Where should I install Updater?
For security reasons, you must install Updater in a folder that is restricted to Administrator-only write permissions, such as the Program Files folder.
This means, however, that the Git and SSH binaries cannot be replaced without Administrator permissions. While they system makes sure the Updater assemblies have not been modified via signature verification, it cannot control what external applications like Git or SSH may call.
So even if the system tried to apply signature validation to the git.exe and ssh.exe files, Pega Robotics software would still be vulnerable since the system does not control their source code. The system does make sure that any external applications called by Git or SSH are used from within our bin directory, as we prefix the environment path so our bin directory takes priority.
As long as replacing assemblies within the Updater installation folder requires Administrator permissions, the system should be secure.