PackageManagement - Best Practices in an All-Signed Environment


This topic contains 4 replies, has 2 voices, and was last updated by a Participant 3 years, 6 months ago.

  • #26310

    Participant
    Points: 0
    Rank: Member

    I am checking out WMF 5, April 2015 release and testing some basic installation / uninstallation of packages.

    To get in line with best security practices I've set our environment up as All-Signed and have a certificate authority up for our domain that can sign scripts.

    My question is how do I make this mesh with PackageManagement? If I am understanding this correctly, Chocolatey (for example) uses ps1 scripts to execute the installation of packages from that repo. Is it possible to auto-sign scripts from certain package sources? Or is there a method to do that on a case-by-case basis?

  • #26311

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    Well...

    The idea is that authors who submit modules to the repository SHOULD sign them.

    However, YOU downloading them and YOU signing them completely defeats the purpose of AllSigned. If that's your plan, just switch to Unrestricted. If you're going to take on the job of signing untrusted code, you're not making it "trusted" and you're not making it any more secure. That isn't a best practice at all.

    The fact is that an unsigned script coming from an Internet repo *is* untrusted. If it isn't signed by its author, there's absolutely zero benefit in you signing it. All you're doing is signing something that you know nothing about.

  • #26313

    Participant
    Points: 0
    Rank: Member

    Thanks Don, that makes sense. I see where I was off base.

    As a follow-up, is there a good place to find information about submitting modules / creating custom package sources within the new PackageManagement paradigm?

    I'm seeing the Register-PackageSource and Register-PSRepository cmdlets (and have read the help) but am still not fully understanding the workflow.
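The following script is an added example and not code from this thread, from Don, or from the PackageManagement project. It ties together the two points raised above: Don's point that only the author's signature means anything under AllSigned, and the follow-up question about the Register-PSRepository workflow. It registers an internal PowerShellGet repository, refuses to publish a module unless every script file already carries a valid Authenticode signature, and on the consuming side stages a module with Save-Module and checks the signer against an allow-list before Install-Module runs. The repository name, UNC share, module path and the thumbprint placeholder are assumptions; the cmdlets (Register-PSRepository, Publish-Module, Save-Module, Install-Module, Get-AuthenticodeSignature) are standard PowerShellGet and Microsoft.PowerShell.Security cmdlets.

```powershell
# Added example; not code from the thread. Names, paths and the thumbprint are placeholders.
# Requires the PowerShellGet module shipped with WMF 5.

$RepoName  = 'InternalRepo'
$RepoShare = '\\fileserver\PSRepo'        # assumed UNC share that holds the NuGet-style feed

# Publisher certificate(s) your organisation trusts; placeholder thumbprint.
$TrustedThumbprints = @('<PUBLISHER-CERT-THUMBPRINT>')

# Returns one object per script/module file with its Authenticode status and signer.
function Get-ModuleSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1,*.psm1,*.psd1 -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Trusted    = ($sig.Status -eq 'Valid') -and
                         ($TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint)
        }
    }
}

# --- Publisher side: register the internal feed and publish only author-signed modules ---

if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    # InstallationPolicy Untrusted keeps Install-Module prompting, so trust stays an explicit decision.
    Register-PSRepository -Name $RepoName -SourceLocation $RepoShare `
        -PublishLocation $RepoShare -InstallationPolicy Untrusted
}

$ModulePath = 'C:\Dev\MyModule'           # assumed directory of the module to publish
$report = Get-ModuleSignatureReport -Path $ModulePath
if ($report | Where-Object { $_.Status -ne 'Valid' }) {
    $report | Format-Table File, Status -AutoSize
    throw 'Module contains unsigned or invalidly signed files; not publishing.'
}
# -NuGetApiKey is mandatory in early PowerShellGet versions; assumed: its value is not
# checked for a file-share repository, so a placeholder string is used here.
Publish-Module -Path $ModulePath -Repository $RepoName -NuGetApiKey 'file-share-placeholder'

# --- Consumer side: stage the module, verify the author's signature, then install ---

$Staging = Join-Path $env:TEMP 'PSStaging'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Save-Module -Name 'MyModule' -Repository $RepoName -Path $Staging

$staged = Get-ModuleSignatureReport -Path $Staging
$staged | Format-Table File, Status, Signer, Trusted -AutoSize
if ($staged | Where-Object { -not $_.Trusted }) {
    Write-Warning 'Files are unsigned or signed by an unknown publisher; not installing.'
    return
}
Install-Module -Name 'MyModule' -Repository $RepoName
```

The check is deliberately on the signature that is already on the files, never on one you add yourself: a NotSigned or HashMismatch status is the signal to stop, and a Valid status only counts when the signer's thumbprint is on your allow-list, so a stray code-signing certificate that happens to chain to a trusted root does not pass on its own.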

  • #26315

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    Not really. Keep in mind it's mega-pre-release code. Documentation comes later ;).

  • #26316

    Participant
    Points: 0
    Rank: Member

    Sounds good. Thanks again!
