PackageManagement - Best Practices in an All-Signed Environment

This topic contains 4 replies, has 2 voices, and was last updated by Travis Hubbard 1 year, 7 months ago.

  • #26310
    Travis Hubbard
    Participant

    I am checking out WMF 5, April 2015 release and testing some basic installation / uninstallation of packages.

    To get in line with best security practices I've set our environment up as All-Signed and have a certificate authority up for our domain that can sign scripts.

    My question is how do I make this mesh with PackageManagement? If I am understanding this correctly, Chocolatey (for example) uses ps1 scripts to execute the installation of packages from that repo. Is it possible to auto-sign scripts from certain package sources? Or is there a method to do that on a case-by-case basis?

  • #26311
    Don Jones
    Keymaster

    Well...

    The idea is that authors who submit modules to the repository SHOULD sign them.

    However, YOU downloading them and YOU signing them completely defeats the purpose of AllSigned. If that's your plan, just switch to Unrestricted. If you're going to take on the job of signing untrusted code, you're not making it "trusted" and you're not making it any more secure. That isn't a best practice at all.

    The fact is that an unsigned script coming from an Internet repo *is* untrusted. If it isn't signed by its author, there's absolutely zero benefit in you signing it. All you're doing is signing something that you know nothing about.

  • #26313
    Travis Hubbard
    Participant

    Thanks Don, that makes sense. I see where I was off base.

    As a follow-up, is there a good place to find information about submitting modules / creating custom package sources within the new PackageManagement paradigm?

    I'm seeing the Register-PackageSource and Register-PSRepository cmdlets (and have read the help) but am still not fully understanding the workflow.
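The point Don makes above (under AllSigned, verify the signature the author applied; do not re-sign code you know nothing about), together with the Register-PSRepository workflow asked about here, as an added example. This is not code from the thread or from PowerShellGet itself. The repository name, file-share paths, staging folder, module name and the trusted-signer thumbprint are all assumed placeholders; Register-PSRepository, Save-Module, Get-AuthenticodeSignature and Get-ChildItem are the real cmdlets.

```powershell
# Added example, not from the original thread.
# Goal: under AllSigned, admit a module only if every script file carries a
# valid Authenticode signature from a publisher we have chosen to trust.
# We never sign the files ourselves.

# 1. Register an internal, file-share-backed repository (share path is assumed).
#    InstallationPolicy Trusted only suppresses the "untrusted repository" prompt
#    in Install-Module; it does not relax the execution policy and does not make
#    unsigned scripts run under AllSigned.
$RepoName = 'InternalModules'
if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $RepoName `
        -SourceLocation  '\\fileserver\PSRepo' `
        -PublishLocation '\\fileserver\PSRepo' `
        -InstallationPolicy Trusted
}

# 2. Thumbprints of code-signing certificates whose holders we trust to write
#    code for us (the value below is a placeholder, not a real certificate).
$TrustedSignerThumbprints = @(
    'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
)

function Test-ModuleSignatures {
    <#
      Report the Authenticode status of every file the execution policy
      cares about (.ps1, .psm1, .psd1, .ps1xml) under $Path, and whether the
      signer is on our trusted list. Returns one object per file.
    #>
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $TrustedThumbprints = @()
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml |
        ForEach-Object {
            $sig        = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                # Trusted means: signature cryptographically valid AND signer on our list.
                Trusted = ($sig.Status -eq 'Valid' -and $thumbprint -in $TrustedThumbprints)
            }
        }
}

# 3. Stage the module without installing it (module name and folder are assumed).
$Staging    = Join-Path $env:TEMP 'ModuleStaging'
$ModuleName = 'ExampleModule'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Save-Module -Name $ModuleName -Repository $RepoName -Path $Staging

# 4. Inspect what the author shipped. Anything unsigned, tampered (HashMismatch)
#    or signed by an unknown party is rejected; we do not "fix" it by signing.
$report   = Test-ModuleSignatures -Path (Join-Path $Staging $ModuleName) -TrustedThumbprints $TrustedSignerThumbprints
$rejected = $report | Where-Object { -not $_.Trusted }

if ($rejected) {
    $rejected | Format-Table File, Status, Signer -AutoSize
    Write-Warning "$ModuleName rejected: $($rejected.Count) file(s) are not signed by a trusted publisher."
    return
}

# 5. Only now place the module where AllSigned will load it (AllUsers path).
$Destination = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
Copy-Item -Path (Join-Path $Staging $ModuleName) -Destination $Destination -Recurse -Force
Write-Host "$ModuleName installed; all $($report.Count) script files carry trusted signatures."
```

The thumbprint list is deliberate: a signature that is merely "Valid" only proves the file was not altered after some certificate signed it, and any CA-issued or self-signed code-signing certificate can produce one. Trust is the decision about whose certificate that is, which is exactly the decision re-signing someone else's code would skip.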

  • #26315
    Don Jones
    Keymaster

    Not really. Keep in mind it's mega-pre-release code. Documentation comes later ;).

  • #26316
    Travis Hubbard
    Participant

    Sounds good. Thanks again!
