
June 11, 2015 at 6:00 am

I am checking out WMF 5, April 2015 release and testing some basic installation / uninstallation of packages.

To get in line with best security practices, I've set our environment up as AllSigned and have a certificate authority up for our domain that can sign scripts.

My question is: how do I make this mesh with PackageManagement? If I am understanding this correctly, Chocolatey (for example) uses ps1 scripts to execute the installation of packages from that repo. Is it possible to auto-sign scripts from certain package sources? Or is there a method to do that on a case-by-case basis?

June 11, 2015 at 6:07 am

Well...

The idea is that authors who submit modules to the repository SHOULD sign them.

However, YOU downloading them and YOU signing them completely defeats the purpose of AllSigned. If that's your plan, just switch to Unrestricted. If you're going to take on the job of signing untrusted code, you're not making it "trusted" and you're not making it any more secure. That isn't a best practice at all.

The fact is that an unsigned script coming from an Internet repo *is* untrusted. If it isn't signed by its author, there's absolutely zero benefit in you signing it. All you're doing is signing something that you know nothing about.
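An added example, not part of the original thread: rather than re-signing downloaded scripts, one way to see which of them carry a valid author signature and whether that publisher is already trusted on the machine. The function name `Get-ScriptSignatureReport` and the staging path are hypothetical; it assumes the package has already been unpacked into a folder for review.

```powershell
# Added example: report the Authenticode state of every script in a staged package.
# $StagingPath is a hypothetical folder where the package was unpacked for review.
function Get-ScriptSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$StagingPath
    )

    # Thumbprints of publishers this machine already trusts for signed code.
    $trusted = @(Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Thumbprint)

    Get-ChildItem -Path $StagingPath -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            [pscustomobject]@{
                File             = $_.FullName
                Status           = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer           = if ($signer) { $signer.Subject } else { $null }
                Thumbprint       = if ($signer) { $signer.Thumbprint } else { $null }
                # True only when the author's certificate is already in a TrustedPublisher store.
                TrustedPublisher = [bool]($signer -and ($trusted -contains $signer.Thumbprint))
            }
        }
}

# Constructed sample path; replace with the folder actually under review.
$report = Get-ScriptSignatureReport -StagingPath 'C:\Staging\ExamplePackage'
$report | Sort-Object Status | Format-Table Status, TrustedPublisher, Signer, File -AutoSize

# Anything not 'Valid' is unsigned, tampered with, or signed by a chain this machine does not trust.
$blocked = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) script(s) lack a valid author signature and will not run under AllSigned."
}
```

Scripts reported as `Valid` but with `TrustedPublisher` set to false are signed by a publisher the machine has not yet been told to trust, which is a decision about the author rather than something a local signature can substitute for.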

June 11, 2015 at 6:19 am

Thanks Don, that makes sense. I see where I was off base.

As a follow-up, is there a good place to find information about submitting modules / creating custom package sources within the new PackageManagement paradigm?

I'm seeing the Register-PackageSource and Register-PSRepository cmdlets (and have read the help) but am still not fully understanding the workflow.

June 11, 2015 at 6:25 am

Not really. Keep in mind it's mega-pre-release code. Documentation comes later ;).

June 11, 2015 at 6:28 am

Sounds good. Thanks again!