It purports to be from Microsoft, but as far as I can tell, it's hosted in a personal repo. I can see contributions from folks with Microsoft in their GitHub profiles. I've reviewed the code and it looks good... So it looks legit, but how am I supposed to know if this is actually a Microsoft module? Should I be reporting it for saying it's from Microsoft? Should I contact the owners? What if they are malicious and lie to me?
@dbaileyut we're currently running scripts to validate newly published modules to check if they're spoofing or typosquatting. This is a short-term solution as we work on more thorough ways to validate packages. In the long term, we'd like to work on implementing security features akin to what @Jaykul has mentioned. Please feel free to add any suggestions here.
Edit: @dbaileyut I just looked and validated that AccessControlDSC is actually a Microsoft module.
It seems that while NuGet has added various ways of validating content, PowerShell is stuck with just code and CAB signing mechanisms that rely on authors -- and very, very few authors are signing.
Specifically, NuGet hashes and provides hash files, and does repo-signing (and counter-signs pre-signed packages).
https://github.com/NuGet/Home/wiki/Nupkg-Metadata-File
https://devblogs.microsoft.com/nuget/introducing-repository-signatures/
Microsoft, of course, is also providing SPDX files in their modules, in addition to code-signing, etc.
https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
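The thread above makes the point that, on the Gallery, the only thing you can verify without trusting the publisher's own metadata is the Authenticode signature (and, where shipped, the signed catalog) on the module files. The following script is an added example written for this page, not code from the PowerShell Gallery team or from any of the commenters. It saves a module without importing it, checks every script and binary for a valid Authenticode signature from an expected publisher, validates the module's `.cat` file if one is present, and puts the Gallery's self-declared `CompanyName` beside the verified signer so the two can be compared. It assumes Windows (`Get-AuthenticodeSignature` and `Test-FileCatalog` are Windows-only) and PowerShellGet's `Save-Module`/`Find-Module`; the default `-ExpectedPublisherPattern` is an illustrative assumption about Microsoft's signing certificate subject and should be adjusted for whichever publisher you are checking.

```powershell
# Added example (not from the thread): verify a Gallery module by its signatures, not its metadata.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 on Windows, and the PowerShellGet module.
param(
    [Parameter(Mandatory)] [string] $Name,
    [string] $Repository = 'PSGallery',
    # Assumption for illustration: the certificate subject we expect the signer to present.
    [string] $ExpectedPublisherPattern = '^CN=Microsoft Corporation,'
)

# Stage the module in a throwaway directory. Save-Module only downloads; nothing runs yet.
$stage = Join-Path ([IO.Path]::GetTempPath()) ("psgal-verify-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage | Out-Null
Save-Module -Name $Name -Repository $Repository -Path $stage -ErrorAction Stop
$moduleDir = Get-ChildItem -Path (Join-Path $stage $Name) -Directory | Select-Object -First 1

$result = [ordered]@{
    Module         = $Name
    Version        = $moduleDir.Name
    UnsignedFiles  = @()
    UntrustedFiles = @()
    WrongPublisher = @()
    Signers        = @()
    CatalogStatus  = 'NoCatalog'
    ClaimedCompany = $null
    Trusted        = $false
}

# 1. Every script, manifest, formatting file and assembly should carry a valid Authenticode
#    signature whose signer matches the publisher we expect. 'Valid' means the chain builds to
#    a trusted root and the hash matches; anything else (UnknownError, HashMismatch, ...) is a failure.
$signable = Get-ChildItem -Path $moduleDir.FullName -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml, *.dll
foreach ($f in $signable) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -eq 'NotSigned') {
        $result.UnsignedFiles += $f.FullName
    }
    elseif ($sig.Status -ne 'Valid') {
        $result.UntrustedFiles += "$($f.FullName) [$($sig.Status)]"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch $ExpectedPublisherPattern) {
        $result.WrongPublisher += "$($f.FullName) [$($sig.SignerCertificate.Subject)]"
    }
    else {
        $result.Signers += $sig.SignerCertificate.Subject
    }
}
$result.Signers = @($result.Signers | Sort-Object -Unique)

# 2. If the author shipped a catalog, the catalog itself must be validly signed (otherwise an
#    attacker who tampers with a file can simply regenerate it), and every file must match it.
#    Save-Module adds PSGetModuleInfo.xml, which the author never catalogued, so skip it.
$catalog = Get-ChildItem -Path $moduleDir.FullName -Filter *.cat -File | Select-Object -First 1
if ($catalog) {
    $catSig = Get-AuthenticodeSignature -FilePath $catalog.FullName
    if ($catSig.Status -ne 'Valid') {
        $result.CatalogStatus = "CatalogSignature:$($catSig.Status)"
    }
    else {
        $result.CatalogStatus = "$(Test-FileCatalog -CatalogFilePath $catalog.FullName `
            -Path $moduleDir.FullName -FilesToSkip @($catalog.Name, 'PSGetModuleInfo.xml'))"
    }
}

# 3. The Gallery's CompanyName/Author fields are typed in by whoever published the package and
#    are not verified by the Gallery; surface them only so they can be compared with the signer.
$result.ClaimedCompany = (Find-Module -Name $Name -Repository $Repository).CompanyName

$result.Trusted = (
    $result.UnsignedFiles.Count -eq 0 -and
    $result.UntrustedFiles.Count -eq 0 -and
    $result.WrongPublisher.Count -eq 0 -and
    $result.CatalogStatus -in @('Valid', 'NoCatalog')
)

Remove-Item -Path $stage -Recurse -Force
[pscustomobject]$result
```

Run it as `.\Verify-GalleryModule.ps1 -Name AccessControlDsc` (any file name works; the name here is an assumption). A module whose `ClaimedCompany` says Microsoft but whose `Signers` list is empty, or names some other certificate subject, is exactly the case raised in this issue: the metadata is a claim, the signature is the evidence. Note that `NoCatalog` is reported rather than failed because most Gallery modules ship without a `.cat`; tighten that condition if your policy requires catalog signing.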