
Why don't we have repo-signing? #206

Open
Jaykul opened this issue Nov 29, 2021 · 2 comments

Jaykul commented Nov 29, 2021

It seems that while NuGet has added various ways of validating content, PowerShell is stuck with just code and cab signing mechanisms that rely on authors -- and very, very few authors are signing.

Specifically, NuGet hashes and provides hash files, and does repo-signing (and counter-signs pre-signed packages).

https://github.com/NuGet/Home/wiki/Nupkg-Metadata-File
https://devblogs.microsoft.com/nuget/introducing-repository-signatures/

Microsoft, of course, is also providing spdx files in their modules, in addition to code-signing, etc.

https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
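
Added example (not code from this issue or from the PowerShell Gallery project): a script that audits what the author-side mechanisms mentioned above, Authenticode code signing and .cat catalog signing, actually give a consumer of installed modules today. For each module it reports how many files carry a valid signature, how many are unsigned, how many no longer match their signature, and whether a shipped catalog still validates against the folder. The function name `Get-ModuleSignatureReport` is my own; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, because `Get-AuthenticodeSignature` and `Test-FileCatalog` are Windows-only cmdlets.

```powershell
# Added example, not code from this issue or the PowerShell Gallery project.
# It audits what author-side signing (Authenticode on each file, plus an optional
# .cat catalog over the folder) gives a consumer: per installed module, the
# signature status of every script/module/binary file and, when the author shipped
# a catalog, whether the folder contents still match it.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, since
# Get-AuthenticodeSignature and Test-FileCatalog are Windows-only cmdlets.

function Get-ModuleSignatureReport {
    [CmdletBinding()]
    param(
        # Module name(s) to audit; defaults to everything on PSModulePath.
        [string[]] $Name = '*'
    )

    foreach ($module in Get-Module -ListAvailable -Name $Name) {
        $files = @(Get-ChildItem -Path $module.ModuleBase -Recurse -File `
                     -Include '*.ps1', '*.psm1', '*.psd1', '*.ps1xml', '*.dll')
        $sigs = if ($files.Count -gt 0) {
            Get-AuthenticodeSignature -FilePath $files.FullName
        } else { @() }

        # A catalog (.cat) covers the whole folder: ValidationFailed means a file was
        # added, removed or altered after the author signed the catalog.
        $catalog = Get-ChildItem -Path $module.ModuleBase -Filter '*.cat' -File |
            Select-Object -First 1
        $catalogStatus = if ($catalog) {
            try {
                Test-FileCatalog -CatalogFilePath $catalog.FullName `
                                 -Path $module.ModuleBase -FilesToSkip $catalog.Name
            } catch { "Error: $($_.Exception.Message)" }
        } else { 'NoCatalog' }

        # Distinct signer subjects, so a module signed by two different certificates
        # (or by a certificate that is not the expected publisher) stands out.
        $signers = $sigs | Where-Object SignerCertificate |
            ForEach-Object { $_.SignerCertificate.Subject } | Sort-Object -Unique

        [pscustomobject]@{
            Module        = $module.Name
            Version       = $module.Version
            Files         = $files.Count
            Valid         = @($sigs | Where-Object SignatureStatus -eq 'Valid').Count
            NotSigned     = @($sigs | Where-Object SignatureStatus -eq 'NotSigned').Count
            HashMismatch  = @($sigs | Where-Object SignatureStatus -eq 'HashMismatch').Count
            Signers       = $signers -join '; '
            CatalogStatus = $catalogStatus
        }
    }
}

# HashMismatch or a failed catalog means the files no longer match what the author
# signed; NotSigned is simply the common case this issue is complaining about.
Get-ModuleSignatureReport | Sort-Object HashMismatch -Descending | Format-Table -AutoSize
```

Run it as-is to see how little coverage author signing gives on a typical machine; most rows come back with NotSigned equal to Files and CatalogStatus of NoCatalog, which is exactly the gap that repository-side signing and hash files would close.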

@dbaileyut

Agreed.

For example, see: AccessControlDSC

It purports to be from Microsoft, but as far as I can tell, it's hosted in a personal repo. I can see contributions from folks with Microsoft in their GitHub profiles. I've reviewed the code and it looks good... So, it looks legit but how am I supposed to know if this is actually a Microsoft module? Should I be reporting it for saying it's from Microsoft? Should I contact the owners? - what if they are malicious and lie to me?

alerickson (Member) commented Oct 24, 2022

@dbaileyut we're currently running scripts to validate newly published modules to check if they're spoofing or typo squatting. This is a short-term solution as we work on more thorough ways to validate packages. In the long term, we'd like to work on implementing security features akin to what @Jaykul has mentioned. Please feel free to add any suggestions here.

Edit:
@dbaileyut I just looked and validated that AccessControlDSC is actually a Microsoft module.
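
Added example, not the Gallery's own validation script: the kind of check a repository can run over a newly published module name to catch the two cases named above. A candidate is flagged when it is within a small edit distance of a well-known module name (typosquatting) or when it claims a vendor prefix such as `Microsoft.` without a verified publisher (spoofing). The function names `Get-EditDistance` and `Test-ModuleNameForSpoofing`, the prefix list and the candidate names are my own constructions; the "known" list uses a few real module names only as reference points.

```powershell
# Added example, not the PowerShell Gallery's own validation script. It flags a
# newly submitted module name that is within a small edit distance of a well-known
# module (typosquatting) or that claims a reserved vendor prefix (spoofing), so a
# human can verify the publisher before the package is listed.
# The "known" list and the candidate names at the bottom are constructed data.

function Get-EditDistance {
    # Levenshtein distance between two names, compared case-insensitively.
    param([string] $a, [string] $b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-ModuleNameForSpoofing {
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string[]] $KnownNames,
        # Prefixes that should only be published by the vendor that owns them.
        [string[]] $ProtectedPrefixes = @('Microsoft.', 'Az.', 'AWS.'),
        # One or two edits covers dropped, swapped and look-alike characters.
        [int] $MaxDistance = 2
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($known in $KnownNames) {
        if ($Candidate -eq $known) { continue }   # same name: an update, not a squat
        $distance = Get-EditDistance $Candidate $known
        if ($distance -le $MaxDistance) {
            $findings.Add("$distance edit(s) away from existing module '$known'")
        }
    }
    foreach ($prefix in $ProtectedPrefixes) {
        if ($Candidate.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("uses reserved vendor prefix '$prefix'; hold until the publisher is verified")
        }
    }
    [pscustomobject]@{
        Name       = $Candidate
        Suspicious = $findings.Count -gt 0
        Findings   = $findings.ToArray()
    }
}

# Constructed data: a handful of real, popular module names as the "known" set and
# four made-up submissions (two look-alikes, one vendor-prefix claim, one clean name).
$known = 'Pester', 'PSReadLine', 'Az.Accounts', 'dbatools', 'ImportExcel', 'PowerShellGet'
'Pestr', 'PSReadLlne', 'Microsoft.Example.Tools', 'MyTeamUtilities' |
    ForEach-Object { Test-ModuleNameForSpoofing -Candidate $_ -KnownNames $known } |
    Format-List
```

In practice the known set would be the top few hundred modules by download count, and a flag only holds the package for review rather than rejecting it, since a verified Microsoft publisher legitimately uses the `Microsoft.` prefix (the AccessControlDSC case above is exactly the kind of question this review step answers).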
