I noticed MS has a push to using Trusted Signing for pipelines via Azure DevOps and Github Actions.
it also uses a different cert EVERY day.
is there a way to trust the cert used here for PowerShell code signing.
in my experience we have to add each and every cert to the trusted publishers list. and for that reason, we only cycle our internal certs every 2 years.
Not fully conversant with code signing in PowerShell, but wouldn’t you just trust the root cert/certification authority so that all certificates issued by that CA are automatically trusted?
The critical question is: where is your signed Powershell script going to be run? If the answer is “within my organization and on premise”, then use your internal CA generated certificate with your internal rules of expiration duration.
If it’s meant for public consumption and use then you will most likely need to conform to the rules set forth in your public CA provider.
The upcoming rule changes for certificate duration are for public CA providers. An internal does not need to adhere to the public CA rules. My only suggestion is that your private CA has different rules then document your rules and what business use case you are trying to use it for. Share that information with your security auditor.