PackageManagement - Best Practices in an All-Signed Environment

I am checking out WMF 5, April 2015 release and testing some basic installation / uninstallation of packages.

To get in line with best security practices I’ve set our environment up as All-Signed and have a certificate authority up for our domain that can sign scripts.

My question is how do I make this mesh with PackageMangement? If I am understanding this correctly chocolatey (for example) uses ps1 scripts to execute the installation of packages from that repo. Is it possible to auto-sign scripts from certain package sources? Or is there a method to do that on a case by case basis?


The idea is that authors who submit modules to the repository SHOULD sign them.

However, YOU downloading them and YOU signing them completely defeats the purpose of AllSigned. If that’s your plan, just switch to Unrestricted. If you’re going to take on the job of signing untrusted code, you’re not making it “trusted” and you’re not making it any more secure. That isn’t a best practice at all.

The fact is that an unsigned script coming from an Internet repo is untrusted. If it isn’t signed by its author, there’s absolutely zero benefit in you signing it. All you’re doing is signing something that you know nothing about.

Thanks Don, that makes sense. I see where I was off base.

As a followup, is there a good place to find information about submitting modules / creating custom package sources within the new PackageMangement paradigm?

I’m seeing the Register-PackageSource and Register-PSRepository cmdlets (and have read the help) but am still not fully understanding the workflow.

Not really. Keep in mind it’s mega-pre-release code. Documentation comes later ;).

Sounds good. Thanks again!