AzureAD / microsoft-authentication-cli

A command line utility for Azure authentication.

Please provide a signed version of install.ps1 #326

Open dpaoliello opened 1 year ago

dpaoliello commented 1 year ago

The PowerShell install script (install/install.ps1) is currently unsigned, requiring anyone running it to bypass PowerShell's execution policy, potentially allowing a vector for a supply-chain attack (especially since it isn't obvious or easy to get a hash of the install scripts so that clients can verify them).

Can you please provide a signed version of the script - either checked in or as part of the release artifacts?

reillysiemens commented 1 year ago

Thanks for bringing this to our attention, @dpaoliello. We're looking into the best way to handle a signed installation process. We're not yet sure if this will result in signing the install/install.ps1 script itself or preferring another mechanism altogether, but it's an active discussion.
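The two verification options raised in this issue (a published hash, or a signature on the script itself) can be checked on the client as in the following added example, which is not code from this repository or its maintainers. The function name `Test-InstallScript`, its parameters, and the sample file are hypothetical; the pinned hash is computed from a constructed file because the project publishes none.

```powershell
# Added example (not from the repository): check a saved installer script
# against a pinned SHA-256 and/or an Authenticode signer before running it.
function Test-InstallScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,   # assumption: obtained out of band from a trusted source
        [string] $ExpectedSigner    # assumption: substring of the signer certificate subject
    )
    if (-not $ExpectedSha256 -and -not $ExpectedSigner) {
        throw 'Supply -ExpectedSha256, -ExpectedSigner, or both.'
    }
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
            Write-Warning "SHA-256 mismatch for $Path (got $actual)"
            return $false
        }
    }
    if ($ExpectedSigner) {
        # Get-AuthenticodeSignature is available on Windows only.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status for $Path is $($sig.Status)"
            return $false
        }
        if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
            Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
            return $false
        }
    }
    return $true
}

# Constructed sample file standing in for a downloaded install.ps1.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'install-sample.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "constructed sample installer"'
# Stands in for a hash the publisher would list next to the release.
$pinned = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash

Test-InstallScript -Path $sample -ExpectedSha256 $pinned   # file unchanged since pinning
Add-Content -LiteralPath $sample -Value '# changed after the hash was pinned'
Test-InstallScript -Path $sample -ExpectedSha256 $pinned   # file no longer matches
Remove-Item -LiteralPath $sample
```

Either check only helps when the script is saved to disk and verified before it runs, and when the expected hash or signer comes from a channel separate from the download itself.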