NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

[SECURITY-CONCERN]: Make NuGet repository trustful for windows module installation #9746

Open thecircleoflifefree opened 9 months ago

thecircleoflifefree commented 9 months ago

Related Problem

I am trying to do a module installation on Windows 11. The fact that it returns it as an "untrusted repository" feels discouraging to continue.

The Elevator Pitch

Is this something that can be addressed by NuGet?

Additional Context and Details

PS C:\WINDOWS\system32> Install-Module -Name Microsoft.PowerShell.UnixCompleters

NuGet provider is required to continue PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

Untrusted repository You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):

cmcknz77 commented 8 months ago

This is set at a repository level and in my environment is set at a Domain level. The Public PSGallery repository where anyone can realistically upload any old tat is untrusted but when you connect to the repository in the first place you can define how that repository is treated using the Register-PSRepository cmdlet.

We have an internally hosted copy of the NuGet Repository where we can push trusted scripts and modules for internal use and that repository is trusted by our computers:

Register-PSRepository -Name YourRepository -InstallationPolicy Trusted -PackageManagementProvider NuGet -PublishLocation 'https://some.url/api/v2/package/' -SourceLocation 'https://some.url/api/v2/'

I would not recommend ever registering the public PSGallery as a trusted repository.
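A defensive version of the registration shown above, added here as an example and not code from the thread: it registers an internal feed as Trusted, keeps PSGallery Untrusted so installs from it still prompt, and audits for any unexpected Trusted repository. The feed URL and repository name are placeholders, and it assumes the module has been mirrored to the internal feed.

```powershell
# Added example (not from the thread). Assumes an internal NuGet v2 feed at
# https://nuget.internal.example/api/v2/ (placeholder) that mirrors approved modules.
$InternalFeed = 'https://nuget.internal.example/api/v2/'
$InternalName = 'InternalPSRepo'

# Register the internal feed as Trusted only if it is not already registered.
if (-not (Get-PSRepository -Name $InternalName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $InternalName `
        -SourceLocation $InternalFeed `
        -PublishLocation "${InternalFeed}package/" `
        -InstallationPolicy Trusted `
        -PackageManagementProvider NuGet
}

# Keep the public gallery Untrusted so every install from it still prompts.
if ((Get-PSRepository -Name PSGallery).InstallationPolicy -ne 'Untrusted') {
    Set-PSRepository -Name PSGallery -InstallationPolicy Untrusted
}

# Audit: warn about any repository marked Trusted that is not on the allowlist.
$Allowed = @($InternalName)
Get-PSRepository |
    Where-Object { $_.InstallationPolicy -eq 'Trusted' -and $_.Name -notin $Allowed } |
    ForEach-Object {
        Write-Warning "Unexpected trusted repository: $($_.Name) ($($_.SourceLocation))"
    }

# Install from the internal feed explicitly; a Trusted repository does not prompt.
Install-Module -Name Microsoft.PowerShell.UnixCompleters -Repository $InternalName
```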