I'm guessing it'll be close to 100 unless people started out on YubiKeys. There's a new directive that requires us to use YubiKeys or some service that puts our private keys on HSMs. It's been hell, but we finally got it working.
Now, however, we will have to educate our community about the error they will encounter because our CA changed on renewal.
PS C:\github> install-module -Repository local -RequiredVersion 1.1.99 dbatools
PS C:\github> update-module dbatools
PackageManagement\Install-Package : Authenticode issuer 'CN=dbatools, O=dbatools,
L=Vienna, S=Virginia, C=US' of the new module 'dbatools' with version '2.0.4' from root
certificate authority 'CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1,
O="DigiCert, Inc.", C=US' is not matching with the authenticode issuer 'CN=dbatools,
O=dbatools, L=Vienna, S=Virginia, C=US' of the previously-installed module 'dbatools' with
version '1.1.99' from root certificate authority 'CN=DigiCert Assured ID Root CA,
OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use
-SkipPublisherCheck parameter.
At C:\Users\ctrlb\Documents\WindowsPowerShell\Modules\PowerShellGet\2.2.5\PSModule.psm1:13069 char:20
+ ... $sid = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
I know this is a secure thing, but will the answer be that now the standard way to update a signed module is to suggest -SkipPublisherCheck? Will that be like telling people to accept the SSL warnings they see on a website? Does it engender bad practices? Is there any alternative? Do we expect ongoing changes in the industry that will basically require -SkipPublisherCheck by default? I am almost regretting signing.
No idea, up for debate. On one hand, we have to check the publisher; on the other, if skipping the check becomes the default, what's the point? Should we switch to -CheckPublisher?
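One alternative to telling users to pass -SkipPublisherCheck blindly is to have them verify the new signer first and only then override the check for that one version. The script below is an added example, not dbatools' own guidance or anything PowerShellGet ships: it stages the new version with Save-Module without installing it, checks the Authenticode signature and signer subject of the manifest against the values quoted in the error above, compares the signing certificate's thumbprint to one the publisher would announce out of band (the thumbprint here is an ASSUMED placeholder), prints the chain the new certificate builds to, and only then installs with -SkipPublisherCheck. Everything else uses cmdlets and .NET types as they exist in PowerShellGet 2.x and Windows PowerShell 5.1.

```powershell
# Added example, not dbatools' or PowerShellGet's own code.
# Replace $ExpectedThumb with the thumbprint the publisher announced (ASSUMED placeholder below).

$ModuleName      = 'dbatools'
$NewVersion      = '2.0.4'
$ExpectedSubject = 'CN=dbatools, O=dbatools, L=Vienna, S=Virginia, C=US'   # signer subject quoted in the error message
$ExpectedThumb   = '0000000000000000000000000000000000000000'               # ASSUMED: SHA-1 thumbprint of the new signing cert, published out of band
$Staging         = Join-Path $env:TEMP "$ModuleName-staging"

# 1. Download without installing, so nothing from the new version runs before it has been inspected.
Save-Module -Name $ModuleName -RequiredVersion $NewVersion -Path $Staging -Repository PSGallery -Force

$ModuleRoot = Join-Path $Staging "$ModuleName\$NewVersion"
$Manifest   = Join-Path $ModuleRoot "$ModuleName.psd1"

# 2. The manifest is what the publisher check is based on: it must be validly signed by the expected signer.
$sig = Get-AuthenticodeSignature -FilePath $Manifest
if ($sig.Status -ne 'Valid') {
    throw "$ModuleName $NewVersion manifest signature status is '$($sig.Status)', refusing to install"
}
if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
    throw "Unexpected signer subject '$($sig.SignerCertificate.Subject)', refusing to install"
}
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumb) {
    throw "Unexpected signer thumbprint '$($sig.SignerCertificate.Thumbprint)', refusing to install"
}

# 3. Any other script or binary in the package must be either validly signed or unsigned;
#    a HashMismatch or similar means the file was altered after signing.
$files = Get-ChildItem -Path $ModuleRoot -Recurse -File -Include *.psd1,*.psm1,*.ps1,*.dll
foreach ($f in $files) {
    $s = Get-AuthenticodeSignature -FilePath $f.FullName
    switch ($s.Status) {
        'Valid'     { if ($s.SignerCertificate.Thumbprint -ne $ExpectedThumb) { throw "$($f.FullName) signed by a different certificate" } }
        'NotSigned' { Write-Warning "$($f.FullName) is not signed" }
        default     { throw "$($f.FullName) signature status is '$($s.Status)', refusing to install" }
    }
}

# 4. Record the chain the new certificate actually builds to (leaf first, root last),
#    so the operator can see which CA changed rather than just that it changed.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null  = $chain.Build($sig.SignerCertificate)
Write-Host "Certificate chain for $ModuleName $NewVersion signer:"
$chain.ChainElements | ForEach-Object { Write-Host "  $($_.Certificate.Subject)" }

# 5. Only now override the publisher check, and only for this exact version.
Install-Module -Name $ModuleName -RequiredVersion $NewVersion -Repository PSGallery -SkipPublisherCheck
```

The install step uses Install-Module with -RequiredVersion rather than Update-Module, because Install-Module is the cmdlet that takes -SkipPublisherCheck, and pinning the version means the override applies once to a signer the operator has actually looked at, not to every future update. The thumbprint comparison is what makes this different from accepting an SSL warning: the user is checking the new key against a value the publisher communicated through a second channel, not just clicking through a mismatch.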