Open Jaykul opened 3 years ago
Agreed.
For example, see: AccessControlDSC
It purports to be from Microsoft, but as far as I can tell, it's hosted in a personal repo. I can see contributions from folks with Microsoft in their GitHub profiles. I've reviewed the code and it looks good... So, it looks legit but how am I supposed to know if this is actually a Microsoft module? Should I be reporting it for saying it's from Microsoft? Should I contact the owners? - what if they are malicious and lie to me?
@dbaileyut we're currently running scripts to validate newly published modules to check if they're spoofing or typo squatting. This is a short-term solution as we work on more thorough ways to validate packages. In the long term, we'd like to work on implementing security features akin to what @Jaykul has mentioned. Please feel free to add any suggestions here.
Edit: @dbaileyut I just looked and validated that AccessControlDSC is actually a Microsoft module.
It seems that while NuGet has added various ways of validating content, PowerShell is stuck with just code and cab signing mechanisms that rely on authors -- and very, very few authors are signing.
Specifically, NuGet hashes and provides hash files, and does repo-signing (and counter-signs pre-signed packages).
https://github.com/NuGet/Home/wiki/Nupkg-Metadata-File
https://devblogs.microsoft.com/nuget/introducing-repository-signatures/
Microsoft, of course, is also providing spdx files in their modules, in addition to code-signing, etc.
https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
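As an added example (not from this thread, and not PowerShellGet's own code), here is the check the discussion above implies a consumer has to do by hand today: compare what the Gallery metadata claims (Author/CompanyName are set by whoever publishes the manifest) against what the Authenticode signatures and any shipped catalog file actually prove. It needs network access to the repository; `$TrustedSubjects` is a hypothetical allow-list you maintain, seeded here with the usual Microsoft code-signing subject as an assumption you should confirm against a module you already trust.

```powershell
# Added example: verify a Gallery module's signatures rather than trusting its metadata.
# Assumptions: module name passed as -Name; $TrustedSubjects is a hypothetical allow-list.
param(
    [Parameter(Mandatory)][string]$Name,
    [string]$Repository = 'PSGallery',
    [string[]]$TrustedSubjects = @(
        # Assumed value: check it against a known-good Microsoft-signed file before relying on it.
        'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )
)

$work = Join-Path ([IO.Path]::GetTempPath()) "psverify-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $work | Out-Null

# 1. Self-asserted metadata: anyone can write "Microsoft" into a manifest.
$info = Find-Module -Name $Name -Repository $Repository
"{0} {1}: Author='{2}' CompanyName='{3}' (claimed by the publisher, not verified)" -f `
    $info.Name, $info.Version, $info.Author, $info.CompanyName

# 2. Download without installing or importing anything.
Save-Module -Name $Name -Repository $Repository -Path $work
$moduleRoot = Get-ChildItem -Path (Join-Path $work $Name) -Directory | Select-Object -First 1

# 3. Authenticode: each script, manifest, binary and catalog should carry a signature that
#    chains to a trusted root (Status = Valid) from a signer subject you expect.
$files = Get-ChildItem -Path $moduleRoot.FullName -Recurse -File -Include *.ps1,*.psm1,*.psd1,*.dll,*.cat
$results = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File    = $f.FullName.Substring($moduleRoot.FullName.Length + 1)
        Status  = $sig.Status
        Subject = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid') -and ($TrustedSubjects -contains $sig.SignerCertificate.Subject)
    }
}
$results | Format-Table -AutoSize

# 4. Catalog (cab-style) signing, when shipped: the .cat hashes every file, so a valid catalog
#    proves the file set was not altered after signing. Its own signature was checked in step 3.
$cat = Get-ChildItem -Path $moduleRoot.FullName -Filter *.cat -File | Select-Object -First 1
if ($cat) {
    $catInfo = Test-FileCatalog -CatalogFilePath $cat.FullName -Path $moduleRoot.FullName -Detailed
    "Catalog {0}: {1}" -f $cat.Name, $catInfo.Status
} else {
    "No catalog file shipped with the module; only per-file signatures are available"
}

$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    "NOT verified: {0} of {1} file(s) lack a valid signature from a trusted subject" -f $untrusted.Count, @($results).Count
} else {
    "All {0} file(s) carry a valid signature from a trusted subject" -f @($results).Count
}
```

Matching on the certificate subject is the minimum; pinning the signer thumbprint or issuer is stricter, and an unsigned module (the common case the thread complains about) simply produces no `Valid` rows, which is the honest answer: the Gallery metadata alone cannot tell you who published it.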