PowerShell / SecretManagement

PowerShell module for consistent usage of secrets through different extension vaults
MIT License

Can extensions be trusted? #184

Open iRon7 opened 2 years ago

iRon7 commented 2 years ago

We are in a highly secured environment and I am currently in a test phase for SecretManagement/Microsoft.PowerShell.SecretStore. How is the trust/security of the 3rd party extensions (e.g. SecretManagement.KeePass) guaranteed?

Related: Can dependencies be trusted?

iSazonov commented 2 years ago

It is your decision whether you trust this developer. If so, you need to check the code signature to trust the code.
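
As an added illustration of the "check the code signature" advice above (this is not code from the SecretManagement project or from either commenter), the following PowerShell function walks the module behind each registered extension vault and checks the Authenticode signature of every file PowerShell can load from it. The `Test-SecretVaultSignatures` name, the optional list of trusted signer thumbprints, and resolving the vault's module through `Get-Module -ListAvailable` are assumptions made for this example; `Get-AuthenticodeSignature` only works on Windows.

```powershell
# Added example, not part of the SecretManagement project. Enumerate the module behind
# each registered extension vault and verify the Authenticode signature of every
# loadable file in it, so a vault is only accepted when all of its code is signed by a
# publisher whose certificate chains to a trusted root. Windows PowerShell 5.1 or
# PowerShell 7 on Windows (Get-AuthenticodeSignature is Windows-only).
function Test-SecretVaultSignatures {
    [CmdletBinding()]
    param(
        # Signer certificate thumbprints you have decided to trust. Assumption for this
        # example: you maintain this list; an empty list accepts any trusted-chain signer.
        [string[]] $TrustedThumbprint = @()
    )

    Import-Module Microsoft.PowerShell.SecretManagement -ErrorAction Stop

    foreach ($vault in Get-SecretVault) {
        # Resolve the extension module on disk. A registration can point at a module
        # that is no longer installed, which is itself worth flagging.
        $module = Get-Module -ListAvailable -Name $vault.ModuleName | Select-Object -First 1
        if (-not $module) {
            [pscustomobject]@{
                Vault = $vault.Name; Module = $vault.ModuleName; File = $null
                Status = 'ModuleNotFound'; Signer = $null; Trusted = $false
            }
            continue
        }

        # Every file PowerShell can execute or load from the module directory, including
        # the nested <Name>.Extension module that actually implements the vault.
        $files = Get-ChildItem -Path $module.ModuleBase -Recurse -File `
            -Include *.ps1, *.psm1, *.psd1, *.ps1xml, *.dll

        foreach ($file in $files) {
            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $thumb  = $null
            $signer = $null
            if ($sig.SignerCertificate) {
                $thumb  = $sig.SignerCertificate.Thumbprint
                $signer = $sig.SignerCertificate.Subject
            }

            # 'Valid' means the file hash matches the signature and the chain builds to a
            # trusted root. The thumbprint pin additionally rejects a valid signature from
            # a publisher you did not expect.
            $trusted = ($sig.Status -eq 'Valid') -and
                       ($TrustedThumbprint.Count -eq 0 -or $TrustedThumbprint -contains $thumb)

            [pscustomobject]@{
                Vault   = $vault.Name
                Module  = $module.Name
                File    = $file.FullName.Substring($module.ModuleBase.Length).TrimStart('\', '/')
                Status  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
                Signer  = $signer
                Trusted = $trusted
            }
        }
    }
}

# Usage: list every file that is not fully trusted, then decide whether to keep the vault.
Test-SecretVaultSignatures |
    Where-Object { -not $_.Trusted } |
    Format-Table Vault, Module, File, Status, Signer -AutoSize
```

Any `NotSigned`, `HashMismatch` or `NotTrusted` row means the extension's code cannot be tied to a publisher you have chosen to trust, and the vault should be unregistered until that is resolved. Note that an `AllSigned` execution policy only gates scripts and manifests at load time and does not cover binary `.dll` files, which is why the check above inspects those as well.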

iRon7 commented 2 years ago

@iSazonov,

It is your decision whether you trust this developer

I guess this is exactly what it is. As it concerns secret data, I think the responsibility should be taken at a higher level, e.g. with certification of the SecretManagement extensions, which might even include (Microsoft) code signing the extensions, or otherwise some clear disclaimers, which would also help in deciding how deeply I should investigate the concerned extensions (or even rewrite them myself).

iSazonov commented 2 years ago

certification of the SecretManagement extensions

It makes sense. I'm afraid only big manufacturers can do it.

PaulHigin commented 2 years ago

Microsoft, of course, cannot make any security guarantees for third party vault extensions. I think trust will have to come through community involvement, with code reviews and security reviews.