PowershellFrameworkCollective / psframework

A module that provides tools for other modules and scripts
MIT License

Code Signing PSFramework #545

Open potatoqualitee opened 1 year ago

potatoqualitee commented 1 year ago

Any chance you could digitally sign PSFramework? Digicert gives code signing certs to MVPs, maybe they give them to former MVPs turned Microsoft people? Or perhaps Microsoft can help with the signage? Signing the underlying framework would help other modules that rely on PSFramework who do sign to be able to justify the use of both modules.

Ty

trir262 commented 1 year ago

@FriedrichWeinmann any idea whether this will be added to the roadmap? Our company recently changed PowerShell's execution policy to AllSigned, making all modules using PSFramework unusable unless we sign them ourselves...

FriedrichWeinmann commented 1 year ago

Hi @trir262, it is in a low priority "Would like to have" state and I will look into this more during my next vacation (August). The key reason of "why?" is that having the module signed actually doesn't say much - all it says is "Fred signed this code". It does not address "Is Fred trustworthy?" or "Is Fred's computer secure?" or "Has anybody compromised Fred's build pipeline?"

That being said, ExecutionPolicy doesn't do much - if your organization worries about securing PowerShell, maybe check out this recording: https://www.youtube.com/watch?v=M261YjSKj4w&ab_channel=PowerShellConferenceEU

That said, for the immediate future you're stuck either disabling EP or signing your internal copy of PSFramework with your own certificate, sorry :(

trir262 commented 1 year ago

Thanks for the quick reply Friedrich.

I totally agree with you it is an empty bottle, however since your framework is being used by other modules I am using (like passwordstate-management) it makes them unusable as well without the workaround (sign it myself).

For me it is hard to ask @dnewsholme to sign his module if yours is not yet digitally signed, specifically since I was the one who converted his module with your framework (via PR86)

Fyi: The only action I needed to do to sign your module is

```powershell
# Load the signing certificate (with private key) from a PFX file
$SigningCertificate = Get-PfxCertificate -FilePath 'c:\temp\mycert.pfx'
$SignProperties = @{
    Certificate     = $SigningCertificate
    TimestampServer = 'http://timestamp.digicert.com'
    HashAlgorithm   = 'SHA256'
}

# Sign the manifest, the root module and the ps1xml files
@('psframework.psd1', 'psframework.psm1', '*.ps1xml') | ForEach-Object {
    Get-ChildItem -Recurse -Filter $PSItem | ForEach-Object {
        Set-AuthenticodeSignature @SignProperties -FilePath $PSItem.FullName | Out-Null
    }
}
```

I hope you find some time in your holiday to implement the above step in your pipeline...
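
An added example (not part of the thread and not PSFramework's own code): after signing an internal copy as in the comment above, this audits every script, module, manifest and ps1xml file under the module folder and lists any whose Authenticode status is not `Valid` or whose signer is not your certificate. The function name `Test-ModuleSignature`, the module path and the thumbprint placeholder are assumptions.

```powershell
# Added example: audit a locally signed module copy before using it under AllSigned.
# Test-ModuleSignature is a hypothetical helper; path and thumbprint are placeholders.
function Test-ModuleSignature {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$ModulePath,

        # Thumbprint of the certificate the files were signed with
        [Parameter(Mandatory)]
        [string]$ExpectedThumbprint
    )

    # PowerShell script, module, manifest and format/type files
    $signable = '.ps1', '.psm1', '.psd1', '.ps1xml'

    Get-ChildItem -Path $ModulePath -Recurse -File |
        Where-Object { $_.Extension -in $signable } |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
                Signer      = $thumb
                Timestamped = [bool]$sig.TimeStamperCertificate  # false if no timestamp was applied
                Ok          = ($sig.Status -eq 'Valid') -and ($thumb -eq $ExpectedThumbprint)
            }
        }
}

# Report only the files that would fail the check
$report = Test-ModuleSignature -ModulePath 'C:\temp\PSFramework' -ExpectedThumbprint '<YOUR-CERT-THUMBPRINT>'
$report | Where-Object { -not $_.Ok } | Format-Table File, Status, Signer -AutoSize
```

A `NotSigned` row is a file the signing loop missed; `HashMismatch` means the file changed after it was signed.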

potatoqualitee commented 1 year ago

Seconded. It's about more than execution policies, it's about increasing adoption.

Orgs do not necessarily care if you, Fred, are trustworthy. They want to know that the software hasn't been tampered with AND there is a record of the signer. You have to prove your ID to the CA with passports, etc so it is a valuable security process.