radius-project / radius

Radius is a cloud-native, portable application platform that makes app development easier for teams building cloud-native apps.
https://radapp.io
Apache License 2.0

Code sign the Radius binaries #7142

Open AaronCrawfis opened 9 months ago

AaronCrawfis commented 9 months ago

Today we build and publish Radius binaries (namely the rad CLI) without signing the binaries.

We should add a code signing step to verify the identity of the Radius binaries and help prevent code tampering. It will also allow Radius binaries to be run on user machines where there are requirements to only run signed software. See #7141 for an example of a user-reported problem when trying to run the rad CLI on a machine with signing requirements.

https://github.com/marketplace/actions/azure-code-signing will probably be the best way to sign our binaries once we have a signing certificate set up.

Background

What is signing?

Digital signatures placed on files by code signing help provide a foundation for security by enabling downstream users or processes to identify the origin of software and to verify whether the software has been tampered with post-release.

Why sign?

We sign code to ensure the authenticity and integrity of software to end users. If the software is properly code signed, the publisher of the signed software is correctly identified and the user can verify that the software has not been tampered with since it was signed. As a result, users can make a more informed decision on whether to download or install the software.

AB#11125
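The two properties described in the Background section (origin is identified, post-release tampering is detected) come down to a detached signature check that a consumer runs before trusting an artifact. The following Go program is an added illustration, not Radius project code and not what the Azure Code Signing action does: Authenticode signing uses an X.509 certificate chain, whereas this example stands in with a raw Ed25519 key pair and a constructed byte string in place of a real rad CLI build, so it can run offline and show the same pass/fail behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// releaseArtifact is a constructed stand-in for a built binary (not a real rad build).
var releaseArtifact = []byte("rad CLI v0.0.0 (constructed sample binary contents)")

// SignArtifact hashes the artifact and signs the digest with the publisher's private key.
// Hashing first keeps the signed message fixed-size regardless of binary size.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact recomputes the digest and checks the detached signature against the
// publisher's public key. It reports false when the bytes changed after signing
// (integrity) or when the signature came from a different key (origin).
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo runs one sign/verify cycle and returns whether the genuine artifact,
// a tampered copy, and a verification under the wrong key each pass.
func Demo() (genuineOK, tamperedOK, wrongKeyOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignArtifact(priv, releaseArtifact)
	genuineOK = VerifyArtifact(pub, releaseArtifact, sig)

	// Flip a single bit, as a post-release modification would.
	tampered := append([]byte{}, releaseArtifact...)
	tampered[0] ^= 0x01
	tamperedOK = VerifyArtifact(pub, tampered, sig)

	// A key the publisher does not control must not validate the publisher's signature.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	wrongKeyOK = VerifyArtifact(otherPub, releaseArtifact, sig)
	return genuineOK, tamperedOK, wrongKeyOK
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```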

azure-boards[bot] commented 9 months ago

✅ Successfully linked to Azure Boards work item(s):

radius-triage-bot[bot] commented 9 months ago

:+1: We've reviewed this issue and have agreed to add it to our backlog. Please subscribe to this issue for notifications, we'll provide updates when we pick it up.

We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue.

For more information on our triage process please visit our triage overview.