
Please provide a signed version of install.ps1

Open dpaoliello opened this issue 2 years ago • 1 comments

The PowerShell install script (install/install.ps1) is currently unsigned, requiring anyone running it to bypass PowerShell's execution policy, potentially allowing a vector for a supply-chain attack (especially since it isn't obvious or easy to get a hash of the install scripts so that clients can verify them).

Can you please provide a signed version of the script, either checked in or as part of the release artifacts?

dpaoliello, Aug 18 '23 17:08

Thanks for bringing this to our attention, @dpaoliello. We're looking into the best way to handle a signed installation process. We're not yet sure if this will result in signing the install/install.ps1 script itself or preferring another mechanism altogether, but it's an active discussion.

reillysiemens, Aug 18 '23 19:08
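
What the client-side verification asked for in this issue could look like once a digest or a signed script is published, as an added example (not code from the microsoft-authentication-cli project). The function name, its parameters and the sample file are hypothetical, the pinned values are placeholders, and `Get-AuthenticodeSignature` requires Windows.

```powershell
# Added example: gate execution of a downloaded installer script on a pinned
# SHA-256 digest and/or an Authenticode signature. All names are hypothetical.
function Test-InstallScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Digest published out-of-band by the maintainer (assumption: one exists).
        [string] $ExpectedSha256,
        # Thumbprint of the signing certificate you expect (assumption).
        [string] $ExpectedThumbprint
    )
    if (-not ($ExpectedSha256 -or $ExpectedThumbprint)) {
        throw 'Pin a digest or a signer thumbprint; there is nothing to verify against.'
    }
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
            Write-Warning "SHA-256 mismatch: got $actual"
            return $false
        }
    }
    if ($ExpectedThumbprint) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails.
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status: $($sig.Status)"
            return $false
        }
        # A valid signature from an unexpected publisher is still a failure.
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
            return $false
        }
    }
    return $true
}

# Constructed sample: an unsigned stand-in script written to a temp file.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'install-sample.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "constructed sample installer"'
# Stands in for a digest the maintainer would publish.
$pinned = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash

# Case 1: file matches the pinned digest.
Test-InstallScript -Path $sample -ExpectedSha256 $pinned
# Case 2: file modified after the digest was pinned.
Add-Content -LiteralPath $sample -Value '# modified after pinning'
Test-InstallScript -Path $sample -ExpectedSha256 $pinned
# Case 3: signature required, but the sample is unsigned (placeholder thumbprint).
Test-InstallScript -Path $sample -ExpectedThumbprint ('0' * 40)
Remove-Item -LiteralPath $sample
```

Pinning the signer thumbprint as well as requiring a `Valid` status matters because any trusted code-signing certificate produces `Valid`, not only the publisher's.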