I’ve been evaluating PSADT (for the company that I work for) as an alternative deployment wrapper solution to the internally developed solution that is presently in use. Part of this evaluation involves an in-depth security assessment; I’ve been asked to make an inquiry to address a concern emphasized in the security assessment. Below is an excerpt from the assessment concerning signed executables/scripts in the PSADT.
Other observed vulnerabilities
- Signing
The PSADT product's executable and scripts extracted did not appear to be signed.
Recommendation to remediate:
The security engineer recommends following up with the vendor/developers for a signed version of the product.
Question: are there any plans to sign executables/scripts included in the PSADT to satisfy Information Security vulnerability mitigation?
We don’t currently have any plans to sign the toolkit. A certificate costs money that we don’t have to spend on this open source project (I think we’ve only ever received two donations on our donation page). Also, the toolkit is meant to be a starting point for users to customize it to their own internal needs. If we signed it, most users would still make their own modifications and then have the need to re-sign using their own certificates. Deploy-Application.ps1, for example, would never be signed by us as that is your custom script for controlling a deployment. If the requirement is that you sign it before you deploy it, then it’s trivial to sign the rest of the toolkit files at the same time.
Also, if your organization requires that all scripts/exes you deploy have to be signed, then you probably have a certificate you can use to re-compile/sign the EXEs and scripts included in our toolkit.
1 Like
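One way to do what the reply above describes, as an added example that is neither part of this thread nor of the toolkit itself: a PowerShell script that signs every signable toolkit file in a deployment folder with the organization's own code-signing certificate and then verifies the result before packaging. The folder path, the timestamp server URL and the optional thumbprint filter are assumed placeholders; Authenticode-signing the launcher EXE this way does not require recompiling it.

```powershell
# Added example (not from the original thread or from PSADT itself).
# Assumes: a code-signing certificate in the current user's Personal store,
# a toolkit copy under $ToolkitRoot, and a reachable RFC 3161 timestamp
# server. Both path values below are placeholders.
param(
    [string]$ToolkitRoot     = 'C:\Deploy\MyApp',                   # placeholder
    [string]$TimestampServer = 'http://timestamp.example.invalid',  # placeholder
    [string]$CertThumbprint                                         # optional filter
)

# 1. Pick the signing certificate (-CodeSigningCert filters on the EKU).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { -not $CertThumbprint -or $_.Thumbprint -eq $CertThumbprint } |
    Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# 2. Everything Authenticode can carry a signature for: the scripts, module
#    and data files, and the compiled Deploy-Application.exe launcher.
$patterns = '*.ps1', '*.psm1', '*.psd1', '*.exe', '*.dll'
$targets  = Get-ChildItem -Path $ToolkitRoot -Recurse -File -Include $patterns

foreach ($file in $targets) {
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain NotRoot
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for $($file.FullName): $($sig.Status) $($sig.StatusMessage)"
    }
}

# 3. Verify before packaging: every target must report Valid AND be signed by
#    the expected certificate, so a stale copy signed with some other cert
#    cannot slip into the package unnoticed.
$bad = Get-ChildItem -Path $ToolkitRoot -Recurse -File -Include $patterns |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' -or
                   $_.SignerCertificate.Thumbprint -ne $cert.Thumbprint }
if ($bad) {
    $bad | Format-Table Path, Status, StatusMessage -AutoSize
    throw "$($bad.Count) file(s) not correctly signed"
}
"Signed and verified $($targets.Count) file(s) with $($cert.Subject)"
```

Run it after your Deploy-Application.ps1 edits are final, since any later change to a signed file invalidates its signature (Get-AuthenticodeSignature will then report HashMismatch).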
I have a question about signing the Deploy-Application.exe, if I need to recompile this executable to contain my code signing certificate, which file would I recompile? Would this be the C# file that is in the AppDeployToolkit folder?
1 Like
Did you find the solution?