Signing Powershell Scripts

bonejon · 19 October 2015 10:52

Hi,

Our infrastructure team has just indicated that they would prefer to add a number of security restrictions to our UAT and Production environments, one of these is to restrict the servers to only run signed powershell scripts.

Is there any way to get Octopus Deploy to sign both the generated scripts for in-built tasks and also custom step tasks?

Thanks, Jon.

Dalmiro · 19 October 2015 21:18

Hi,

Thanks for getting in touch. Unfortunately this is not possible. We bypass the execution policy usually, and we can’t run under policies that require signing

Sorry for the bad news,

Dalmiro

bonejon · 20 October 2015 12:34

Hi Dalmiro,

Thanks for the reply, I’ve just passed the info back to the infrastructure team and apparently this is going to become a requirement for us. The company has instructed an external company to advise and monitor system security, one of their key points is powershell security.

Is this going to appear on the OctopusDeploy road map at any point ?

Thanks, Jon.

Dalmiro · 22 October 2015 14:12

Hi,

I’ve discussed this with the team and we decided to create a github issue to estimate value and effort of this implementation. We’ve been asked about it a couple of times (not that many), so we’re gonna see what we can do about it.

Best regards,

Dalmiro

bonejon · 22 October 2015 15:00

Hi Dalmiro,

Thanks for the positive response, we will watch the gitgub issue with interest.

Regards, Jon.

lance_hall · 26 October 2015 17:14

Hi,

I am not part of the Octopus deploy support staff. Am I allowed to comment and possibly give you a solution?

Thanks,
Lance

Dalmiro · 26 October 2015 20:20

Hi Lance,

You definitely can. It’ll be up to the user to decided whether or not to follow the instructions given by someone that’s not part of the Octopus team. Just like in any other tech forum

Thanks,

Dalmiro

lance_hall · 27 October 2015 09:00

Hi Dalmiro,

Thanks for that!

@Jon, What about using the predeploy.ps1 to change the execution policy of your script. You then run your deploy script and in the postdeploy set the execution policy back to restricted.

You will then only have a very small gap that the server will have a unrestricted execution policy and your security department “Shouldn’t” have an issue with that.

Let me know what you think.

Thanks,
Lance

Dalmiro · 27 October 2015 19:07

Hi Lance - That approach will only work for scripts written by the user, It wont cover the scripts dynamically created by Octopus.

lance_hall · 28 October 2015 08:44

But surely this can be done in a previous step before the Octopus created script runs?

bonejon · 30 October 2015 13:24

Hi Both,

Surly there is a more obvious blocker to this solution. PreDeploy.ps1 is a powershell script that will be written to the file system ?? Therefore, would it not also be blocked from execution by the very policy it is attempting to disable.

Regards, Jon.

lance_hall · 30 October 2015 13:33

Hi Jon,

What I would do to test this is

set execution policy to restricted on the server you want to test to.
Create a powershell script step in your project. In the script section add in your execution policy to unrestricted.
Create a new step with a script that would normally be blocked.
Create another step to set the execution policy back to restricted.

Let me know how it goes.

Thanks,
Lance