Our infrastructure team has just indicated that they would prefer to add a number of security restrictions to our UAT and Production environments; one of these is to restrict the servers to only run signed PowerShell scripts.
Is there any way to get Octopus Deploy to sign both the generated scripts for in-built tasks and also custom step tasks?
Thanks for getting in touch. Unfortunately this is not possible. We bypass the execution policy usually, and we can’t run under policies that require signing.
Thanks for the reply. I’ve just passed the info back to the infrastructure team, and apparently this is going to become a requirement for us. The company has instructed an external company to advise on and monitor system security, and one of their key points is PowerShell security.
Is this going to appear on the Octopus Deploy roadmap at any point?
I’ve discussed this with the team and we decided to create a github issue to estimate value and effort of this implementation. We’ve been asked about it a couple of times (not that many), so we’re gonna see what we can do about it.
You definitely can. It’ll be up to the user to decide whether or not to follow the instructions given by someone that’s not part of the Octopus team, just like in any other tech forum.
@Jon, what about using the PreDeploy.ps1 to change the execution policy of your script? You then run your deploy script, and in the PostDeploy.ps1 set the execution policy back to restricted.
You will then only have a very small gap during which the server has an unrestricted execution policy, and your security department “shouldn’t” have an issue with that.
Surely there is a more obvious blocker to this solution. PreDeploy.ps1 is a PowerShell script that will be written to the file system? Therefore, would it not also be blocked from execution by the very policy it is attempting to disable?
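What the last post is pointing at is that under an AllSigned policy every script file is checked before it runs, so the only thing that actually gets a PreDeploy.ps1 past the policy is a valid Authenticode signature on the file itself. The following is an added example of signing and then verifying such a script from the server side; it is not code from any poster or from Octopus Deploy, and it assumes a code-signing certificate is already in the CurrentUser\My store and that the script lives at C:\Deploy\PreDeploy.ps1.

```powershell
# Added example (not from the thread or from Octopus Deploy).
# Assumptions: a code-signing certificate exists in Cert:\CurrentUser\My and the
# script to protect is C:\Deploy\PreDeploy.ps1. Both paths are placeholders.

$scriptPath = 'C:\Deploy\PreDeploy.ps1'

# Show the effective policy per scope. A policy set via Group Policy (MachinePolicy /
# UserPolicy) cannot be overridden by a process started with -ExecutionPolicy Bypass,
# so an unsigned PreDeploy.ps1 (even one that calls Set-ExecutionPolicy) is refused
# before a single line of it executes.
Get-ExecutionPolicy -List

# Pick a certificate that carries the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate found in Cert:\CurrentUser\My.'
}

# Sign the file. The signature is appended as a "# SIG # Begin signature block" comment,
# so any later edit to the file (for example a tool rewriting it at deploy time)
# invalidates it and AllSigned refuses it again. The timestamp keeps the signature
# valid after the certificate itself expires; the timestamp service is an assumed choice.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# Verify before handing the file to the deployment: Status must be 'Valid', which also
# requires the signing certificate to chain to a root the server trusts.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"$scriptPath is signed by $($sig.SignerCertificate.Subject)"
```

Signing only covers files you control before they reach the server; scripts that a deployment tool generates at run time are still unsigned unless that tool signs them, which is the gap the thread is asking Octopus to close.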