Our infrastructure team has just indicated that they would prefer to add a number of security restrictions to our UAT and Production environments, one of these is to restrict the servers to only run signed powershell scripts.
Is there any way to get Octopus Deploy to sign both the generated scripts for in-built tasks and also custom step tasks?
Thanks for getting in touch. Unfortunately this is not possible. We bypass the execution policy usually, and we can’t run under policies that require signing
Sorry for the bad news,
Thanks for the reply, I’ve just passed the info back to the infrastructure team and apparently this is going to become a requirement for us. The company has instructed an external company to advise and monitor system security, one of their key points is powershell security.
Is this going to appear on the OctopusDeploy road map at any point ?
I’ve discussed this with the team and we decided to create a github issue to estimate value and effort of this implementation. We’ve been asked about it a couple of times (not that many), so we’re gonna see what we can do about it.
Thanks for the positive response, we will watch the gitgub issue with interest.
I am not part of the Octopus deploy support staff. Am I allowed to comment and possibly give you a solution?
You definitely can. It’ll be up to the user to decided whether or not to follow the instructions given by someone that’s not part of the Octopus team. Just like in any other tech forum
Thanks for that!
@Jon, What about using the predeploy.ps1 to change the execution policy of your script. You then run your deploy script and in the postdeploy set the execution policy back to restricted.
You will then only have a very small gap that the server will have a unrestricted execution policy and your security department “Shouldn’t” have an issue with that.
Let me know what you think.
Hi Lance - That approach will only work for scripts written by the user, It wont cover the scripts dynamically created by Octopus.
But surely this can be done in a previous step before the Octopus created script runs?
Surly there is a more obvious blocker to this solution. PreDeploy.ps1 is a powershell script that will be written to the file system ?? Therefore, would it not also be blocked from execution by the very policy it is attempting to disable.
What I would do to test this is
- set execution policy to restricted on the server you want to test to.
- Create a powershell script step in your project. In the script section add in your execution policy to unrestricted.
- Create a new step with a script that would normally be blocked.
- Create another step to set the execution policy back to restricted.
Let me know how it goes.