At work there is some pressure from security management to activate a PowerShell execution policy which would prevent running any unsigned PowerShell scripts.
This would mean that we couldn't install or update the IcingaForWindows with the IcingaForWindows.ps1 kickstart script or the IcingaManagementConsole anymore. We would have to sign every file by ourselves, zipping the results and uploading them to our mirror before recreating the ifw.reso.json.
Are there any plans or ways to release new versions with signed PowerShell files? If we would have to add a custom CA (e.g. Icinga/Netways CA) certificate this wouldn't be the problem.
Or at least some way to recreate the ifw.reso.json in an automatic way?
TIA and best regards, Johannes
Thank you for your issue. At the moment there are no plans to provide Icinga for Windows with signed files.
The reason for that is the way the entire design of the solution works by using a cache file which is automatically generated on each environment to increase the performance while loading Icinga for Windows.
We will have to play around and check if we are able to provide signed modules or if:
- The code signing will simply not work
- The changes provided will cause invalid trust
The ifw.repo.json can already be generated automatically by creating your own repositories.
Thanks for your answer. Although it's not what I wanted to hear this is still something I can work with :)
One question though: The cache file is also a PowerShell file, isn't it? Thus a policy which would ban the running of unsigned PowerShell files would render IcingaForWindows useless?
Regarding creating our own repository with signed IcingaForWindows modules, the workflow would be like this:
1. Create signed versions of any PowerShell script of the IcingaForWindows modules (inside the given zip archives)
2. Recreate the zip files of every module with the signed versions
3. Create the repository with the commands given in the documentation
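The first two steps of the workflow listed above, sketched as an added example that is not part of the original thread and not Icinga's own tooling. The directory paths, the optional timestamp URL parameter and the choice of a certificate from the current user's store are assumptions.

```powershell
# Added example: sign every PowerShell file inside each module archive, then re-zip it.
param(
    [string]$SourceDir = 'C:\ifw\unsigned',   # assumed: folder with the downloaded module zips
    [string]$TargetDir = 'C:\ifw\signed',     # assumed: folder that is later uploaded to the mirror
    [string]$TimestampServer = ''             # optional RFC 3161 timestamp URL of your CA
)
$ErrorActionPreference = 'Stop'

# Use the longest-valid code-signing certificate from the current user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found.' }

New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

foreach ($zip in Get-ChildItem -Path $SourceDir -Filter *.zip) {
    $work = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
    Expand-Archive -Path $zip.FullName -DestinationPath $work

    # Step 1: sign scripts, modules and manifests; stop on the first failure
    # so that no partially signed archive reaches the mirror.
    $signArgs = @{ Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
    $files = Get-ChildItem -Path $work -Recurse -File -Include *.ps1, *.psm1, *.psd1
    foreach ($f in $files) {
        $sig = Set-AuthenticodeSignature -FilePath $f.FullName @signArgs
        if ($sig.Status -ne 'Valid') {
            throw "Signing failed for $($f.FullName): $($sig.StatusMessage)"
        }
    }

    # Step 2: recreate the archive under the same name with the signed files.
    Compress-Archive -Path (Join-Path $work '*') `
        -DestinationPath (Join-Path $TargetDir $zip.Name) -Force
    Remove-Item -Path $work -Recurse -Force
}
# Step 3: build the repository from $TargetDir with the commands from the
# Icinga for Windows documentation.
```

This covers only the files shipped in the archives; the cache file discussed in this thread is generated on each host afterwards and is not signed by this script.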
No, that should basically be it. The issue is that the Framework as well as the plugins generate their own cache file to speed up performance during the initialization of Icinga for Windows.
Based on my previous testing, you had to sign the cache file to make sure Icinga for Windows is signed. However, every time you generate a new cache, the signing would be overwritten.
I will take a look into this in the next few moments. Maybe this is something we can change for Icinga for Windows 2, as the general way right now is to use the Icinga for Windows API as well as direct API communication by the Icinga Agent.
The previous performance boost that was required for the cache file seems only important for older environments, not using Icinga Agent 2.12.x or later or Icinga for Windows 1.11.x or later.