Sign the winget packages published for Windows clients

[Nogal]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The package installed on windows machines is unsigned, which is a security risk.

This can be achieved using "signtool" which is part of the Windows SDK:
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/

Why is this needed?

Primarily, this lets any user be completely sure that the software they're installing actually came from you. Should a malicious actor get your publishing keys, they would also need to get a hold of your signing keys as well in order to really do damage.

We would like to restrict our client machines to only run trusted signed code. Currently to run step-cli this requires a whitelist exception in our policy for the executable, which of course changes between versions, and should a company implement an exception incorrectly (or even correctly depending on the limitations of their security software) it could result in malicious code taking advantage of the hole and infecting the network.

[tashian]

Looks like we could use mtrojnar/osslsigncode to sign the exe file for Winget.

[redrac]

+1 this is a common problem at our corp that the step CLI doesn't have FW access to public network because its not signed