Allow Octopus to run signed PowerShell scripts
Add the ability for Octopus to run all PowerShell scripts on Tentacle as signed using the Tentacle certificate.
We have clients that enforce the script signing. Is this possible yet?
Blair Paine commented
Our business has a requirement to have all PowerShell scripts signed. This policy is forced by security software installed on deployment targets. Unfortunately, without this capability we can no longer use Octopus Deploy as an enterprise application.
I would like to enhance this by also requesting Octopus allow for loading/using a "Script Signing Certificate" on the Octopus server that will be consumable (in a domain/CA) by the destination (Tentacle) systems, allowing servers in a locked-down production environment to execute PowerShell scripts (my company won't allow staging and prod's PowerShell execution policy to be anything less than AllSigned (i.e., does not allow Unrestricted or RemoteSigned), thus forcing us to load the signed scripts into NuGet packages and consume them on the Tentacle boxes).
However, to fully utilize Octopus's Step Templates, and other built-in PowerShell execution capability, the Octopus server will need to be able to sign the scripts with a PowerShell script-signing cert that is installed in the domain CA, so the Tentacle boxes can execute them with the security team's signoff (thank goodness Octopus has well-implemented project-level RBAC).
Implementing script signing and allowing admins to select which certificate Octopus uses to sign the scripts (per environment would be even more awesome, due to our multiple domains) will be the only way we will be able to use advanced Octopus capabilities like step-templates and "Run a Script" steps against our internal server deployment locations.
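
The workaround described in the comment above (signing scripts before they go into a NuGet package so they run under AllSigned) can be gated at build time. The following is an added example, not part of this thread and not Octopus functionality; the parameter names, staging folder, thumbprint and timestamp URL are assumptions supplied by the caller.

```powershell
# Added example: sign every PowerShell file in a package staging folder and
# refuse to continue unless each signature verifies as Valid.
# Assumption: the signing certificate is in the build account's personal store.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $PackageRoot,   # folder that will be packed (placeholder)
    [Parameter(Mandatory)] [string] $Thumbprint,    # code-signing cert thumbprint (placeholder)
    [string] $TimestampServer                       # optional timestamp URL (placeholder)
)

$ErrorActionPreference = 'Stop'

# -CodeSigningCert returns only certificates that carry the Code Signing EKU.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate $Thumbprint in CurrentUser\My." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

$scripts = Get-ChildItem -Path $PackageRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1
$failed  = @()

foreach ($script in $scripts) {
    $signArgs = @{
        FilePath      = $script.FullName
        Certificate   = $cert
        HashAlgorithm = 'SHA256'
    }
    # A timestamp keeps the signature verifiable after the certificate expires.
    if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
    Set-AuthenticodeSignature @signArgs | Out-Null

    # Re-read the signature from disk instead of trusting the signing call.
    $sig = Get-AuthenticodeSignature -FilePath $script.FullName
    if ($sig.Status -ne 'Valid') {
        $failed += "{0}: {1} ({2})" -f $script.FullName, $sig.Status, $sig.StatusMessage
    }
}

if ($failed.Count -gt 0) {
    throw "Unsigned or invalid scripts, do not package:`n$($failed -join "`n")"
}
"Signed and verified $($scripts.Count) script(s) under $PackageRoot."
```

A `Valid` status here only reflects trust on the machine doing the signing; each target still has to trust the issuing CA and the publisher certificate for the scripts to run non-interactively under AllSigned.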