Trust thy neighbour: the Windows equivalent of curl | sudo bash

iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex

I find this in the Vagrantfile used to bring up some Windows Docker. Chocolatey? It's a package manager for Windows.

The script in question (https://chocolatey.org/install.ps1) is fetched (iwr) and then run (iex). Hmm.

Well, if someone hijacks our DNS, or MITMs us, we should get an HTTPS alert due to a CA mismatch. So I guess that can be OK. The script itself has some Authenticode signing, but we are not using that.

PS C:\Users\vagrant> Get-ExecutionPolicy 
RemoteSigned

There exist some unsigned copies of the install script (e.g. here), referenced in the install docs (e.g. here).

Reading a bit more, it seems maybe:

Set-ExecutionPolicy RemoteSigned
$env:chocolateyVersion = '0.10.11'

iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

is the 'safe' way? This means that we trust the signer (their process, their code, their control of the signing keys).
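One thing worth spelling out: the execution policy only governs script files. A string handed to Invoke-Expression is never signature-checked, so both one-liners above run whatever came down the wire, RemoteSigned or not. If the Authenticode signature is to count for anything, the script has to land on disk and be checked before it is executed. The following is an added example of that, written for this post; it is not Chocolatey's own code, and the signer subject string and the SHA-256 placeholder are assumptions to be replaced with values read from a copy you have reviewed.

```powershell
# Added example (not from the original post or from Chocolatey).
# Download a remote installer to a file, verify its Authenticode signature
# and signer, optionally pin its hash, and only then execute it as a file
# (so the execution policy actually applies to it).
function Invoke-VerifiedRemoteScript {
    param(
        [Parameter(Mandatory)] [string] $Url,
        # ASSUMPTION: the expected signer subject; read it once from a
        # known-good copy with Get-AuthenticodeSignature and hard-code it.
        [Parameter(Mandatory)] [string] $ExpectedSignerSubject,
        # Optional: pin the exact content that was reviewed.
        [string] $ExpectedSha256
    )

    # Older Windows PowerShell/.NET defaults can negotiate SSL3/TLS 1.0.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $path = Join-Path $env:TEMP ([IO.Path]::GetFileName($Url))
    Invoke-WebRequest -Uri $Url -OutFile $path -UseBasicParsing

    # 'Valid' means the signature matches the file AND chains to a root
    # trusted on this machine; anything else (NotSigned, HashMismatch,
    # UnknownError for an untrusted chain) is a refusal.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $path : signature status is $($sig.Status)"
    }

    # A valid signature from the wrong signer is still the wrong script.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "$ExpectedSignerSubject*") {
        throw "Refusing to run $path : unexpected signer '$subject'"
    }

    # Hash pinning removes the remaining trust in the signer's process:
    # only the exact bytes you reviewed will run.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            throw "Refusing to run $path : SHA-256 is $actual, expected $ExpectedSha256"
        }
    }

    # Execute as a file, not via iex, so RemoteSigned sees it too.
    & $path
}

# Usage. The subject below is an ASSUMPTION for illustration only.
Invoke-VerifiedRemoteScript -Url 'https://chocolatey.org/install.ps1' `
    -ExpectedSignerSubject 'CN=Chocolatey Software, Inc.'
```

Two caveats on what this buys you. A status of Valid is only as good as the certificate stores on the machine doing the check, so an attacker who can add a root there can sign whatever they like; and without the hash pin you are still trusting the signer's process and key handling, exactly as the post says. With the pin, the signature becomes a secondary check and the trust reduces to the review you did of that one file.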

Comments?
