iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
I found this in the Vagrant file used to bring up some Windows Docker hosts. Chocolatey? It's a package manager for Windows.
The script in question (https://chocolatey.org/install.ps1) is fetched (iwr) and then run (iex). Hmm.
Well, if someone hijacks our DNS or mounts a MITM, we should get an HTTPS error due to the certificate mismatch, so I guess that can be OK. The script itself carries an Authenticode signature, but we are not making use of it.
PS C:\Users\vagrant> Get-ExecutionPolicy
RemoteSigned
There exist some unsigned copies of the installer (e.g. here), referenced from the install docs (e.g. here).
Reading a bit more, it seems maybe:
Set-ExecutionPolicy RemoteSigned
$env:chocolateyVersion = '0.10.11'
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
is the 'safe' way? This means that we trust the signer: their process, their code, and their control of the signing keys.
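For comparison, here is an added example (my own, not from the Chocolatey docs or the original Vagrant file) of what actually using that Authenticode signature looks like: download the installer to disk, check the signature with Get-AuthenticodeSignature, optionally pin the signer subject and a SHA-256 hash, and only then execute it as a file. Running a file (rather than iex on a downloaded string) is also what makes the RemoteSigned execution policy apply, because iex on a string never consults the policy. The expected signer subject and hash are placeholders you would fill in from a copy you have already inspected.

```powershell
# Added example (not from the original post): fetch the Chocolatey installer to disk,
# verify its Authenticode signature and (optionally) a pinned SHA-256, then run it as a
# file so the RemoteSigned execution policy actually applies. The expected signer
# subject and hash below are placeholders to be set from a known-good copy.
$Url             = 'https://chocolatey.org/install.ps1'
$Path            = Join-Path $env:TEMP 'chocolatey-install.ps1'
$ExpectedSubject = 'CN=<EXPECTED-SIGNER-SUBJECT-PLACEHOLDER>'   # placeholder: assumption, fill from a trusted copy
$ExpectedSha256  = '<EXPECTED-SHA256-PLACEHOLDER>'             # placeholder: assumption, fill from a trusted copy

# Version pin from the original post; the installer reads this environment variable.
$env:chocolateyVersion = '0.10.11'

# Download to a file instead of piping into iex. A TLS error (DNS hijack or MITM with a
# certificate our CA store does not trust) aborts here, so the step fails closed.
Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# 1. Authenticode check: the status must be Valid (trusted chain, not revoked, not
#    tampered with) and the signer must be the one we expect.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Installer signature is not valid: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Optional hash pin: catches a replaced or re-signed script even when the signature
#    itself still validates. Skipped while the placeholder has not been filled in.
$actualSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($ExpectedSha256 -notlike '<*' -and $actualSha256 -ne $ExpectedSha256) {
    throw "Hash mismatch: expected $ExpectedSha256, got $actualSha256"
}

# 3. Run as a file. The download carries the Internet zone mark, so under RemoteSigned
#    PowerShell re-checks the signature before executing; iex on a string skips that.
& $Path
```

The signer-subject check is the part that turns "trust whoever holds a valid code-signing certificate" into "trust this particular signer"; the hash pin goes one step further and is what you would use in a build image where the installer version is frozen anyway.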
Comments?