Summary
azd update applies code-signing verification only on the direct binary download path (updateViaBinaryDownload), but skips it for the Windows MSI/install-script path and all Linux paths.
Affected paths

| Update path | Signature verified? | Details |
| --- | --- | --- |
| Direct binary download (macOS) | Yes | codesign -v --strict |
| Direct binary download (Windows) | Yes | Get-AuthenticodeSignature |
| Direct binary download (Linux) | No | Skipped — no standard mechanism |
| Windows MSI via install-azd.ps1 | No | -SkipVerify is passed to the install script |
| Linux/macOS via install-azd.sh | Yes | No verification in updater; relies on script; script checks for macOS |
| Linux/macOS via install-azd.sh | No | No verification in updater; relies on script; script skipped — no standard mechanism |
| Homebrew cask | N/A | Delegated to brew |
| winget / choco | N/A | Delegated to package manager |

Why this matters
The Windows MSI path (updateViaMSI) is the primary update method for most Windows users, yet it explicitly bypasses Authenticode verification by passing -SkipVerify to install-azd.ps1. HTTPS transport alone is weaker than verifying the publisher signature on the downloaded artifact.
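
One way to gate a downloaded MSI on its publisher signature before it is run, using the same Get-AuthenticodeSignature cmdlet the direct-download path relies on. This is an added example, not code from azd or install-azd.ps1; the function name and the ExpectedPublisher parameter are hypothetical, and the publisher name is supplied by the caller.

```powershell
# Added example, not azd code. Assert-InstallerSignature and
# $ExpectedPublisher are hypothetical names chosen for illustration.
function Assert-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Fail closed: any status other than Valid (NotSigned, HashMismatch,
    # NotTrusted, UnknownError, ...) stops the update.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Signature status is '$($sig.Status)' for ${Path}: $($sig.StatusMessage)"
    }

    # A valid chain only proves that some trusted publisher signed the file,
    # so also pin the signer's common name to the expected publisher.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        $false)
    if ($signer -ne $ExpectedPublisher) {
        throw "Unexpected signer '$signer' (expected '$ExpectedPublisher')"
    }

    return $sig
}

# Usage (placeholder values): verify first, install only if no exception was thrown.
# Assert-InstallerSignature -Path $msiPath -ExpectedPublisher '<expected publisher CN>'
```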