Severity: Warning
File: setup/signpath.ps1
Lines: 73, 96
Description:
The API token is read from a plaintext .signpath / .signpath.env file on disk. There is no protection against the file being world-readable, no mention of file permissions, and the token is stored as plaintext. If the signing script runs in a shared build environment, any user with read access to the script directory can read the API token.
Suggested fix:
Document that the file must have restricted filesystem ACLs. Prefer environment variable injection ($env:SIGNPATH_API_TOKEN) for the token, falling back to the file only if the env var is absent.
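One way to implement the suggested lookup order, as an added example that is not code from `setup/signpath.ps1`: the function name `Get-SignPathApiToken`, its `-TokenFile` parameter and the `SIGNPATH_API_TOKEN=<value>` line format of the fallback file are assumptions, and the ACL check assumes Windows PowerShell or PowerShell on Windows.

```powershell
# Added example: hypothetical helper, not part of setup/signpath.ps1.
# Assumption: the fallback file holds a line of the form SIGNPATH_API_TOKEN=<value>.
function Get-SignPathApiToken {
    param(
        [Parameter(Mandatory)] [string] $TokenFile
    )

    # 1. Prefer the token injected through the environment (e.g. a CI secret).
    if (-not [string]::IsNullOrWhiteSpace($env:SIGNPATH_API_TOKEN)) {
        return $env:SIGNPATH_API_TOKEN.Trim()
    }

    # 2. Fall back to the file only when the variable is absent.
    if (-not (Test-Path -LiteralPath $TokenFile -PathType Leaf)) {
        throw "SIGNPATH_API_TOKEN is not set and '$TokenFile' does not exist."
    }

    # Refuse a file that broad groups can read. Well-known SIDs are used
    # so the check does not depend on the OS display language.
    $broadSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545'   # BUILTIN\Users
    )
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $acl      = Get-Acl -LiteralPath $TokenFile
    # Explicit and inherited rules, with identities translated to SIDs.
    $rules    = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $canRead = ($rule.FileSystemRights -band $readData) -ne 0
        if ($rule.AccessControlType -eq $allow -and $canRead -and
            $broadSids -contains $rule.IdentityReference.Value) {
            throw "'$TokenFile' is readable by $($rule.IdentityReference.Value); restrict its ACL."
        }
    }

    # 3. Take the first SIGNPATH_API_TOKEN=... line from the file.
    $line = Get-Content -LiteralPath $TokenFile |
        Where-Object { $_ -match '^\s*SIGNPATH_API_TOKEN\s*=' } |
        Select-Object -First 1
    if (-not $line) {
        throw "No SIGNPATH_API_TOKEN entry found in '$TokenFile'."
    }
    return ($line -replace '^\s*SIGNPATH_API_TOKEN\s*=\s*', '').Trim()
}
```

The ACL check only rejects the three broad groups listed; a rule that grants read access to any other unintended account still has to be caught by reviewing the file's ACL.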