Severity: Info
File: setup/signpath.ps1 lines 32–47
Description:
The signing helper installs the PowerShell SignPath module without pinning a version:
    if (-not (Get-Module -ListAvailable -Name SignPath)) {
        Write-Host "SignPath module not found. Installing..."
        Install-Module -Name SignPath -Force    # no -RequiredVersion
        Import-Module SignPath -Force
        Write-Host "SignPath module installed and imported."
    } else {
        Import-Module SignPath -Force           # no -RequiredVersion
        Write-Host "SignPath module already installed."
    }
Consequences:
- Every first-time install fetches whatever is currently the latest on the PS Gallery.
- If the module ships a breaking parameter rename (e.g., on Submit-SigningRequest), the signing pipeline fails at release time with no signal about which version was pulled.
- There is no audit line recording which version was actually used to sign a given build, which matters for supply-chain incident response.
Suggested fix:
Pin a known-good version and log the version actually loaded. If new versions need evaluation, do it deliberately via a PR that bumps the constant:
    $requiredSignPathVersion = '0.2.0'    # adjust to the known-good version
    if (-not (Get-Module -ListAvailable -Name SignPath | Where-Object { $_.Version -eq $requiredSignPathVersion })) {
        Install-Module -Name SignPath -RequiredVersion $requiredSignPathVersion -Force -Scope CurrentUser
    }
    Import-Module SignPath -RequiredVersion $requiredSignPathVersion -Force
    Write-Host "SignPath module $((Get-Module SignPath).Version) loaded."
Companion to #583 (which covers the token file) — this is the other half of locking down the signing entry point.
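A fuller version of the suggested fix, added here as an illustration and not taken from the project's setup/signpath.ps1: it fails closed if anything other than the pinned version ends up in the session, and writes one JSON audit line per build so incident response can tell which module version and file signed a given artifact. The $BuildId source (BUILD_BUILDID) and the audit file path are assumptions.

```powershell
# Added example, not the project's code. Assumed: BUILD_BUILDID is the CI build
# identifier and signpath-audit.jsonl is where the pipeline collects audit lines.
param(
    [string]$RequiredVersion = '0.2.0',          # known-good pin, bumped only via PR
    [string]$BuildId = $env:BUILD_BUILDID,       # assumed CI variable
    [string]$AuditPath = 'signpath-audit.jsonl'  # assumed audit log location
)

$ErrorActionPreference = 'Stop'

function Import-PinnedSignPath {
    param([string]$Version)
    $installed = Get-Module -ListAvailable -Name SignPath |
        Where-Object { $_.Version -eq [version]$Version }
    if (-not $installed) {
        Install-Module -Name SignPath -RequiredVersion $Version -Force -Scope CurrentUser
    }
    Import-Module SignPath -RequiredVersion $Version -Force

    # Verify what is actually loaded: exactly one SignPath module, at the pinned version.
    $loaded = @(Get-Module -Name SignPath)
    if ($loaded.Count -ne 1 -or $loaded[0].Version -ne [version]$Version) {
        $seen = ($loaded | ForEach-Object { $_.Version.ToString() }) -join ', '
        throw "Expected SignPath $Version, session has: [$seen]"
    }
    return $loaded[0]
}

function Write-SignPathAudit {
    param([System.Management.Automation.PSModuleInfo]$Module, [string]$BuildId, [string]$Path)
    # One line per build: which version, from where, and the hash of the module's root file.
    $record = [ordered]@{
        timestamp      = (Get-Date).ToUniversalTime().ToString('o')
        buildId        = $BuildId
        module         = $Module.Name
        version        = $Module.Version.ToString()
        moduleBase     = $Module.ModuleBase
        rootFileSha256 = (Get-FileHash -Algorithm SHA256 -Path $Module.Path).Hash
    }
    ($record | ConvertTo-Json -Compress) | Add-Content -Path $Path
}

$mod = Import-PinnedSignPath -Version $RequiredVersion
Write-SignPathAudit -Module $mod -BuildId $BuildId -Path $AuditPath
Write-Host "SignPath module $($mod.Version) loaded; audit line appended to $AuditPath"
```

Publishing the audit file as a build artifact alongside the signed binaries keeps the version-to-build mapping available after the agent is gone.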