Document Windows App Control Feature #2654
|
||
The policy then should then add the certificate as a trusted publisher to the ``User Mode Signing Scenario``, for example this is an example policy configuration that contains a trusted publisher: | ||
|
||
.. code-block:: text |
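Review bot: the sentence that introduces the policy example repeats itself: "The policy then should then add" has a doubled "then", and "for example this is an example policy configuration" says "example" twice. Suggest splitting it into two sentences: "The policy should then add the certificate as a trusted publisher to the ``User Mode Signing Scenario``. The following policy configuration contains a trusted publisher:".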
I originally had this as .. code-block:: xml to get some XML highlighting but it seems like we don't have it enabled/allowed in this repo. Happy with text here but if we want to enable xml I can always change this back.
Hey, I'm not sure how to enable xml?
JFYI, https://github.com/ansible-community/ansible-pygments is used as a custom pygments in ansible doc, this is specified in conf.py by pygments = 'ansible'
The failing message was at https://github.com/ansible/ansible-documentation/actions/runs/15195285949/job/42737710900
/home/runner/work/ansible-documentation/ansible-documentation/docs/docsite/rst/os_guide/windows_app_control.rst:31:4: Warning: literal block with disallowed language: xml. If the language should be allowed, the checker needs to be updated. Currently allowed languages are: ansible-output, bash, console, csharp, diff, ini, jinja, json, md, none, powershell, python, rst, sh, shell, shell-session, text.
We have some documentation on this at https://github.com/ansible/ansible-documentation/blob/510375f072a8dce15a389ced9888dda93975b29d/docs/docsite/rst/dev_guide/style_guide/index.rst#syntax-highlighting---pygments and the list/check is coded at
ansible-documentation/tests/checkers/rst-yamllint.py
Lines 26 to 44 in 510375f
ALLOWED_LANGUAGES = {
    "ansible-output",
    "bash",
    "console",
    "csharp",
    "diff",
    "ini",
    "jinja",
    "json",
    "md",
    "none",
    "powershell",
    "python",
    "rst",
    "sh",
    "shell",
    "shell-session",
    "text",
}
I'm not sure if it's just us simply adding xml to this list so the check doesn't fail or whether there are other things that need to be enabled in the build to get it working.
|
||
The policy then should then add the certificate as a trusted publisher to the ``User Mode Signing Scenario``, for example this is an example policy configuration that contains a trusted publisher: | ||
|
||
.. code-block:: text |
Maybe?
.. code-block:: text | |
.. code-block:: XML |
Unfortunately the xml highlighting needs to be enabled in the project first.
Co-authored-by: Abhijeet Kasurde <[email protected]>
@oraNod PTAL
Co-authored-by: Sandra McCann <[email protected]>
Once the code signing certificate has been generated and trusted by the Windows host, it can be used to sign the scripts that Ansible will run. The PowerShell script `New-AnsiblePowerShellSignature.ps1 <https://raw.githubusercontent.com/ansible/ansible-documentation/refs/heads/devel/examples/scripts/New-AnsiblePowerShellSignature.ps1>`_ can be used to sign both the execution wrapper used by Ansible to invoke modules and any PowerShell modules inside an Ansible collection. It requires the following to run: | ||
|
||
* PowerShell 7.4 or later | ||
* The `OpenAuthenticode <https://github.com/jborean93/PowerShell-OpenAuthenticode>`_ PowerShell module |
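Review bot: the link for New-AnsiblePowerShellSignature.ps1 in the first added line points at refs/heads/devel on raw.githubusercontent.com, so the content behind it changes whenever the branch does. Because this script signs content that the App Control policy will then trust, consider linking to a tagged or commit-pinned copy, or telling readers to review the script before running it. The requirements list gives a minimum version for PowerShell but none for the OpenAuthenticode module; state one if it matters.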
Just going to put this comment here for consideration. Should this repo move to the Ansible org so it is "more official" than a personal repo?
This is part of why the feature is a tech preview and not something we support officially. A future version of Ansible will most likely include a tool we support and maintain that can sign content but for now it’s down to 3rd party tools.
Thanks @jborean93 LGTM 👍
This adds some documentation for a new feature added in Ansible 2.19.