Document Details

6 Sign Package
Home / Scan 41 / 6 Sign Package
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ windows_first
⚠️ powershell_heavy
⚠️ windows_tools
Summary:
The documentation demonstrates a Windows-first bias by presenting Windows/Powershell instructions and examples before Linux equivalents. The primary signing workflow is described using Powershell cmdlets and Windows certificate tools, with Linux instructions following and still relying on Powershell for the signing step. The certificate export/import examples and references are also Windows-centric, and Azure Policy/Key Vault links are Windows-focused.
Recommendations:
  • Present Linux and Windows instructions in parallel sections or with equal prominence, rather than listing Windows first.
  • Provide native Linux command-line examples for all steps, including package signing, certificate/key generation, and installation, using standard Linux tools (e.g., OpenSSL, GPG, update-ca-certificates) without requiring Powershell.
  • Include Linux-focused references and links (e.g., to Azure Linux VM documentation, Linux Key Vault setup).
  • Clarify which steps require Powershell and offer alternatives for Linux users who may not have Powershell installed.
  • Ensure that all parameter documentation and examples are equally detailed for both platforms.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-07-12 23:44 #41 in_progress ❌ Biased
2025-07-12 00:58 #8 cancelled ✅ Clean
2025-07-10 05:06 #7 processing ✅ Clean

Flagged Code Snippets

# How to create a self sign cert and use it to sign Machine Configuration # custom policy package # Create Code signing cert $codeSigningParams = @{ Type = 'CodeSigningCert' DnsName = 'GCEncryptionCertificate' HashAlgorithm = 'SHA256' } $certificate = New-SelfSignedCertificate @codeSigningParams # Export the certificates $privateKey = @{ Cert = $certificate Password = Read-Host "Enter password for private key" -AsSecureString FilePath = '<full-path-to-export-private-key-pfx-file>' } $publicKey = @{ Cert = $certificate FilePath = '<full-path-to-export-public-key-cer-file>' Force = $true } Export-PfxCertificate @privateKey Export-Certificate @publicKey # Import the certificate $importParams = @{ FilePath = $privateKey.FilePath Password = $privateKey.Password CertStoreLocation = 'Cert:\LocalMachine\My' } Import-PfxCertificate @importParams # Sign the policy package $certToSignThePackage = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=GCEncryptionCertificate" } $protectParams = @{ Path = '<path-to-package-to-sign>' Certificate = $certToSignThePackage Verbose = $true } Protect-GuestConfigurationPackage @protectParams
# generate gpg key gpg --gen-key $emailAddress = '<email-id-used-to-generate-gpg-key>' $publicGpgKeyPath = '<full-path-to-export-public-key-gpg-file>' $privateGpgKeyPath = '<full-path-to-export-private-key-gpg-file>' # export public key gpg --output $publicGpgKeyPath --export $emailAddress # export private key gpg --output $privateGpgKeyPath --export-secret-key $emailAddress # Sign linux policy package Import-Module GuestConfiguration $protectParams = @{ Path = '<path-to-package-to-sign>' PrivateGpgKeyPath = $privateGpgKeyPath PublicGpgKeyPath = $publicGpgKeyPath Verbose = $true } Protect-GuestConfigurationPackage