
Can extensions be trusted?

Open iRon7 opened this issue 4 years ago • 4 comments

We are in a highly secured environment and I am currently in a test phase for SecretManagement/Microsoft.PowerShell.SecretStore. How is the trust/security of the 3rd party extensions (e.g. SecretManagement.KeePass) guaranteed?

Related: Can dependencies be trusted?

iRon7 avatar Nov 25 '21 11:11 iRon7

It is your decision whether you trust this developer. If yes, you need to check the code signature to trust the code.

iSazonov avatar Nov 25 '21 18:11 iSazonov
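A practical form of that signature check, as an added example that is not code from the thread or from the SecretManagement project: enumerate the files an installed extension module ships, report their Authenticode signature state, and list the modules its manifest declares as dependencies. The module name is a parameter; the default is only the extension named in the question.

```powershell
# Added example (not from the issue thread): report the Authenticode status of
# every file an installed SecretManagement extension ships, plus its declared
# dependencies. 'SecretManagement.KeePass' is used as the default name only
# because it is the extension mentioned in the question.
param(
    [string]$ModuleName = 'SecretManagement.KeePass'
)

$module = Get-Module -ListAvailable -Name $ModuleName |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    throw "Module '$ModuleName' is not installed."
}

# Scripts, module manifests and assemblies shipped by the extension.
$files = Get-ChildItem -Path $module.ModuleBase -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.dll

$report = foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File       = $file.FullName.Substring($module.ModuleBase.Length).TrimStart('\', '/')
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

$report | Format-Table -AutoSize

# Anything other than 'Valid' (unsigned, tampered, or an untrusted chain) is a
# reason to stop and review the code before registering the vault.
$untrusted = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($untrusted.Count -gt 0) {
    Write-Warning ("{0} of {1} files are not validly signed; review before use." -f $untrusted.Count, @($report).Count)
}

# Dependencies the extension pulls in (the 'Can dependencies be trusted?'
# question) are declared in its manifest; list them so they get the same check.
foreach ($dep in $module.RequiredModules) {
    "Depends on: $($dep.Name) $($dep.Version)"
}
```

A valid signature only proves who signed the files and that they have not changed since; whether that signer is trusted is still the decision described in the reply above.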

@iSazonov,

It is your decision whether you trust this developer

I guess this is exactly what it is. As it concerns secret data, I think that the responsibility should be taken at a higher level with e.g. certification of the SecretManagement extensions which might even include (Microsoft) code signing the extensions or otherwise some clear disclaimers which would also help in deciding how deep I should investigate in the concerned extensions (or even rewrite them myself).

iRon7 avatar Nov 27 '21 14:11 iRon7

certification of the SecretManagement extensions

It makes sense. I'm afraid only big manufacturers can do it.

iSazonov avatar Nov 27 '21 17:11 iSazonov

Microsoft, of course, cannot make any security guarantees for third party vault extensions. I think trust will have to come through community involvement, with code reviews and security reviews.

PaulHigin avatar Nov 29 '21 18:11 PaulHigin