Need a new ArgKind to inform importers and adapters to check that content is signed
Summary of the new feature / enhancement
As part of the Authenticode scenario, once we have settings to handle signing of content (whether it's a warning or an error), we need a way to inform importers and adapters to check their own content.
Proposed technical implementation details (optional)
Define a new ArgKind:
{
  "untrustedContent": "[error|warn]"
}
DSC itself would either error or warn if the importer or adapter doesn't use this ArgKind.
ignore option?
It might be better to have importers/adapters return a JSON response with path and whether the content is trusted and have DSC handle the error, warn, and perhaps ignore. This way it'll be consistent.
I would definitely prefer to push the warn/error/ignore option up to DSC from the importers and adapters, wherever possible, as long as the importers and adapters have a way to tell DSC whether discovered items are trustable.
We should probably build trustability into the discovery API surface, so implemented adapters and importers can participate (and treat anything returned by non-participating adapters and importers as untrusted by default).
So, for example, the PSDSC adapters could report on whether the module files are signed with Authenticode, whether that signature was valid, and the signing identity.
I think making DSC responsible for telling the adapters and importers the current trust option does make sense, but I would expect DSC to handle the messaging instead of asking implementers to do so. Otherwise we risk varied messaging behaviors as implementations drift.
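The design the comments converge on (adapters report per-item trust facts, DSC applies the `untrustedContent` setting of error/warn/ignore in one place, and anything from a non-participating adapter is untrusted by default) can be sketched as follows. This is an added illustration, not code from the DSC project or any of the commenters; the field names `path`, `trust`, `signed`, `signatureValid` and `signer` are assumptions standing in for whatever the discovery API surface would actually define, and the discovery list is constructed sample data.

```python
"""DSC-side trust policy, as sketched in the thread (hypothetical, not DSC's real schema).

Assumptions: an adapter/importer returns a JSON list of discovered items. A
participating adapter attaches a "trust" object with "signed", "signatureValid"
and "signer"; a non-participating adapter returns items without it, which DSC
treats as untrusted by default. DSC alone decides what error/warn/ignore means,
so every adapter produces the same messages.
"""
import json
from dataclasses import dataclass, field

POLICIES = ("error", "warn", "ignore")  # values of the untrustedContent setting


@dataclass
class TrustResult:
    path: str
    trusted: bool
    reason: str


@dataclass
class Outcome:
    accepted: list = field(default_factory=list)  # items DSC will go on to use
    warnings: list = field(default_factory=list)  # uniform messages, policy = warn
    errors: list = field(default_factory=list)    # uniform messages, policy = error


def evaluate_item(item: dict) -> TrustResult:
    """Decide trust for one discovered item; untrusted unless every check passes."""
    path = item.get("path", "<unknown>")
    trust = item.get("trust")
    if trust is None:
        return TrustResult(path, False, "adapter did not report trust information")
    if not trust.get("signed", False):
        return TrustResult(path, False, "content is not signed")
    if not trust.get("signatureValid", False):
        return TrustResult(path, False, "signature is not valid")
    signer = trust.get("signer")
    if not signer:
        return TrustResult(path, False, "signature has no signer identity")
    return TrustResult(path, True, f"signed by {signer}")


def apply_policy(discovery_json: str, policy: str) -> Outcome:
    """Apply untrustedContent uniformly to an adapter's discovery response."""
    if policy not in POLICIES:
        raise ValueError(f"untrustedContent must be one of {POLICIES}, got {policy!r}")
    out = Outcome()
    for item in json.loads(discovery_json):
        result = evaluate_item(item)
        if result.trusted:
            out.accepted.append(result.path)
            continue
        message = f"untrusted content at {result.path}: {result.reason}"
        if policy == "error":
            out.errors.append(message)          # rejected, caller must fail
        elif policy == "warn":
            out.warnings.append(message)        # used, but the user is told
            out.accepted.append(result.path)
        else:
            out.accepted.append(result.path)    # ignore: used silently
    return out


# Constructed sample discovery response (not real adapter output).
SAMPLE_DISCOVERY = json.dumps([
    {"path": "C:/Program Files/PowerShell/Modules/Contoso.DSC/Contoso.DSC.psm1",
     "trust": {"signed": True, "signatureValid": True, "signer": "CN=Contoso Ltd"}},
    {"path": "C:/Users/alice/Modules/Tampered/Tampered.psm1",
     "trust": {"signed": True, "signatureValid": False, "signer": "CN=Contoso Ltd"}},
    {"path": "C:/Users/alice/Modules/Unsigned/Unsigned.psm1",
     "trust": {"signed": False}},
    {"path": "/opt/legacy-adapter/resource.yaml"},  # non-participating adapter
])


if __name__ == "__main__":
    for policy in POLICIES:
        result = apply_policy(SAMPLE_DISCOVERY, policy)
        print(f"[{policy}] accepted={len(result.accepted)} "
              f"warnings={len(result.warnings)} errors={len(result.errors)}")
        for line in result.warnings + result.errors:
            print("  " + line)
```

The point of keeping `apply_policy` in DSC rather than in each adapter is the consistency the last comment asks for: an adapter only reports facts about a file, and the wording and severity of what the user sees comes from one place. Treating an absent `trust` object as untrusted means a legacy adapter that never learns about the new field cannot accidentally pass unsigned content through as trusted.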