diff --git a/docs/src/content/docs/consumer/private-and-org-packages.md b/docs/src/content/docs/consumer/private-and-org-packages.md index 045af37a6..f483bb04e 100644 --- a/docs/src/content/docs/consumer/private-and-org-packages.md +++ b/docs/src/content/docs/consumer/private-and-org-packages.md @@ -146,6 +146,29 @@ dependencies: APM falls back across protocols on the same port: `ssh://host:7999` will retry as `https://host:7999/...` if SSH is unreachable. +### Custom SSH user + +By default APM clones over SSH as `git`. To authenticate as a different +SSH identity -- for example, an EMU account or a custom service +account -- include the user directly in the `ssh://` URL: + +```yaml +dependencies: + apm: + - git: ssh://meppiel-microsoft@github.com/acme/standards.git + ref: v1.2.0 + - git: ssh://svc-account@bitbucket.acme.internal:7999/team/libs.git + ref: v1.2.0 +``` + +The user portion is validated against a strict allowlist +(`[a-zA-Z0-9_][a-zA-Z0-9_.+-]*`, max 64 characters) before the SSH URL +is composed. Leading dashes and percent-encoded userinfo are rejected. + +> **Azure DevOps exception:** ADO always requires the literal `git` user +> (`git@ssh.dev.azure.com`). A custom SSH user in an ADO dependency URL +> is ignored and `git` is used regardless. + ## Bitbucket Data Center personal repos Bitbucket Data Center / Server exposes personal repositories under diff --git a/docs/src/content/docs/getting-started/installation.md b/docs/src/content/docs/getting-started/installation.md index df9df8989..8126d8e50 100644 --- a/docs/src/content/docs/getting-started/installation.md +++ b/docs/src/content/docs/getting-started/installation.md @@ -252,6 +252,40 @@ $env:APM_DEBUG = "1" apm install ``` +### apm.exe flagged as a virus or potentially unwanted software (Windows Defender / antivirus) + +If the installer (or `apm self-update`) fails at the `Testing binary...` step with a message like: + +``` +Program 'apm.exe' failed to run: Operation did not complete successfully because +the file contains a virus or potentially unwanted software +``` + +Windows Defender (or another real-time antivirus) is blocking the unsigned PyInstaller binary. HRESULT `0x800700E1` and `0x800704EC` both indicate this class of block. + +**Option 1 -- Add a Defender exclusion (elevated PowerShell):** + +```powershell +# Run as administrator +Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Programs\apm" +``` + +This tells Defender to skip scanning files under the APM install root. Re-run the installer after adding the exclusion. + +**Option 2 -- Install via pip (avoids the binary entirely):** + +```powershell +pip install --user apm-cli +``` + +This installs the pure-Python `apm` command from PyPI instead of the standalone binary. Requires Python 3.10+. + +**Option 3 -- Report a false positive to Microsoft:** + +If you believe this is an incorrect detection, submit `apm.exe` to the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi/filesubmission) as a false positive. Binary signing is tracked as a separate roadmap item. + +> **Note:** This is a distinct error class from the AppLocker / WDAC `Access is denied` block below. The two must not be confused: HRESULT `0x800700E1` is an antivirus block; HRESULT `0x80070005` is an application-control policy block. + ### `Access is denied` running apm.exe on Windows (AppLocker / App Control for Business) If the installer (or `apm self-update`) fails at the `Testing binary...` step with `Access is denied` / HRESULT `0x80070005`, an enterprise application control policy ([AppLocker](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) or [App Control for Business / WDAC](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/)) is blocking execution of `apm.exe` from a user-writable path.