PowerShell sees authenticode hash as changed in scripts that were signed with Unix Line Endings (LF) - unable to use AllSigned
#1203
Comments
You know, I wonder if this has something to do with packing and unpacking the file. Since it is packaged as a nupkg, when it is unpacked with Choco / NuGet, it probably does something additional during decompression that maybe just simply running 7zip does not (which is done with first install). Give me a little more time to dive in on this.
I'm seeing this same issue - currently not yet sure exactly what is causing it. It shows the signature valid when you run Get-AuthenticodeSignature, but for some reason it sees the file as changed. I wonder if there is some limitation in file format.
@delurker Okay, I see the problem. It's a bug in PowerShell. The line endings are mixed when the file gets signed. If the PowerShell file had
@delurker I filed PowerShell/PowerShell#3361 after asking the PowerShell folks about this issue.
@delurker we are able to move it all over to CRLF, so I will make that adjustment for 0.10.4.
@delurker can I ask what version of POSH you are running?
PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.953
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.953
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@delurker Thanks! Just wanted to validate it is an issue across all versions of PowerShell.
Ensure all PowerShell scripts are CRLF and UTF-8 so that running Chocolatey with an "AllSigned" execution policy does not result in any errors. There is a bug in PowerShell that doesn't allow it to verify scripts that have LF file endings. It adds the block of the Authenticode signature with CRLF line endings every time, resulting in a mixed EOL format. When signing scripts that end in LF, PowerShell will see the signature as valid, but it will fail running the script with 'filename "may have been tampered because the hash of the file does not match the hash stored in the digital signature."' However the file had not been changed. This has been determined to be a bug in PowerShell and has been shown to affect v3 to v5, but likely also to affect v2 and the upcoming v6.
This is fixed for 0.10.4
@delurker thanks for reporting that issue. Not only will that help Chocolatey, but it looks like the PowerShell folks are looking to fix the behavior as well!
When do you expect version 0.10.4 to be deployed with https://chocolatey.org/install.ps1? I just tried to install and got the issue mentioned... Thanks!
Soon...
@luferogo to give you a better answer, we just closed the final known issue for the milestone about 30 minutes ago - https://github.com/chocolatey/choco/issues?q=is%3Aopen+is%3Aissue+milestone%3A0.10.4 You can always get a sense of when a release will occur by going to issues, clicking on Milestones, and selecting the milestone you are interested in. HTH
Okay, I'm thinking there is more to this than just line endings. Packing and unpacking the file may have something to do with this as well. Or it could be the UTF-8 with no BOM.
Wow... so this was fixed for 0.10.4, but then I updated the copyright in #1209, which added a Unicode copyright symbol. And these are UTF-8 (with no BOM). So back to broken again. If I convert the file to UTF-8 with BOM and then sign, it works.
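The two failure conditions described in this thread (the "CRLF and UTF-8" fix note above, and the later finding that a non-ASCII copyright symbol in a BOM-less UTF-8 file breaks verification again) can be checked for before a script is signed. The following is an added example, not Chocolatey's code or anything from the linked PowerShell issue; the function names, the `.\install.ps1` path and the `$cert` variable are assumptions for illustration.

```powershell
# Added example, not Chocolatey's code. Inspects a .ps1 before signing for the two
# conditions this thread identifies as breaking AllSigned verification: bare-LF or
# mixed line endings, and non-ASCII content in UTF-8 without a BOM.
function Test-ScriptSigningReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # The UTF-8 BOM is the byte sequence EF BB BF
    $hasBom = ($bytes.Length -ge 3) -and ($bytes[0] -eq 0xEF) -and ($bytes[1] -eq 0xBB) -and ($bytes[2] -eq 0xBF)

    # Walk the raw bytes (skipping the BOM): count CRLF pairs, bare LFs, and bytes above 0x7F
    $start = if ($hasBom) { 3 } else { 0 }
    $crlf = 0; $bareLf = 0; $nonAscii = 0
    for ($i = $start; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -gt 0x7F) { $nonAscii++ }
        if ($bytes[$i] -ne 0x0A) { continue }
        if ($i -gt 0 -and $bytes[$i - 1] -eq 0x0D) { $crlf++ } else { $bareLf++ }
    }

    [pscustomobject]@{
        Path          = $Path
        HasUtf8Bom    = $hasBom
        CrLfCount     = $crlf
        BareLfCount   = $bareLf
        MixedEndings  = ($crlf -gt 0 -and $bareLf -gt 0)
        NonAsciiBytes = $nonAscii
        # Ready only when every line ends in CRLF and, if the file carries non-ASCII
        # bytes (the copyright symbol case from this thread), a BOM is present
        ReadyToSign   = ($bareLf -eq 0) -and ($hasBom -or $nonAscii -eq 0)
    }
}

# Rewrites a script as CRLF with a UTF-8 BOM, the layout the maintainers settled on.
# Run this before Set-AuthenticodeSignature, never on an already-signed file:
# any change to the content invalidates the existing signature.
function ConvertTo-SignableScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # ReadAllText honours an existing BOM and defaults to UTF-8 when there is none
    $text = [System.IO.File]::ReadAllText($Path)

    # Collapse every ending to LF first, then expand to CRLF, so existing CRLF is not doubled
    $normalised = ($text -replace "`r`n", "`n") -replace "`n", "`r`n"

    # UTF8Encoding($true) emits the BOM; WriteAllText overwrites the file in place
    $utf8WithBom = New-Object System.Text.UTF8Encoding($true)
    [System.IO.File]::WriteAllText($Path, $normalised, $utf8WithBom)
}

# Usage against an assumed local copy at .\install.ps1 ($cert is a placeholder for a
# code-signing certificate object):
#   Test-ScriptSigningReadiness -Path .\install.ps1
#   ConvertTo-SignableScript -Path .\install.ps1
#   Set-AuthenticodeSignature -FilePath .\install.ps1 -Certificate $cert
#   Get-AuthenticodeSignature -FilePath .\install.ps1 | Select-Object Status, StatusMessage
```

Running the readiness check both before signing and again on the signed output is the useful habit here: per the thread, the appended signature block is written with CRLF regardless of the rest of the file, so a script that still reports bare LFs after signing is exactly the mixed-EOL case that verifies as `Valid` yet fails the hash check at run time under AllSigned.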
I filed a followup with #1225
What You Are Seeing?
Lots of security hash errors when I Install Chocolatey
"because the hash of the file does not match the hash stored in the digital signature"
Fresh install. Chocolatey installs but is not fully functional.
What is Expected?
A fresh functional Chocolatey
How Did You Get This To Happen? (Steps to Reproduce)
Install as per Website:
Admin Powershell. ExecutionPolicy AllSigned
iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex -Verbose -Debug
Typed [A] for Always run from RealDimensions
Output Log