PowerShell sees authenticode hash as changed in scripts that were signed with Unix Line Endings (LF) - unable to use AllSigned #1203

Closed
delurker opened this issue Mar 17, 2017 · 16 comments

Comments

@delurker

What You Are Seeing?

Lots of security hash errors when I install Chocolatey
"because the hash of the file does not match the hash stored in the digital signature"
Fresh install. Chocolatey installs but is not fully functional.

What is Expected?

A fresh functional Chocolatey

How Did You Get This To Happen? (Steps to Reproduce)

Install as per Website:
Admin PowerShell. ExecutionPolicy AllSigned
iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex -Verbose -Debug
Typed [A] for Always run from RealDimensions

Output Log

PS C:\WINDOWS\system32> iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex -Verbose -Debug

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       17/03/2017   2:09 PM                chocInstall
Getting latest version of the Chocolatey package for download.
Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.3.
Downloading 7-Zip commandline tool prior to extraction.
Extracting C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\natha\AppData\Local\Temp\
chocolatey\chocInstall...
Installing chocolatey on this machine
. : File
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Format-FileSize.ps1
cannot be loaded. The contents of file
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Format-FileSize.ps1
might have been changed by an unauthorized user or process, because the hash of the file does not match the hash
stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help
about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Get-Uninsta
llRegistryKey.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools
\chocolateyInstall\helpers\functions\Get-UninstallRegistryKey.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-PowerSh
ellExitCode.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\c
hocolateyInstall\helpers\functions\Set-PowerShellExitCode.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Uninstall-C
hocolateyEnvironmentVariable.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\ch
ocInstall\tools\chocolateyInstall\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 might have been
changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital
signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Write-Funct
ionCallLogMessage.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\t
ools\chocolateyInstall\helpers\functions\Write-FunctionCallLogMessage.ps1 might have been changed by an unauthorized
user or process, because the hash of the file does not match the hash stored in the digital signature. The script
cannot run on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Set-EnvironmentVariable : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:111 char:9
+         Set-EnvironmentVariable -Name $variableName -Value $variableV ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [Set-EnvironmentVariable], Command
   NotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,Set-EnvironmentVariable

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-EnvironmentVa
riable.ps1:64 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Creating ChocolateyInstall as an environment variable (targeting 'Machine')
  Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
  before you can use choco.
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-EnvironmentVa
riable.ps1:64 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Update-SessionEnv
ironment.ps1:48 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Restricting write permissions to Administrators
We are setting up the Chocolatey package repository.
The packages themselves go to 'C:\ProgramData\chocolatey\lib'
  (i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'
  and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.

Creating Chocolatey folders if they do not already exist.

WARNING: You can safely ignore errors related to missing log files when
  upgrading from a version of Chocolatey less than 0.9.9.
  'Batch file could not be found' is also safe to ignore.
  'The system cannot find the file specified' - also safe.
chocolatey.nupkg file not installed in lib.
 Attempting to locate it from bootstrapper.
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Update-SessionEnv
ironment.ps1:48 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

. : File C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1 cannot be loaded. The contents of file
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1 cannot be loaded. The contents of
file C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1 might have been changed by an
unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.
The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1 cannot be loaded. The contents of file
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1 might have been changed by an unauthorized user
or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot
run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 cannot be loaded. The
contents of file C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 might have
been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the
digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1 cannot be loaded. The contents
of file C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1 might have been changed by an
unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.
The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
WARNING: Not setting tab completion: Profile file does not exist at
'C:\Users\natha\OneDrive\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
Chocolatey (choco.exe) is now ready.
You can call choco from anywhere, command line or powershell by typing choco.
Run choco /? for a list of functions.
You may need to shut down and restart powershell and/or consoles
 first prior to using choco.
Ensuring chocolatey commands are on the path
Ensuring chocolatey.nupkg is in the lib folder


PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.953
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.953
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\WINDOWS\system32> [System.Environment]::OSVersion

Platform ServicePack Version      VersionString
-------- ----------- -------      -------------
 Win32NT             10.0.14393.0 Microsoft Windows NT 10.0.14393.0


PS C:\WINDOWS\system32> Get-ExecutionPolicy
AllSigned
PS C:\WINDOWS\system32> Get-ChildItem Cert:\CurrentUser\TrustedPublisher\ | sls RealDimensions

[Subject]
  CN="RealDimensions Software, LLC", O="RealDimensions Software, LLC", L=Topeka, S=Kansas, C=US

[Issuer]
  CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

[Serial Number]
  077466EDA2676F3AEC9217D230537110

[Not Before]
  24/03/2016 11:00:00 AM

[Not After]
  28/03/2017 11:00:00 PM

[Thumbprint]
  C9F7FD1A91F078DB6BFCFCCE28B9749F8F2A0C38


PS C:\WINDOWS\system32> choco upgrade chocolately
Chocolatey v0.10.3
Upgrading the following packages:
chocolately
By upgrading you accept licenses for the packages.
chocolately is not installed. Installing...
chocolately not installed. The package was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but t
he version does not.
 Version: ""
 Source(s): "https://chocolatey.org/api/v2/"

Chocolatey upgraded 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures
 - chocolately - chocolately not installed. The package was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but t
he version does not.
 Version: ""
 Source(s): "https://chocolatey.org/api/v2/"
@ferventcoder
Member

You know, I wonder if this has something to do with packing and unpacking the file. Since it is packaged as a nupkg, when it is unpacked with Choco / NuGet, it probably does something additional during decompression that maybe just simply running 7zip does not (which is done with first install). Give me a little more time to dive in on this.

@ferventcoder
Member

I'm seeing this same issue - currently not yet sure exactly what is causing it. It shows the signature valid when you run Get-AuthenticodeSignature, but for some reason it sees the file as changed. I wonder if there is some limitation in file format.

@ferventcoder
Member

@delurker Okay, I see the problem. It's a bug in PowerShell. The line endings are mixed when the file gets signed. If the PowerShell file had LF line endings like the ones showing issues, it errors saying the hash changed. If the file had CRLF line endings prior to signature, all is well.


@ferventcoder
Member

@delurker I filed PowerShell/PowerShell#3361 after asking the PowerShell folks about this issue.

@ferventcoder
Member

@delurker we are able to move it all over to CRLF, so I will make that adjustment for 0.10.4.

@ferventcoder ferventcoder added this to the 0.10.4 milestone Mar 17, 2017
@ferventcoder
Member

@delurker can I ask what version of POSH you are running?

@ferventcoder ferventcoder changed the title from "Many file hash security errors on fresh install with ExecutionPolicy AllSigned" to "PowerShell sees authenticode hash as changed in scripts that were signed with Unix Line Endings (LF) - unable to use AllSigned" Mar 17, 2017
@delurker
Author

@ferventcoder

PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.953
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.953
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@ferventcoder
Member

@delurker Thanks! Just wanted to validate it is an issue across all versions of PowerShell.

ferventcoder added a commit that referenced this issue Mar 22, 2017
Ensure all PowerShell scripts are CRLF and UTF-8 so that running
Chocolatey with an "AllSigned" execution policy does not result in any
errors. There is a bug in PowerShell that doesn't allow it to verify
scripts that have LF file endings. It adds the block of the Authenticode
signature with CRLF line endings every time, resulting in a mixed EOL
format.

When signing scripts that end in LF, PowerShell will see the signature
as valid, but it will fail running the script with 'filename "may have
been tampered because the hash of the file does not match the hash
stored in the digital signature."' However, the file had not been
changed. This has been determined to be a bug in PowerShell and has
been shown to affect v3 to v5, but likely also to affect v2 and the
upcoming v6.
ferventcoder added a commit that referenced this issue Mar 22, 2017
* stable:
  (GH-1203) Ensure PowerShell uses CRLF
  (GH-1200) Export built-in functions early
  (maint) Update NuGet.Core
  (maint) update scenarios
  (GH-1054) Document requested execution levels
  (GH-1054) Externalize the app.manifest
@ferventcoder
Member

This is fixed for 0.10.4

@ferventcoder
Member

@delurker thanks for reporting that issue. Not only will that help Chocolatey, but it looks like the PowerShell folks are looking to fix the behavior as well!

@luferogo

When do you expect version 0.10.4 to be deployed with https://chocolatey.org/install.ps1? I just tried to install and got the issue mentioned... Thanks!

@ferventcoder
Member

Soon...

@ferventcoder
Member

@luferogo to give you a better answer, we just closed the final known issue for the milestone about 30 minutes ago - https://github.com/chocolatey/choco/issues?q=is%3Aopen+is%3Aissue+milestone%3A0.10.4

You can always get a sense of when a release will occur by going to issues, clicking on Milestones, and selecting the milestone you are interested in. HTH

@ferventcoder
Member

Okay, I'm thinking there is more to this than just line endings. Packing and unpacking the file may have something to do with it as well. Or it could be the UTF8 with no BOM.

@ferventcoder
Member

ferventcoder commented Mar 31, 2017

Wow... so this was fixed for 0.10.4, but then I updated the copyright in #1209, which added a Unicode copyright symbol. And these are UTF8 (w/no BOM). So back to broken again.

If I convert the file to be UTF8 w/BOM, then sign, it works.
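The two pre-signing conditions this thread settles on (LF or mixed line endings, from the commit message above, and non-ASCII text in a UTF-8 file without a BOM, from the comment just above) are easy to audit in a build step before Set-AuthenticodeSignature runs. The script below is an added example, not Chocolatey's own code; the function names Test-SignReadyScript and Invoke-SignAndProbe and the Trusted Publishers assumption in the probe are mine.

```powershell
# Added example (not Chocolatey's own code): audit script files for the two
# pre-signing conditions this issue identifies, optionally normalize them to
# CRLF + UTF-8 with BOM, then sign and probe the result under AllSigned.
function Test-SignReadyScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Fix   # rewrite as CRLF + UTF-8 with BOM when a problem is found
    )
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    # ReadAllText honours a BOM and otherwise assumes UTF-8, so $text never starts with U+FEFF
    $text   = [System.IO.File]::ReadAllText($Path)

    $crlf     = [regex]::Matches($text, '\r\n').Count
    $bareLf   = [regex]::Matches($text, '(?<!\r)\n').Count
    $nonAscii = [regex]::IsMatch($text, '[^\x00-\x7F]')
    $signed   = $text -match '# SIG # Begin signature block'

    $problems = @()
    if ($bareLf -gt 0) {
        $kind = if ($crlf -gt 0) { 'mixed' } else { 'LF-only' }
        $problems += "$kind line endings ($bareLf bare LF, $crlf CRLF)"
    }
    if ($nonAscii -and -not $hasBom) { $problems += 'non-ASCII text in UTF-8 without BOM' }

    $fixed = $false
    if ($Fix -and $problems.Count -gt 0) {
        if ($signed) {
            # Rewriting a signed file changes its hash; the signature has to be redone anyway
            Write-Warning "$Path is already signed; normalizing it invalidates that signature"
        }
        $normalized = $text -replace '\r?\n', "`r`n"
        $utf8Bom    = New-Object System.Text.UTF8Encoding -ArgumentList $true   # $true = emit the BOM
        [System.IO.File]::WriteAllText($Path, $normalized, $utf8Bom)
        $fixed = $true
    }
    [pscustomobject]@{
        Path = $Path; CrLf = $crlf; BareLf = $bareLf; NonAscii = $nonAscii
        HasBom = $hasBom; Signed = $signed; Problems = $problems; Fixed = $fixed
    }
}

function Invoke-SignAndProbe {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $null = Test-SignReadyScript -Path $Path -Fix
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $Certificate -HashAlgorithm SHA256
    # Get-AuthenticodeSignature reports Valid even in the failing case this issue describes,
    # so the real test is loading the file in a fresh process under AllSigned. Dot-sourcing
    # executes the script's top-level code, so only probe files that merely define functions,
    # and have the certificate in Trusted Publishers or the probe reports the publisher prompt.
    $probe = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy AllSigned `
        -Command "try { . '$Path'; 'LOADED' } catch { 'FAILED: ' + `$_.Exception.Message }"
    [pscustomobject]@{
        Path                = $Path
        SignatureStatus     = $sig.Status
        LoadsUnderAllSigned = (($probe -join '') -like 'LOADED*')
        ProbeOutput         = ($probe -join ' ')
    }
}

# Usage: normalize, sign and probe every helper script with the first code-signing cert in the user store
# $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
# Get-ChildItem .\helpers -Recurse -Include *.ps1, *.psm1 |
#     ForEach-Object { Invoke-SignAndProbe -Path $_.FullName -Certificate $cert }
```

A file that fails the probe with "hash of the file does not match" after normalization points at something other than line endings or the BOM, which is the situation the follow-up issue below was opened for.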

@ferventcoder
Member

ferventcoder commented Mar 31, 2017

I filed a followup with #1225
