Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What are catalogs, and why should I care? #215

Closed
Jaykul opened this issue Sep 26, 2016 · 3 comments
Closed

What are catalogs, and why should I care? #215

Jaykul opened this issue Sep 26, 2016 · 3 comments

Comments

@Jaykul
Copy link

@Jaykul Jaykul commented Sep 26, 2016

I recently tried to update the Pester module because the one on my computer was reporting as version 3.4.0 and Find-Module reported one versioned 3.4.3 ... but upon running Update-Module I was greeted with a series of incredibly unhelpful error messages:

First;

update-module Pester
update-module : Module 'Pester' was not installed by using Install-Module, 
so it cannot be updated.
At line:1 char:1
+ update-module Pester
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: 
        (Pester:String) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : ModuleNotInstalledUsingInstallModuleCmdlet,Update-Module 

I remember this error from the pre-releases of Windows 10, but I thought the team had solved it by shipping the manifests? Regardless, I remember the correct but undocumented incantation to bypass it:

Install-Module Pester -Force
PackageManagement\Install-Package : The version '3.4.3' of the module 'Pester' being 
installed is not catalog signed. Ensure that the version '3.4.3' of the module 'Pester' has
the catalog file 'Pester.cat' and signed with the same publisher 'CN=Microsoft 
Development Root Certificate Authority 2014, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US' as the previously-installed module '3.4.3' with version '3.4.0' 
under the directory 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0'. 
If you still want to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1661 
char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: 
        (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : ModuleIsNotCatalogSigned, Validate-ModuleAuthenticodeSignature,
        Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Now I have many questions.

  1. What is the catalog? (is it this)
  2. How is it signed?
  3. Why is code-signing not enough?
  4. Should the rest of us be doing this?
  5. How would we do it?
  6. Why is the upgrade release not catalog signed?
  7. Does this mean I should not trust the upgrade?
    1. If so, how and why did it get published?
    2. If not, why is PackageManagement warning me about it!!!!!?
  8. Why was this additional check introduced without fanfare?
  9. How on earth was it introduced (since PowerShellGet is still version 1.0.0.1)?
  10. Why can't I Update this module or ANY module with a catalog file. This is ridiculous.
  11. If you're going to continue down the path of pretending these modules cannot be updated, can we please give instructions for Install-Module -Force -SkipUpdateCheck in the error message when you refuse to update them?
  12. Why do I need multiple flags to bypass all this insanity?
  13. How is anyone supposed to figure this out?
@Jaykul

This comment has been minimized.

Copy link
Author

@Jaykul Jaykul commented Sep 26, 2016

Follow up: I've determined these are, in fact just catalog files generated by the completely undocumented New-FileCatalog command and signed (using Set-AuthenticodeSignature).

Now more than ever I'm curious why this install-time only feature was implemented, when it's so easy to bypass, but just forces you to run the command again with another switch. I already had to go through:

  1. Update-Module Pester
  2. Install-Module Pester
  3. Install-Module Pester -Force

This is starting to feel like the result of a perverse desire to force people to jump through hoops.

@citelao

This comment has been minimized.

Copy link

@citelao citelao commented Oct 5, 2016

Maybe ask the PowerShellGet community (https://github.com/PowerShell/PowerShellGet)? They're the ones who maintain the Update-Module commands (get-command -Module PowerShellGet)

@Jaykul

This comment has been minimized.

Copy link
Author

@Jaykul Jaykul commented Oct 6, 2016

Well, the error was thrown from Install-Package, and the error string was in this repo, and that repo literally didn't exist at the time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.