MSI PowerShell installers should be Microsoft signed

[mateialexandru]

Steps to reproduce

1. Follow install instructions from Installing PowerShell on Windows
2. This will take you to PowerShell latest release page on Github
3. Download the MSI x64 version
4. Try launching the MSI and install PowerShell

Expected behavior

MSI installer shows and you get to install and run PowerShell.

Actual behavior

Windows Defender SmartScreen prevents installation because the MSI installer is not Microsoft signed ⁉

Environment data

OS: Microsoft Windows [Version 10.0.19042.746]

[daxian-dbw]

@TravisEz13 and @adityapatwardhan can you please a look? I cannot repro this locally and my OS version is 10.0.19042.928.

[iSazonov]

Perhaps root certificates is not updated on the system.

[mateialexandru]

@iSazonov I don't believe that is the problem. Looking at the MSI itself, I don't see a digital signature in File-Properties

I think someone updated the binaries in the past days and fixed the issue 😉:

The latest download link for x64 7.1.3 PowerShell MSI works as expected and has a digital signature attached.

With this update, I think it is safe to close the issue.

[TravisEz13]

@mateialexandru I don't think the binaries were updated. They are published by an automated process. If it happens again, please run Get-FileHash against the file so we can check for the origin of the file. Or better you, please do if you still have the two files.

Our practice if an error of the kind you suggest did happen, is that we leave the hash of both files up and I only see one has in the release: https://github.com/PowerShell/PowerShell/releases/tag/v7.1.3

There are 3 distinct possibilities:

1. You got a version of the file from before we signed it.
2. Your file was corrupted.
3. something was wrong with the root CAs on your system

All 3 possibilities can be distinguished by the hashes of both files.

1. The first file will match the hash of the file before we signed it.
   • I think you can take the signed file remove the signature and get to this state, but that is unlikely.
2. The first file will not match the signature of either our signed or unsigned MSI.
3. Both your files will have the same hash, matching our signed file

GitHub

Release v7.1.3 Release of PowerShell · PowerShell/PowerShell

7.1.3 - 2021-03-11 Engine Updates and Fixes

Remove the 32K character limit on the environment block for Start-Process (#14111)
Fix webcmdlets to properly construct URI from body when using -NoProx...