FileSignatureInfo.GetFromFileStream fails for .ps1 files when ran from Windows Service under gMSA account

[ysiivan]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest released version
• Search the existing issues.
• Refer to the FAQ.
• Refer to Differences between Windows PowerShell 5.1 and PowerShell.

Steps to reproduce

Execute FileSignatureInfo.GetFromFileStream on a signed .ps1 file from a Windows service (.NET Framework 4.8, compiled with "Prefer 32-bit") running under a gMSA account. This works for .exe and .dll files. It also works for .ps1 too if the service is running under a "normal" (non gMSA) account.

The NuGet Microsoft.Security.Extensions package's listed website goes to Get-AuthenticodeSignature hence opening a ticket here.
For reference - same is observed when calling Get-AuthenticodeSignature from the same service using PowerShellStandard.Library.
Not a surprise, since:

PowerShell/src/System.Management.Automation/security/Authenticode.cs

Line 323 in 85fcb72

fileSigInfo = FileSignatureInfo.GetFromFileStream(fileStream);

Expected behavior

FileSignatureInfo.GetFromFileStream and Get-AuthenticodeSignature should correctly work for .ps1 files when called from a Windows service running under a gMSA account

Actual behavior

FileSignatureInfo.GetFromFileStream and Get-AuthenticodeSignature  do not work correctly for .ps1 files when called from a Windows service running under a gMSA account

Error details

Neither FileSignatureInfo.GetFromFileStream nor Get-AuthenticodeSignature throw errors. They just fail to read the signature.

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

No response

[rhubarb-geek-nz]

PowerShell 7 (aka PowerShell Core) uses the Windows native APIs (crypt32.dll, advap32.dll etc) to perform cryptographic operations.

Eg see nativeMethods.cs

If you are using the PowerShellStandardLibrary or a .NET 4.8 application this should not be related to PowerShell 7.

How is PowerShell 7 related to your problem?

[ysiivan]

FileSignatureInfo.GetFromFileStream is in the current code and the package Microsoft.Security.Extensions is listed as being used by it. See Authenticode.cs

[rhubarb-geek-nz]

The code you mention is implemented in the NuGet package you describe.

using (var fs = System.IO.File.OpenRead("foo.ps1"))
{
    var foo = Microsoft.Security.Extensions.FileSignatureInfo.GetFromFileStream(fs);
}

Is PowerShell responsible for the API failing, or is it that you are trying to use it with a gMSA account in a service?

Does the error stop the PowerShell SDK from being able to be used in that environment?

[jborean93]

Unfortunately the Microsoft.Security.Extensions nuget package is a very thin wrapper over an unmanaged dll included inside the nuget so it is hard to see what exactly it is doing. It does ultimately wrap some Windows APIs but this wrapper itself uses some undocumented ones and I believe this nuget was made to work around some compliance problems when using undocumented Windows APIs.

There is no public repo for the code that I know off and the pwsh team did create the nuget or at least are the main users of it so this place is probably the best you can do to get an answer.

What is the exact return value you get back when calling this? Does your .ps1 contain non-ASCII characters in the script (codepoints above 0x7F)? Can your gMSA access the script itself and read it?

[ysiivan]

There is no public repo for the code that I know off and the pwsh team did create the nuget or at least are the main users of it so this place is probably the best you can do to get an answer.

This was my line of thought exactly.

At this time, I believe what I observed might have been due to certificate propagation issues and timing. Closing.

[microsoft-github-policy-service]

📣 Hey @ysiivan, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

Microsoft Forms