Running Authenticode-signed script under AllSigned fails when script has LF line endings
#3361
Comments
To be clear, this was all when running on Windows.
@SteveL-MSFT @joeyaiello It seems we should definitely fix this in Beta.
It gets better. :/ If the file is UTF8 with no BOM but contains a Unicode character, it also fails.
Followed up with related #3466
If #3466 overlaps the Issue please close the Issue.
Not able to repro this with alpha.18 on Win10 Creators Update. Here I have a simple script. I show it only has a LF. I sign it. Changed executionpolicy. And it successfully ran. I show that the script portion has LF and the signature has CRLF (unfortunately, we can't control this aspect as we're calling a Win32 api to sign the file and there's no options for line endings).
PS C:\Users\slee\test> .\script_lf.ps1
hello
PS C:\Users\slee\test> Format-Hex .\script_lf.ps1
Path: C:\Users\slee\test\script_lf.ps1
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 77 72 69 74 65 2D 68 6F 73 74 20 22 68 65 6C 6C write-host "hell
00000010 6F 22 0A o".
PS C:\Users\slee\test> Set-AuthenticodeSignature -Certificate $cert .\script_lf.ps1
Directory: C:\Users\slee\test
SignerCertificate Status Path
----------------- ------ ----
E761F5ACD89D25CBFED6D07BDD3117E27F9E4538 Valid script_lf.ps1
PS C:\Users\slee\test> Set-ExecutionPolicy AllSigned -Scope CurrentUser
PS C:\Users\slee\test> .\script_lf.ps1
hello
PS C:\Users\slee\test> Get-AuthenticodeSignature .\script_lf.ps1
Directory: C:\Users\slee\test
SignerCertificate Status Path
----------------- ------ ----
E761F5ACD89D25CBFED6D07BDD3117E27F9E4538 Valid script_lf.ps1
PS C:\Users\slee\test> Format-Hex .\script_lf.ps1
Path: C:\Users\slee\test\script_lf.ps1
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 77 72 69 74 65 2D 68 6F 73 74 20 22 68 65 6C 6C write-host "hell
00000010 6F 22 0A 0D 0A 23 20 53 49 47 20 23 20 42 65 67 o"...# SIG # Beg
00000020 69 6E 20 73 69 67 6E 61 74 75 72 65 20 62 6C 6F in signature blo
00000030 63 6B 0D 0A 23 20 4D 49 49 45 4D 77 59 4A 4B 6F ck..# MIIEMwYJKo
00000040 5A 49 68 76 63 4E 41 51 63 43 6F 49 49 45 4A 44 ZIhvcNAQcCoIIEJD
00000050 43 43 42 43 41 43 41 51 45 78 43 7A 41 4A 42 67 CCBCACAQExCzAJBg
00000060 55 72 44 67 4D 43 47 67 55 41 4D 47 6B 47 43 69 UrDgMCGgUAMGkGCi
00000070 73 47 41 51 51 42 0D 0A 23 20 67 6A 63 43 41 51 sGAQQB..# gjcCAQ
Sweet!
@ferventcoder can you confirm it works for you with alpha.18 and we can close this?
.Net Core 2.0 works wonders?
@iSazonov no, alpha.18 doesn't have .NET Core 2.0 yet. It'll be there in the next release.
Related to #1195 / Found with chocolatey/choco#1203
You are likely to see this more now that PowerShell is cross platform. We just had an issue filed about attempting to run scripts with execution policy "AllSigned". Upon researching this, we were able to determine that any scripts that were UTF-8 / CRLF, those would load just fine. However any scripts that were UTF8 / LF, it would error saying 'filename "may have been tampered because the hash of the file does not match the hash stored in the digital signature."'
I have not attempted to check this with the new versions of PowerShell just yet but I did check it against PowerShell v3 and v4 (so far). After talking to @lzybkr and @vors (https://gitter.im/PowerShell/PowerShell?at=58cc405c6d7eb18404dbca07), they said to follow up with an issue as they have not had a report of this anywhere.
Steps to reproduce
FileSignedWithUnixLineEndings.ps1 LF in the script code and CRLF in the authenticode signature (Mixed mode line endings).
Get-AuthenticodeSignature .\FileSignedWithUnixLineEndings.ps1
Set-ExecutionPolicy AllSigned
.\FileSignedWithUnixLineEndings.ps1
Expected behavior
It should run the script as it has not been modified since it was signed.
Actual behavior
It thinks the file has been modified:
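Added example, not part of the original issue and not code from the PowerShell repository: a pre-signing or triage check that reports the two byte-level conditions raised in this thread, LF in the script body with CRLF in the signature block, and UTF-8 without a BOM that contains non-ASCII bytes. The function name `Get-ScriptSigningProfile` and the sample bytes are constructed for illustration.

```powershell
function Get-ScriptSigningProfile {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Latin-1 maps each byte to exactly one char, so nothing is re-encoded
    # and CR/LF bytes can be counted with ordinary string tools.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)

    $hasBom = $Bytes.Length -ge 3 -and
              $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF

    # Split at the marker line that signing appends to the script.
    $sigAt = $text.IndexOf('# SIG # Begin signature block', [System.StringComparison]::Ordinal)
    $body = $text
    $sig  = ''
    if ($sigAt -ge 0) {
        $body = $text.Substring(0, $sigAt)
        $sig  = $text.Substring($sigAt)
        # The hex dump in this thread shows a CRLF written by the signer just
        # before the marker; count it with the signature, not the script body.
        if ($body.EndsWith("`r`n", [System.StringComparison]::Ordinal)) {
            $body = $body.Substring(0, $body.Length - 2)
            $sig  = "`r`n" + $sig
        }
    }

    $bodyLf   = [regex]::Matches($body, '(?<!\r)\n').Count   # LF not preceded by CR
    $bodyCrLf = [regex]::Matches($body, '\r\n').Count
    $sigCrLf  = [regex]::Matches($sig,  '\r\n').Count
    $nonAscii = @($Bytes -ge 0x80).Count -gt 0               # any byte outside 7-bit ASCII

    [pscustomobject]@{
        Signed             = $sigAt -ge 0
        HasUtf8Bom         = $hasBom
        BodyBareLf         = $bodyLf
        BodyCrLf           = $bodyCrLf
        SignatureCrLf      = $sigCrLf
        MixedLineEndings   = ($bodyLf -gt 0) -and (($bodyCrLf + $sigCrLf) -gt 0)
        NonAsciiWithoutBom = $nonAscii -and -not $hasBom
    }
}

# Constructed sample: LF body with one non-ASCII character, no BOM, and a
# placeholder signature block that uses CRLF like the one in the hex dump.
$sample = [System.Text.UTF8Encoding]::new($false).GetBytes(
    "write-host `"h$([char]0xE9)llo`"`n`r`n# SIG # Begin signature block`r`n" +
    "# PLACEHOLDER`r`n# SIG # End signature block`r`n")
Get-ScriptSigningProfile -Bytes $sample
```

For a file on disk, pass `[System.IO.File]::ReadAllBytes($path)` so the check sees the raw bytes rather than decoded text.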