zip and msi content digital signature of release 6.0.0 #5898

Closed
p0w3rsh3ll opened this Issue Jan 13, 2018 · 3 comments


p0w3rsh3ll commented Jan 13, 2018

There's already an open issue for the content of the zip package #3753, but I want to mention that the zip packages (x86 and x64) as well as the content of the msi packages (x64 at least, that I tested) contain unsigned dll files.

Steps to reproduce

#region x64 zip
Invoke-WebRequest -Uri 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0/PowerShell-6.0.0-win-x64.zip' -OutFile ~/Downloads/PowerShell-6.0.0-win-x64.zip

(Get-FileHash -Path ~/Downloads/PowerShell-6.0.0-win-x64.zip -Algorithm SHA256).Hash -eq 'FE6C17E9829FFD0503917A1A4ACC3E75A203A80B28E2D9EFFDD7F0AB576F7D5D'

Expand-Archive -Path  ~/Downloads/PowerShell-6.0.0-win-x64.zip -DestinationPath ~/Downloads/PowerShell-6.0.0-win-x64

Get-AuthenticodeSignature -FilePath ~/Downloads/PowerShell-6.0.0-win-x64/* | Where Status -eq 'NotSigned'
#endregion

#region x86 zip
Invoke-WebRequest -Uri 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0/PowerShell-6.0.0-win-x86.zip' -OutFile ~/Downloads/PowerShell-6.0.0-win-x86.zip

(Get-FileHash -Path ~/Downloads/PowerShell-6.0.0-win-x86.zip -Algorithm SHA256).Hash -eq '8E32785547FDD90412FA3A8FA4703D272933999F3D29CAE9FEDA19119B3A2D46'

Expand-Archive -Path ~/Downloads/PowerShell-6.0.0-win-x86.zip -DestinationPath ~/Downloads/PowerShell-6.0.0-win-x86

Get-AuthenticodeSignature -FilePath ~/Downloads/PowerShell-6.0.0-win-x86/* | Where Status -eq 'NotSigned'

#endregion

#region x64 msi
Invoke-WebRequest -Uri 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0/PowerShell-6.0.0-win-x64.msi'  -OutFile ~/Downloads/PowerShell-6.0.0-win-x64.msi

(Get-FileHash -Path ~/Downloads/PowerShell-6.0.0-win-x64.msi -Algorithm SHA256).Hash -eq 'A1155D0F9D697B3EBF51C03D328886F9000709C1C4688DA42FF9C234AF02A63F'

Get-AuthenticodeSignature -FilePath ~/Downloads/PowerShell-6.0.0-win-x64.msi

msiexec.exe /i  ~/Downloads/PowerShell-6.0.0-win-x64.msi

$null -ne @(Get-AuthenticodeSignature -FilePath "C:\Program Files\PowerShell\6.0.0\*" | Where Status -eq 'NotSigned')
#endregion

Expected behavior

$null -eq @(Get-AuthenticodeSignature -FilePath "C:\Program Files\PowerShell\6.0.0\*" | `
Where Status -eq 'NotSigned')

Actual behavior

$null -ne @(Get-AuthenticodeSignature -FilePath "C:\Program Files\PowerShell\6.0.0\*" | `
Where Status -eq 'NotSigned')

Environment data

> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.0.0
PSEdition                      Core
GitCommitId                    v6.0.0
OS                             Microsoft Windows 10.0.16299
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

@iSazonov iSazonov added the Area-Build label Jan 13, 2018


iSazonov Jan 13, 2018

Collaborator

daxian-dbw Jan 16, 2018

Member

We sign all the PowerShell assemblies and scripts (including .ps1xml files). The .NET Core assemblies are not produced by PowerShell, and thus we don't sign them. /cc @TravisEz13

Some .NET Core assemblies are not signed by their owners:

[F:\tmp\PowerShell-6.0.0-win-x64]
PS:48> Get-AuthenticodeSignature * | Where Status -eq 'NotSigned' | select -Property Status, Path

   Status Path
   ------ ----
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.CodeAnalysis.CSharp.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.CodeAnalysis.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.CSharp.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.PowerShell.PSReadLine.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.PowerShell.SDK.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Microsoft.Win32.Registry.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\Newtonsoft.Json.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Collections.Concurrent.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Collections.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Collections.Specialized.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Console.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Diagnostics.FileVersionIn...
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Diagnostics.Process.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.IO.FileSystem.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.IO.Pipes.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Linq.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Linq.Expressions.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Private.Uri.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Runtime.Extensions.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Security.AccessControl.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Security.Principal.Window...
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Text.Encoding.CodePages.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Threading.dll
NotSigned F:\tmp\PowerShell-6.0.0-win-x64\System.Threading.Tasks.Parallel.dll

Just to clarify

  • the Microsoft.PowerShell.PSReadLine.dll is a third-party assembly, and thus we don't sign it.
  • the Microsoft.PowerShell.SDK.dll is a build artifact and it's empty, and thus we don't sign it.

TravisEz13 Jan 16, 2018

Member

Our current process is set up to ensure that PowerShell does not sign any file that is not built by PowerShell. Except for the following two files, it would be difficult for us to start signing most of these files.

These two files we don't sign for special reasons:

  • the Microsoft.PowerShell.PSReadLine.dll is a third-party assembly, and thus we don't sign it and will be removed from our repo in the future.
  • the Microsoft.PowerShell.SDK.dll is a build artifact and it's empty, and thus we don't sign it and hopefully will be removed from the build when the bug that causes it is fixed.
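
An added example, not code from this issue or from the PowerShell project: one way a consumer of the release can turn the checks in this thread into a repeatable audit that accepts the documented unsigned files but flags anything new. The function name `Test-ReleaseSignature`, its parameters and the verdict labels are assumptions; it goes beyond the thread's commands by recursing into subfolders and by separating `NotSigned` from signatures that are present but fail validation.

```powershell
# Added example: names below are hypothetical, not part of the PowerShell repo.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $Destination,
        # File names already reviewed and accepted as unsigned (third-party assemblies)
        [string[]] $UnsignedBaseline = @()
    )
    # 1. Refuse to unpack an archive whose hash differs from the published value.
    $actual = (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch for ${ArchivePath}: got $actual"
    }
    Expand-Archive -LiteralPath $ArchivePath -DestinationPath $Destination -Force

    # 2. Check every signable file, including subfolders such as Modules.
    $signable = '.dll', '.exe', '.ps1', '.psm1', '.psd1', '.ps1xml'
    $results = Get-ChildItem -LiteralPath $Destination -Recurse -File |
        Where-Object { $signable -contains $_.Extension } |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName }

    # 3. Classify. NotSigned is tolerated only for baseline names; any other
    #    non-Valid status (HashMismatch, NotTrusted, ...) is a signature that failed.
    foreach ($sig in $results) {
        $name = Split-Path -Path $sig.Path -Leaf
        $verdict = switch ([string]$sig.Status) {
            'Valid'     { 'OK' }
            'NotSigned' { if ($UnsignedBaseline -contains $name) { 'KnownUnsigned' } else { 'NewUnsigned' } }
            default     { 'Failed' }
        }
        [pscustomobject]@{
            Verdict = $verdict
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject
            File    = $name
        }
    }
}

# Hash and paths from the issue; the baseline is a two-name sample from the listing above.
$report = Test-ReleaseSignature -ArchivePath "$HOME/Downloads/PowerShell-6.0.0-win-x64.zip" `
    -ExpectedSha256 'FE6C17E9829FFD0503917A1A4ACC3E75A203A80B28E2D9EFFDD7F0AB576F7D5D' `
    -Destination "$HOME/Downloads/PowerShell-6.0.0-win-x64" `
    -UnsignedBaseline 'Newtonsoft.Json.dll', 'Microsoft.PowerShell.PSReadLine.dll'
$report | Group-Object Verdict | Select-Object Name, Count
$report | Where-Object Verdict -in 'NewUnsigned', 'Failed'
```

The `Signer` column shows which publisher signed each valid file, which is how the PowerShell-built files can be told apart from .NET Core assemblies signed by their own owners.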