v2024.2.0: PowerShell Terminal Fails to Load Due to PSES change to non-Windows-trusted Certificate

[cyrkin]

Prerequisites

• I have written a descriptive issue title.
• I have searched all open and closed issues to ensure it has not already been reported.
• I have read the troubleshooting guide.
• I am sure this issue is with the extension itself and does not reproduce in a standalone PowerShell instance.
• I have verified that I am using the latest version of Visual Studio Code and the PowerShell extension.
• If this is a security issue, I have read the security issue reporting guidance.

Summary

Hello,
Since the extension updated itself to V 2024.2.0, I can't use the integrated Powershell terminal of my VS Code anymore, it won't load.
My ExecutionPolicy is set by GPO to AllSigned : it has always been like that, it worked like that, and it's not planned to change.
It's like the code in PSReadLine.format.ps1xml is now signed using an unapproved certificate on my side, or it tries desperately to force the ExecutionPolicy to change, which it did not do before.

When I finally kill the terminal, here's the output :

[Error - 8:47:47 AM] Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost: Unable to load PSReadLine. Will fall back to legacy readline implementation. - System.Management.Automation.CmdletInvocationException: Des erreurs se sont produites lors du chargement du fichier de données de format : 
C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml, , C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml : le fichier a été ignoré en raison de l’exception de validation suivante : Impossible de charger le fichier C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml. Une chaîne de certificats a été traitée mais s’est terminée par un certificat racine qui n’est pas approuvé par le fournisseur d’approbation..
 ---> System.Management.Automation.RuntimeException: Des erreurs se sont produites lors du chargement du fichier de données de format : 
C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml, , C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml : le fichier a été ignoré en raison de l’exception de validation suivante : Impossible de charger le fichier C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml. Une chaîne de certificats a été traitée mais s’est terminée par un certificat racine qui n’est pas approuvé par le fournisseur d’approbation..

   à System.Management.Automation.Runspaces.InitialSessionState.ThrowTypeOrFormatErrors(String resourceString, String errorMsg, String errorId)
   à System.Management.Automation.Runspaces.InitialSessionState.UpdateFormats(ExecutionContext context, Boolean update)
   à System.Management.Automation.Runspaces.InitialSessionState.Bind_UpdateFormats(ExecutionContext context, Boolean updateOnly)
   à System.Management.Automation.Runspaces.InitialSessionState.Bind(ExecutionContext context, Boolean updateOnly, PSModuleInfo module, Boolean noClobber, Boolean local)
   à System.Management.Automation.Runspaces.InitialSessionState.Bind(ExecutionContext context, Boolean updateOnly)
   à Microsoft.PowerShell.Commands.ModuleCmdletBase.LoadModuleManifest(String moduleManifestPath, ExternalScriptInfo manifestScriptInfo, Hashtable data, Hashtable localizedData, ManifestProcessingFlags manifestProcessingFlags, Version minimumVersion, Version maximumVersion, Version requiredVersion, Nullable`1 requiredModuleGuid, ImportModuleOptions& options, Boolean& containedErrors)
   --- Fin de la trace de la pile d'exception interne ---
   à System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   à System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   à System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   à System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   à System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   à System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.InvokeAndClear(PowerShell pwsh, PSInvocationSettings invocationSettings)
   à Microsoft.PowerShell.EditorServices.Services.PowerShell.Console.PSReadLineProxy.LoadAndCreate(ILoggerFactory loggerFactory, String bundledModulePath, PowerShell pwsh)
   à Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost.TryLoadPSReadLine(PowerShell pwsh, EngineIntrinsics engineIntrinsics, IReadLine& psrlReadLine) | 
[Error - 8:47:47 AM] Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost: Error occurred calling 'Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force' - System.Management.Automation.CmdletInvocationException: Windows PowerShell a correctement mis à jour votre stratégie d’exécution, mais ce paramétrage est remplacé par une stratégie définie dans un contexte plus spécifique. Votre environnement va donc conserver sa stratégie d’exécution actuelle, AllSigned. Tapez « Get-ExecutionPolicy -List » pour afficher les paramètres de stratégie d’exécution. Pour plus d’informations, voir « Get-Help Set-ExecutionPolicy ». ---> System.Security.SecurityException: Erreur de sécurité.
   à System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
   --- Fin de la trace de la pile d'exception interne ---
   à System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   à System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   à System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   à System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   à System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   à System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.InvokeAndClear(PowerShell pwsh, PSInvocationSettings invocationSettings)
   à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.SetCorrectExecutionPolicy(PowerShell pwsh, ILogger logger) | Policy='Unrestricted'
[Warn  - 8:52:46 AM] OmniSharp.Extensions.LanguageServer.Server.LspServerOutputFilter: Tried to send request or notification before initialization was completed and will be sent later OmniSharp.Extensions.JsonRpc.RequestCancelled | @Request='OmniSharp.Extensions.JsonRpc.RequestCancelled'
[Error - 10:48:27 AM] Server initialization failed.
  Message: Pending response rejected since connection got disposed
  Code: -32097 
[Error - 10:48:27 AM] Connection to PowerShell Editor Services (the Extension Terminal) was closed. See below prompt to restart!
[Error - 10:48:27 AM] PowerShell Editor Services Client client: couldn't create connection to server.
  Message: Pending response rejected since connection got disposed
  Code: -32097

I rolled back to version 2024.0.0 and it works again.

PowerShell Version

Name                           Value
----                           -----
PSVersion                      5.1.19041.4170
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.4170
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Name             : ConsoleHost
Version          : 5.1.19041.4170
InstanceId       : 86e284ae-6000-426e-aa83-129c82a8b98b
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : fr-FR
CurrentUICulture : fr-FR
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

Visual Studio Code Version

1.88.1
e170252f762678dec6ca2cc69aba1570769a5d39
x64

Extension Version

ms-vscode.powershell@2024.2.0

Steps to Reproduce

1. Open VS Code and wait for the Integrated Powershell Terminal to load and wait for prompt
2. It never happens and stays like

PowerShell Extension v2024.2.0
Copyright (c) Microsoft Corporation.

https://aka.ms/vscode-powershell
Type 'help' to get help.

3. Kill the terminal to see the output

Visuals

No response

Logs

No response

[SebCT]

Since 2024.2.0 some components (DLLs and PS1/PSM1/PSD1) of the module are signed with a untrusted certificate/CA called "ameroot" - here is the output with sigcheck from Sysinternals, also affects AppLocker if you use application allowlisting:

Signers: Microsoft Azure Code Sign
Cert Status: The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Valid Usage: 1.3.6.1.4.1.311.91.1.1, Code Signing
Cert Issuer: AME CS CA 01
Serial Number: 36 00 00 01 DF 73 81 97 16 BE 32 FD 0D 00 02 00 00 01 DF
Thumbprint: 1226440E939A24EB202C2A517CE13F8326EFDE60
Algorithm: sha256RSA
Valid from: 03:33 20.01.2024
Valid to: 03:33 19.01.2025
AME CS CA 01
Cert Status: The certificate or certificate chain is based on an untrusted root., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Valid Usage: KDC Auth, Server Auth, Client Auth, Enrollment Agent, 1.3.6.1.4.1.311.21.6, Document Signing, 1.3.6.1.4.1.311.21.6, OCSP Signing, IPSEC IKE Intermediate, DNS Server, EFS Recovery, EFS, Private Key Archival, Smartcard Logon, 1.3.6.1.4.1.311.20.2.3, Code Signing, 1.3.6.1.4.1.311.91.1.1, 1.3.6.1.4.1.311.91.2.1, 1.3.6.1.4.1.311.91.3.1, 1.3.6.1.4.1.311.91.5.1, 1.3.6.1.4.1.311.91.4.1, 1.3.6.1.4.1.311.91.4.2
Cert Issuer: ameroot
Serial Number: 1F 00 00 00 51 EA 8F F6 9C 73 0C A8 3B 00 00 00 00 00 51
Thumbprint: E3981E455AAFF0C851FF1D3C4EF41EE6A4C087F5
Algorithm: sha256RSA
Valid from: 20:44 21.05.2021
Valid to: 20:54 21.05.2026
ameroot
Cert Status: The certificate or certificate chain is based on an untrusted root.
Valid Usage: All
Cert Issuer: ameroot
Serial Number: 25 DA CB 55 C9 C6 77 81 40 9E 56 94 82 DE 4D FE
Thumbprint: 413E8AAC6049924B178BA636CBAF3963CCB963CD
Algorithm: sha256RSA
Valid from: 00:52 25.05.2016
Valid to: 00:57 25.05.2026

Please MS fix this asap and sign this components with a trusted root CA - workaround is now to revert to V2024.0.0 - even the newer prerelease version has the problem with untrusted CA

[andyleejordan]

No certificates are trusted on your machine by default. They are signed with updated certificates, you will need to trust those when running AllSigned.

[andyleejordan]

See more info here: #3741 (comment)

[github-actions]

This issue has been labeled as resolved, please verify the provided fix (or other reason).

[SebCT]

No certificates are trusted on your machine by default. They are signed with updated certificates, you will need to trust those when running AllSigned.

That's not true - there is a list of Trusted root certificates which gets updated by Microsoft and Windows does download them automatically.

That Root certificate ameroot is not an official root certificate - so you have problems with AppLocker.

Issue is not resolved.

[cyrkin]

No certificates are trusted on your machine by default. They are signed with updated certificates, you will need to trust those when running AllSigned.

That's not true - there is a list of Trusted root certificates which gets updated by Microsoft and Windows does download them automatically.

That Root certificate ameroot is not an official root certificate - so you have problems with AppLocker.

Issue is not resolved.

Couldn't agree more.

[github-actions]

This issue has been labeled as resolved, please verify the provided fix (or other reason).

[SebCT]

This issue has been labeled as resolved, please verify the provided fix (or other reason).

Not resolved yet