Running Authenticode-signed script under AllSigned fails when script has LF line endings #3361

@ferventcoder

Description

Related to #1195 / Found with chocolatey/choco#1203

You are likely to see this more now that PowerShell is cross platform. We just had an issue filed about attempting to run scripts with execution policy "AllSigned". Upon researching this, we were able to determine that any scripts that were UTF-8 / CRLF would load just fine. However, any scripts that were UTF-8 / LF would error saying 'filename "may have been tampered because the hash of the file does not match the hash stored in the digital signature."'

I have not attempted to check this with the new versions of PowerShell just yet, but I did check it against PowerShell v3 and v4 (so far). After talking to @lzybkr and @vors (https://gitter.im/PowerShell/PowerShell?at=58cc405c6d7eb18404dbca07), they said to follow up with an issue as they have not had a report of this anywhere.

Steps to reproduce

  1. Create a script with LF line endings. Save it as FileSignedWithUnixLineEndings.ps1
  2. Authenticode sign the script.
  3. Open the script and note that it now has LF in the script code and CRLF in the Authenticode signature (mixed mode line endings).
  4. Check to be sure the signature is valid: Get-AuthenticodeSignature .\FileSignedWithUnixLineEndings.ps1
  5. Change execution policy to all signed: Set-ExecutionPolicy AllSigned
  6. Attempt to run the script: .\FileSignedWithUnixLineEndings.ps1

Expected behavior

It should run the script as it has not been modified since it was signed.

Actual behavior

It thinks the file has been modified:

.\FileSignedWithUnixLineEndings.ps1 : File FileSignedWithUnixLineEndings.ps1 cannot be 
loaded. The contents of file FileSignedWithUnixLineEndings.ps1 may have been tampered 
because the hash of the file does not match the hash stored in the digital signature. The 
script will not execute on the system. Please see "get-help about_signing" for more 
details..
At line:1 char:1
+ .\FileSignedWithUnixLineEndings.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
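
Added example, not part of the original issue or PowerShell's own code: a pre-signing check built on the report's observation that UTF-8 / CRLF scripts load while UTF-8 / LF scripts fail. The function names are hypothetical, and the byte-level scan assumes UTF-8 or ASCII script files.

```powershell
# Added example. Function names are hypothetical; assumes UTF-8 or ASCII script files.
function Get-LineEndingProfile {
    param([Parameter(Mandatory)][string]$Path)
    # Read raw bytes so no text decoder touches the line endings.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $crlf = 0; $bareLf = 0; $bareCr = 0
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $next = if ($i + 1 -lt $bytes.Length) { $bytes[$i + 1] } else { -1 }
        if ($bytes[$i] -eq 0x0D) {
            if ($next -eq 0x0A) { $crlf++; $i++ } else { $bareCr++ }
        }
        elseif ($bytes[$i] -eq 0x0A) { $bareLf++ }
    }
    [pscustomobject]@{ Path = $Path; CRLF = $crlf; BareLF = $bareLf; BareCR = $bareCr }
}

function ConvertTo-CrlfFile {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $out   = New-Object 'System.Collections.Generic.List[byte]'
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $b = $bytes[$i]
        if ($b -eq 0x0D -or $b -eq 0x0A) {
            # Collapse an existing CRLF pair so it is not doubled.
            if ($b -eq 0x0D -and $i + 1 -lt $bytes.Length -and $bytes[$i + 1] -eq 0x0A) { $i++ }
            $out.Add(0x0D); $out.Add(0x0A)
        }
        else { $out.Add($b) }
    }
    [System.IO.File]::WriteAllBytes($full, $out.ToArray())
}

function Set-CrlfAuthenticodeSignature {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $p = Get-LineEndingProfile -Path $Path
    # Normalize before signing, so the file is not modified after the signature is applied.
    if ($p.BareLF -gt 0 -or $p.BareCR -gt 0) { ConvertTo-CrlfFile -Path $Path }
    Set-AuthenticodeSignature -FilePath $Path -Certificate $Certificate
}

# Constructed sample: a two-line script saved with LF-only endings.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'LfSample.ps1'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::UTF8.GetBytes("Write-Output 'a'`nWrite-Output 'b'`n"))
Get-LineEndingProfile -Path $sample   # profile of the LF-only file
ConvertTo-CrlfFile -Path $sample
Get-LineEndingProfile -Path $sample   # profile after normalization
```

Running `Get-LineEndingProfile` over a repository of `.ps1` files before a signing step flags the LF-only scripts that the report says fail under AllSigned.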
