Azure / azure-powershell

Microsoft Azure PowerShell

Az.Accounts module version 2.0.1-preview could not be installed with authenticode signature failure #15246

Closed bganapa closed 3 years ago

bganapa commented 3 years ago

Description

Installing Az.Accounts module version 2.0.1-preview fails with: The module Az.Accounts can not be installed or updated because the authenticode signature of the file 'Az.Accounts.psd1' is not valid

Here are a few screenshots


Steps to reproduce

Install-Module -Name Az.Accounts -RequiredVersion 2.0.1-preview -AllowPrerelease -Repository PSGallery

Module versions

Az.Accounts 2.0.1-preview


bganapa commented 3 years ago

We could install with the -SkipPublisherCheck option. However, we need to find the root cause. We suspect issues in the cert root chain and are following up to find more details.

dingmeng-xue commented 3 years ago

The signature on 2.0.1-preview should be valid. Please read the output below. I suspect the reason is that the user has an old version of Az.Accounts which has no signature. The upgrade process found the signature was changed (from unsigned to signed) and considered it as invalid.

PS C:\Dev> Get-AuthenticodeSignature C:\Users\dixue\Documents\PowerShell\Modules\Az.Accounts\2.0.1\Az.Accounts.psd1 | fl

SignerCertificate      : [Subject]
                           CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           33000001519E8D8F4071A30E41000000000151

                         [Not Before]
                           5/3/2019 5:37:46 AM

                         [Not After]
                           5/3/2020 5:37:46 AM

                         [Thumbprint]
                           62009AAABDAE749FD47D19150958329BF6FF4B34

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:7D2E-3782-B0F7, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington,
                         C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           330000010020F75C9356D577D0000000000100

                         [Not Before]
                           9/7/2019 4:41:09 AM

                         [Not After]
                           12/5/2020 4:41:09 AM

                         [Thumbprint]
                           38071FF037D5DC5476017EDB8D63BCB31EA18CC5

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\dixue\Documents\PowerShell\Modules\Az.Accounts\2.0.1\Az.Accounts.psd1
SignatureType          : Authenticode
IsOSBinary             : False

bganapa commented 3 years ago

Thanks, yes. We suspect issues in the certificate root chain. The machine where the user tried might not have got the needed root cert installed. We have asked to collect the CAPI2 logs to find out the cert-related issues on the machine where it was failing.

bganapa commented 3 years ago

CAPI2 logs revealed an issue in the certificate root chain.
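
A diagnostic sketch covering both causes raised in this thread (an older unsigned copy of the module, and a signer chain that does not end in a locally trusted root). It is an added example, not code from the thread or from the Azure PowerShell project. The function name `Test-ManifestSignatureChain` and its output property names are hypothetical.

```powershell
# Added example; function and property names are illustrative assumptions.
function Test-ManifestSignatureChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Path
    )
    process {
        foreach ($file in $Path) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $result = [ordered]@{
                Manifest      = $file
                Status        = $sig.Status        # NotSigned for an unsigned copy
                StatusMessage = $sig.StatusMessage
                ChainBuilt    = $null
                ChainErrors   = @()
                LastElement   = $null
            }
            if ($sig.SignerCertificate) {
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                # A timestamped signature outlives the signing certificate, so
                # ignore expiry here and surface only trust problems in the chain.
                $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
                # No CRL/OCSP fetch: works offline, but does not test revocation.
                $chain.ChainPolicy.RevocationMode = 'NoCheck'
                $result.ChainBuilt  = $chain.Build($sig.SignerCertificate)
                # PartialChain or UntrustedRoot here points at a missing root cert.
                $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
                    "$($_.Status): $($_.StatusInformation.Trim())" })
                if ($chain.ChainElements.Count -gt 0) {
                    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                    $result.LastElement = "$($last.Subject) [$($last.Thumbprint)]"
                }
            }
            [pscustomobject]$result
        }
    }
}

# Check every installed copy of the module, oldest versions included.
(Get-Module -ListAvailable -Name Az.Accounts).Path |
    Test-ManifestSignatureChain | Format-List

# Recent errors from the CAPI2 operational log (disabled by default; Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the CAPI2 query returns nothing, the log is probably not enabled; `wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true` turns it on from an elevated prompt, after which the failing install has to be retried to produce events.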