PowerShell / PSResourceGet

PSResourceGet is the package manager for PowerShell
https://www.powershellgallery.com/packages/Microsoft.PowerShell.PSResourceGet
MIT License

100% of OV-signed modules will soon encounter error on update #1381

Closed potatoqualitee closed 1 year ago

potatoqualitee commented 1 year ago

Summary of the new feature / enhancement

I'm guessing it'll be close to 100 unless people started out on YubiKeys. There's a new directive that requires us to use YubiKeys or some service that puts our private keys on HSMs. It's been hell but we finally got it working.

Now, however, we will have to educate our community about the error they will encounter because our CA changed on renewal.

PS C:\github> install-module -Repository local -RequiredVersion 1.1.99 dbatools
PS C:\github> update-module dbatools
PackageManagement\Install-Package : Authenticode issuer 'CN=dbatools, O=dbatools,
L=Vienna, S=Virginia, C=US' of the new module 'dbatools' with version '2.0.4' from root
certificate authority 'CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1,
O="DigiCert, Inc.", C=US' is not matching with the authenticode issuer 'CN=dbatools,
O=dbatools, L=Vienna, S=Virginia, C=US' of the previously-installed module 'dbatools' with
version '1.1.99' from root certificate authority 'CN=DigiCert Assured ID Root CA,
OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use
-SkipPublisherCheck parameter.
At
C:\Users\ctrlb\Documents\WindowsPowerShell\Modules\PowerShellGet\2.2.5\PSModule.psm1:13069
char:20
+ ...           $sid = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power....InstallPackage:Install
   Package) [Install-Package], Exception
    + FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignat
   ure,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

I know this is a secure thing but will the answer be that now the standard way to update a signed module is to suggest skippublishercheck? Will that be like telling people to accept the SSL warnings they see on a website? Does it engender bad practices? Is there any alternative? Do we expect ongoing changes in the industry that will basically require skippublishercheck by default? I am almost regretting signing?

Proposed technical implementation details (optional)

No idea, up for debate. On one hand, we have to check the publisher, on the other, if skip check becomes default what's the point? Should we switch to -CheckPublisher?

ThomasNieto commented 1 year ago

In PSResourceGet (PSGet v3) the signature check is opt-in.

potatoqualitee commented 1 year ago

OH Wow! This is already fixed? What a relief, we'll test then include that in our blog posts/tutorials. Thank you.
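
Added example, not part of the original thread or the project's code: one way to check by hand what the `AuthenticodeIssuerMismatch` error above is comparing before reaching for `-SkipPublisherCheck`. It assumes Windows with PSResourceGet installed (for `Save-PSResource`); the function names, the default repository name and the staging path are hypothetical.

```powershell
# Added example, not from the thread. Function names and the staging path are hypothetical.
function Get-SignerSummary {
    param([Parameter(Mandatory)][string] $FilePath)
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    $root = $null
    if ($cert) {
        # Build the chain and take its last element: the root CA named in the error text.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($cert)
        $n = $chain.ChainElements.Count
        if ($n -gt 0) { $root = $chain.ChainElements[$n - 1].Certificate.Subject }
    }
    [pscustomobject]@{
        Status    = $sig.Status
        Publisher = if ($cert) { $cert.Subject }
        RootCA    = $root
    }
}

function Compare-ModulePublisher {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $Version,
        [string] $Repository  = 'PSGallery',
        [string] $StagingPath = (Join-Path $env:TEMP 'module-staging')
    )
    $installed = Get-Module -ListAvailable -Name $Name |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $installed) { throw "Module '$Name' is not installed." }

    # Download the candidate into a staging folder; nothing is installed or imported.
    New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null
    Save-PSResource -Name $Name -Version $Version -Repository $Repository -Path $StagingPath -TrustRepository
    $manifest = Get-ChildItem -Path $StagingPath -Recurse -Filter "$Name.psd1" |
        Where-Object { $_.FullName -like "*$Version*" } | Select-Object -First 1
    if (-not $manifest) { throw "No $Name.psd1 for version $Version found under $StagingPath." }

    $old = Get-SignerSummary -FilePath (Join-Path $installed.ModuleBase "$Name.psd1")
    $new = Get-SignerSummary -FilePath $manifest.FullName
    [pscustomobject]@{
        OldStatus     = $old.Status;  NewStatus = $new.Status
        SamePublisher = ($null -ne $new.Publisher) -and ($old.Publisher -eq $new.Publisher)
        RootChanged   = $old.RootCA -ne $new.RootCA
        OldRootCA     = $old.RootCA;  NewRootCA = $new.RootCA
    }
}

Compare-ModulePublisher -Name dbatools -Version 2.0.4
```

A result with both statuses `Valid`, `SamePublisher` true and `RootChanged` true corresponds to the CA-renewal case described in the issue, as opposed to a module signed by a different publisher. With PSResourceGet, the same validation can be requested at install time through the opt-in `-AuthenticodeCheck` switch on `Install-PSResource`.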