PowerShell / PowerShellGetv2

PowerShellGet is the Package Manager for PowerShell
https://www.PowerShellGallery.com
MIT License
429 stars 139 forks

Update-Module throws exception Authenticode issuer #650

Open Ghufz opened 3 years ago

Ghufz commented 3 years ago

Steps to reproduce

Published the new version of the PowerShell module on the PowerShell Gallery.

Use the cmdlet Update-Module to update to the latest module while the previous module is installed.

I have the Cisco.IMC module version 3.0.0.10 installed locally.

Now I want to update the module Cisco.IMC to version 3.0.1.2.

Update-Module -Name Cisco.IMC

It throws the exception Authenticode issuer mismatch.

Expected behavior

Update-Module should install the cmdlet without any exception since all the files are signed.

Actual behavior

Update-Module throws an exception:

PackageManagement\Install-Package : Authenticode issuer 'CN="xyz, INC.", O="xyz, INC.", L=San Jose, S=California, C=US, SERIALNUMBER=C1183477, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US' of the new module 'Cisco.IMC' with version '3.0.1.2' from root certificate authority 'CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching with the authenticode issuer 'CN="xyz, INC.", O="CISCO SYSTEMS, INC.", L=San Jose, S=California, C=US' of the previously-installed module 'Cisco.IMC' with version '3.0.0.10' from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.
At C:\Users\user\Documents\PowerShell\Modules\PowerShellGet\2.2.5\PSModule.psm1:13069 char:20
+ ...           $sid = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…lets.InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Environment data


Name                           Value
----                           -----
PSVersion                      6.2.3
PSEdition                      Core
GitCommitId                    6.2.3
OS                             Microsoft Windows 10.0.17134
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS C:\BitBucket\powershell_sdk\PowerShellSDK_Testing\Sdk\intersight_powershell_sdk_v3_1.0.9.2687> get-module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   1.2.3.0    Microsoft.PowerShell.Archive        {Compress-Archive, Expand-Archive}
Manifest   6.1.0.0    Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-Item, Clear-ItemProperty…}
Manifest   6.1.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature…}
Manifest   6.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object…}
Manifest   6.1.0.0    Microsoft.WSMan.Management          {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, Enable-WSManCredSSP…}
Script     1.4.7      PackageManagement                   {Find-Package, Find-PackageProvider, Get-Package, Get-PackageProvider…}
Script     2.2.5      PowerShellGet                       {Find-Command, Find-DscResource, Find-Module, Find-RoleCapability…}
Script     2.0.0      PSReadLine                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler…}

iSazonov commented 3 years ago

PSVersion 6.2.3

It is out of support (or near that time). Please test with the latest PowerShell 7.1 release. Also, the cmdlet is in the PowerShellGet repository - please create a new issue there.

ThomasNieto commented 3 years ago

PowerShellGet requires the signature to be issued by the same certificate authority in order to update. Since Cisco has a new root CA it fails and you need to use the -SkipPublisherCheck switch to bypass it. I'd recommend moving this ticket over to https://github.com/PowerShell/PowerShellGet. As for getting past the error you need to run this command instead.

Install-Module -Name Cisco.IMC -Force -AcceptLicense -SkipPublisherCheck
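
A way to inspect the new version's signer and root CA by hand before bypassing the publisher check described in the comment above. This is an added example, not part of the original thread or PowerShellGet's own code; the staging directory and the helper name Get-ModuleSignerSummary are assumptions.

```powershell
# Added example: compare the Authenticode signer of the installed module with
# that of the new version, staged on disk but not installed.
$ModuleName  = 'Cisco.IMC'
$StagingPath = Join-Path ([IO.Path]::GetTempPath()) 'module-staging'  # assumed scratch dir

function Get-ModuleSignerSummary {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Files in a module that normally carry an Authenticode signature
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.psd1, *.psm1, *.ps1, *.ps1xml, *.dll
    foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $root = $null
        if ($sig.SignerCertificate) {
            # Build the chain; its last element is the root CA the error message names
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            [void]$chain.Build($sig.SignerCertificate)
            if ($chain.ChainElements.Count -gt 0) {
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }
        }
        [pscustomobject]@{
            File       = $f.Name
            Status     = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Root       = $root
        }
    }
}

# Download the new version to the staging directory instead of installing it
New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null
Save-Module -Name $ModuleName -Path $StagingPath -Force

$installed = Get-InstalledModule -Name $ModuleName
$old = Get-ModuleSignerSummary -Path $installed.InstalledLocation
$new = Get-ModuleSignerSummary -Path (Join-Path $StagingPath $ModuleName)

# Stop if any staged file is unsigned, tampered with, or otherwise not 'Valid'
$bad = $new | Where-Object Status -ne 'Valid'
if ($bad) { $bad | Format-Table File, Status; throw "Invalid signatures in staged $ModuleName" }

# Distinct signer/root pairs of both versions, for manual comparison
'Installed:'; $old | Select-Object Signer, Thumbprint, Root -Unique | Format-List
'Staged:';    $new | Select-Object Signer, Thumbprint, Root -Unique | Format-List
```

The -SkipPublisherCheck install shown above is appropriate only once the staged signer has been confirmed, through a channel other than the gallery, to be the publisher's current certificate.
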
Ghufz commented 3 years ago

Thanks for your reply. The expected workaround is Install-Module -Name Cisco.IMC -Force -AcceptLicense -SkipPublisherCheck

My question is: during the life cycle of a single module, it can happen that the CA may change, and this issue will persist.

shockogit commented 2 months ago

This is still open. The Update-Module cmdlet does not allow us to specify a -SkipPublisherCheck option. This Authenticode issue occurs on numerous modules (VMware but also MS Graph!). Why can it not be addressed? It's very common for a developer or admin to want to update all modules to the latest without messy workarounds to run Install-Module. Have I missed something here?

ThomasNieto commented 2 months ago

@shockogit PowerShellGet is deprecated in favor of PSResourceGet. If you use that new module it doesn't have this issue as publisher checks aren't enabled by default.

shockogit commented 2 months ago

I see it at https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.psresourceget/?view=powershellget-3.x&viewFallbackFrom=powershellget-2.x. Thanks @ThomasNieto !