Closed crazy4cs closed 6 years ago
My colleague has just tried to install Scoop and also got this problem. I installed it last week and it was fine.
What's the output of Get-ExecutionPolicy -List?
My colleague's settings were
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine    RemoteSigned
Hello I'm having the same issue
What's the output of [Net.ServicePointManager]::SecurityProtocol?
PS C:\Users\chere> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
PS C:\Users\chere>
And if I try to install it again it says:
PS C:\Users\chere> iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
Initializing...
Scoop is already installed. Run 'scoop update' to get the latest version.
PS C:\Users\chere> scoop update
scoop : The term 'scoop' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ scoop update
    + CategoryInfo : ObjectNotFound: (scoop:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\chere>
I just ran into this as well on a 'fresh' install of Windows 10 (it was installed from a base image provided by the IT dept, for whatever that's worth). I found that I was able to delete the ~/scoop directory, run the command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
directly in my prompt, and then re-install with the standard method. That being said, it seems I need to re-run that command in each new powershell window, or I see a bunch of SSL/TLS errors any time I use scoop.
You can put [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" in your PowerShell profile (notepad $PROFILE) as a workaround. It seems like something's changed on GitHub's side so they no longer accept TLSv1, which winhttp uses by default. There's also stuff you can fiddle with in the registry to get winhttp to use TLSv1.2 instead.
EDIT: Looks like installing .NET 4.6.1 also changes the default TLS scheme to 1.2.
Just updated Windows 10 today and I'm receiving this. I've tried the above suggestions without much luck, although the symptoms are the same, my error is a bit different.
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
I've tried setting the registry flag to force WinHttp to a higher TLS version, but it's not working on my machine or perhaps my steps are incorrect.
The suggestion to use notepad $PROFILE doesn't seem to work on my installation, I'm not sure what that does. My scoop version is ef058e9 Update fnproject to version 0.4.34.
@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your PowerShell profile file for editing. In that file you need to add [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls". Before adding it to your profile file, you can test out whether the incorrect TLS version is causing your issue by just running this command in a PowerShell session right before scoop update.
you can test out whether the incorrect TLS version is causing your issue by just running this command in a powershell session right before scoop update.
I wasn't able to get either proposal to help...
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
I also removed ~/scoop and reinstalled through the iex ... command from scoop.sh, which worked, but once scoop update was run, the tlsv1 alert protocol version error comes back.
@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.
Thanks for explaining. The command didn't work on my machine. I'm happy to know it's the same effect as setting the properties via PowerShell command line, so I won't worry about it at this time.
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
Apologies... My issue was a botched git-scm after the Windows 10 updates. The fix was to completely purge all git versions and reinstall. Interestingly enough, the default git location changed from C:\Program Files (x86)\ to C:\Program Files\ but my system did not reflect it, so this seems to be unrelated to the original bug report and fixed by repairing git through some manual steps. The symptoms and timing were very close to the original bug report, so I thought they were related, but they appear to be different.
@masaeedu Is there a work around for this when using the command prompt? Having to use scoop exclusively in PowerShell is inconvenient.
Scoop has the following functions to enable every available protocol when downloading apps: https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L117-L133
Currently they are only used in do_dl(), checkver.ps1 and checkurls.ps1
https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L135-L149
Adding them to all other commands that require downloading something could fix it. It has to be set manually for the initial scoop installation to work.
https://github.com/blog/2507-weak-cryptographic-standards-removed Does the change of GitHub affect this issue?
AFAIK, the scoop installer script is hosted by GitHub.
@h404bi that is the main cause of this issue 😁
https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1
Currently using this in a .bat on fresh installed systems:
@echo off
COLOR 1F
rem Path of the current user's PowerShell profile
set "filePath=%userprofile%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
IF EXIST "%filePath%" (GOTO appendTLS) else (GOTO newTLS)
:appendTLS
rem Profile already exists: append the TLS setting to it
(
echo.
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) >> "%filePath%"
GOTO install
:newTLS
rem No profile yet: create the folder, then the profile
mkdir "%userprofile%\Documents\WindowsPowerShell\"
(
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) > "%filePath%"
:install
rem Run the Scoop installer in a new PowerShell session, which loads the profile
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -InputFormat None -ExecutionPolicy RemoteSigned -Command "iex (new-object net.webclient).downloadstring('https://get.scoop.sh')"
But obviously need Set-ExecutionPolicy RemoteSigned -s cu
@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.
Turns out this command fails on systems without a ~/PowerShell folder.
I ran into this today with Windows 7 SP1. Here's a little script that should help.
mkdir $PROFILE\..
echo '[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"' >> $PROFILE
& $PROFILE
# thats it
Prepare, do this in PowerShell:
set-executionpolicy remotesigned -s currentuser
And input Y to ensure.
Open https://get.scoop.sh in your browser to download the shellscript, save as install.ps1:
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong
if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}
# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}
# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)
# prep
if(installed 'scoop') {
    write-host "Scoop is already installed. Run 'scoop update' to get the latest version." -f red
    # don't abort if invoked with iex——that would close the PS session
    if($myinvocation.mycommand.commandtype -eq 'Script') { return } else { exit 1 }
}
$dir = ensure (versiondir 'scoop' 'current')
# download scoop zip
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
Write-Output 'Downloading...'
dl $zipurl $zipfile
'Extracting...'
unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile
Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false
ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
find $zipurl:
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
Find zipurl: https://github.com/lukesampson/scoop/archive/master.zip, download it, and unzip it in the scoop's dir:
%USERPROFILE%\scoop\apps\scoop\current
Or you can change the install.ps1 script, to see where scoop dir is:
Write-Output 'Downloading...'
# this will print scoop dir
Write-Output "$dir"
Then modify the install.ps1, it should be below:
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong
if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}
# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}
# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)
# prep
$dir = ensure (versiondir 'scoop' 'current')
Write-Output "$dir"
# download scoop zip
# $zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
# Write-Output 'Downloading...'
# comment dl command, download zipfile yourself.
# dl $zipurl $zipfile
'Extracting...'
# notice to comment unzip, otherwise there will be an error of unzip. You should unzip with winrar yourself
# the zip file should unzip in $dir\_tmp yourself
# unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile
Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false
ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
save install.ps1, then drag it into PowerShell, and then press enter, after a moment:
Scoop was installed successfully!
One line PowerShell command for new installation, if someone is looking for workaround:
set-executionpolicy remotesigned -s currentuser; [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192 -bor 48; iwr https://get.scoop.sh -UseBasicParsing | iex
If I had to guess, the scoop.sh website is probably using a certificate from StartSSL. As they are no longer a trusted cert authority, the download is failing. If you browse to https://scoop.sh you'll get a security warning about the certificate. Should be easy to fix with a new certificate using letsencrypt or something similar.
@danielgary nope, scoop.sh didn't have ssl, it's a CNAME of scoop's gh-pages. And https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1
GitHub dropping TLSv1 support causes this issue.
@danielgary ugh, thanks for pointing this out. I contacted @lukesampson about this.
@h404bi I don't think the one line solution will work, scoop frequently consults the buckets (which are on github), post-install. This means you need to have the TLS settings in every powershell instance you start; i.e. you need to put it in your profile.
@masaeedu I said that's a workaround for fresh installation. Though I have tested on a fresh install windows 10, fresh install scoop with that command, then just install git-with-openssh, every thing seems fine, scoop update, scoop search, scoop status...
The Windows 10 ServicePointManager:
$ [System.Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
Besides, I search that we could modify the registry of ServicePointManager to permanently force to use strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.
Besides, I search that we could modify the registry of ServicePointManager to permanently force to use strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.
Do you mean for all users? For the current user, https://github.com/lukesampson/scoop/issues/2040#issuecomment-368145842, @covertcj's solution works great. I've adapted @r15ch13's proposal to make it permanent for the current user and this technique was tested on Windows 7.
Is the concern that this won't scale for multiple users? I would propose that the scoop library internally nudges this since it makes no sense to attempt to continue functioning otherwise.
Even the set-executionpolicy remotesigned -s currentuser, I don't entirely understand as this is part of the base scoop.sh install, this command should already have been run 100% of the time; adding it to this thread seems like it will only confuse first time users.
@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)
Here's how to do that in PowerShell:
# set strong cryptography for 32-bit .NET Framework applications on 64-bit Windows (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography for the native registry view, i.e. 64-bit .NET Framework on 64-bit Windows (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.
Was not sure if every site supports TLS 1.2, therefore I created a script to check all the URLs. Every single host supports it, so it's safe to just enable it I guess.
/Edit: Updated script and results (20190410)
I'm not sure what's more impressive... the speed in which you validated every script mirror supports TLS12, or the neat GitHub hide huge codeblock trick.
An easy fix could be to add this neat little line to core.ps1.
Mentioned by @masaeedu in https://github.com/lukesampson/scoop/pull/2065#issuecomment-369669048
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Sadly the initial install oneliner has to change.
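An added example (not Scoop's code and not from any participant in this thread) that ties together the session setting and the SchUseStrongCrypto registry values discussed above: it decodes the numeric flags used in the one-liner, adds TLS 1.2 without discarding the protocols already enabled, and reads the two registry views without writing to them. The function names are hypothetical; the registry paths are the ones quoted in the thread and the numbers are the values of System.Net.SecurityProtocolType.

```powershell
# Added example, not Scoop's code. Function names are hypothetical.

# Numeric values of the System.Net.SecurityProtocolType flags.
$TlsFlags = @(
    @{ Bit = 48;    Name = 'Ssl3'  },
    @{ Bit = 192;   Name = 'Tls'   },
    @{ Bit = 768;   Name = 'Tls11' },
    @{ Bit = 3072;  Name = 'Tls12' },
    @{ Bit = 12288; Name = 'Tls13' }
)

# Turn a SecurityProtocol value (enum or integer) into protocol names.
function ConvertTo-TlsProtocolName {
    param([Parameter(Mandatory)][int]$Value)
    if ($Value -eq 0) { return 'SystemDefault' }   # .NET 4.7+: the OS picks the versions
    $TlsFlags | Where-Object { ($Value -band $_.Bit) -eq $_.Bit } | ForEach-Object { $_.Name }
}

# Add TLS 1.2 to the current session, keeping whatever is already enabled.
function Enable-SessionTls12 {
    $before = [int][Net.ServicePointManager]::SecurityProtocol
    if ($before -eq 0) {
        # SystemDefault already defers to the OS; OR-ing a flag in would
        # pin the session to TLS 1.2 only, so leave it untouched.
        $after = $before
    } else {
        $after = $before -bor 3072
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]$after
    }
    [pscustomobject]@{
        Before = (ConvertTo-TlsProtocolName $before) -join ', '
        After  = (ConvertTo-TlsProtocolName $after) -join ', '
    }
}

# Read (never write) SchUseStrongCrypto in both registry views.
function Get-StrongCryptoSetting {
    $keys = [ordered]@{
        'Native view'          = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
        'Wow6432Node (32-bit)' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    }
    foreach ($entry in $keys.GetEnumerator()) {
        $prop = Get-ItemProperty -Path $entry.Value -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        [pscustomobject]@{
            View    = $entry.Key
            Enabled = ($null -ne $prop -and $prop.SchUseStrongCrypto -eq 1)
        }
    }
}

Enable-SessionTls12 | Format-List
Get-StrongCryptoSetting | Format-Table -AutoSize
```

On a session that starts at the Ssl3, Tls default shown earlier in the thread, Before reads "Ssl3, Tls" and After reads "Ssl3, Tls, Tls12"; reading the registry values needs no elevation, unlike setting them.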
@r15ch13 @lukesampson The install oneliner doesn't need to change unless Amazon CloudFront drops support for TLSv1.0 or GitHub drops support for TLSv1.0 on raw.githubusercontent.com.
get.scoop.sh is served from Amazon CloudFront servers, then redirects to raw.githubusercontent.com. GitHub only dropped support for TLSv1.0 on github.com and api.github.com.
The install oneliner doesn't have trouble downloading the install script, it just has trouble accessing api.github.com during the install.
TLDR; install.ps1 and core.ps1 need to be updated, but the oneliner doesn't need to change... yet.
That being said, the following oneliner is shorter, but suffers from the same problem.
iwr https://get.scoop.sh | iex
I didn't see a commit related to this but I am no longer receiving the error after updating scoop.
@dsbert What happens when you run this:
scoop search --no-cache
@jordanbtucker There it is
This is fixed for me, but I left a comment about it leaving side effects. It's probably not a big deal though.
@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)
Here's how to do that in PowerShell:
# set strong cryptography for 32-bit .NET Framework applications on 64-bit Windows (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography for the native registry view, i.e. 64-bit .NET Framework on 64-bit Windows (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.
This finally let me install boxstarter on windows7 via azure-arm/packer.
set-executionpolicy remotesigned -s currentuser has been run.
The scoop directory is created within the user profile folder, as well as the %USERPROFILE%\scoop\apps\scoop\current directory, however, they are both empty.