aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Update-AWSToolsModule / Install-Module Causing Signature Error On Upgrade to 4.1.15.0 #232

Closed klementi closed 1 year ago

klementi commented 3 years ago

The Question

When updating to 4.1.15.0 using Update-AWSToolsModule in AWS.Tools.Installer module the following error may occur:

Error validating manifest signature for AWS.Tools.Common

To fix this problem update to version 1.0.2.2 or higher of the AWS.Tools.Installer (Install-Module AWS.Tools.Installer -SkipPublisherCheck -Force) and run the command as:

Update-AWSToolsModule -SkipPublisherCheck

This issue can also occur if you have an existing version of AWS PowerShell installed and try to Install-Module MODULE_NAME -Force. The following error will be reported:

 | Authenticode issuer 'CN="Amazon Web Services, Inc.", OU=SDKs and Tools, O="Amazon Web Services, Inc.", L=Seattle, S=Washington, C=US,
 | SERIALNUMBER=4152954, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization' of the new module
 | 'AWS.Tools.Installer' with version '1.0.2.2' from root certificate authority 'CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc,
 | C=US' is not matching with the authenticode issuer 'CN="Amazon Web Services, Inc.", OU=AWS, O="Amazon Web Services, Inc.", L=Seattle, S=Washington,
 | C=US' of the previously-installed module 'AWS.Tools.Installer' with version '1.0.2.1' from root certificate authority 'CN=DigiCert Assured ID Root
 | CA, OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.

To fix this problem run Install-Module MODULE_NAME -Force -SkipPublisherCheck

ghost commented 2 years ago

I saw the same thing. I did a full uninstall of all the prior modules AND installers, installed the fresh AWS.Tools.Installer and was able to make it go, but it definitely took 30+ minutes of beating my head against the wall to make it work.

Not great.

jbilinski commented 2 years ago

It's my belief that CA changes like this need to be overt. I appreciate the Announcement label from @klementi and trust this is a legitimate change. But next time it may not be. It would be good policy to announce this at the top of the release notes and as publicly as possible on a secondary trusted platform -- perhaps on docs.aws.amazon.com: https://docs.aws.amazon.com/powershell/latest/userguide/pstools-security.html and the PowerShell Gallery: https://www.powershellgallery.com/packages/AWS.Tools.Common/

normj commented 2 years ago

@nsandar Sorry for your wasted time

@jbilinski That is a good callout that we should have put the certificate change at the top of the release notes. Out of curiosity did you experience the issue via the AWS.Tools.Installer module as well?

We aren't happy with the certificate handling in PowerShell and how the built-in mechanism is supposed to handle certificates eventually evolving over time. We are working with Microsoft to see how we can make PowerShell better in the future.

jbilinski commented 2 years ago

Thanks @normj: Yes, Update path with ignore flag using the AWS.Tools.Installer module failed with same cert error. I had to cut bait on the issue and remove/install.

I can see the effort you're putting into adding a layer of trust on top of the loose tooling available in PowerShell. Thanks for bringing it to Microsoft -- now prepare for all the "when" questions. :)

github-actions[bot] commented 1 year ago

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.

kimvais commented 1 year ago

For future reference, to fix this for all installed modules:

foreach ($mod in Get-InstalledModule AWS.Tools.*) { Install-Module $mod.name -Force -SkipPublisherCheck }
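
Added example, not part of the thread or the project's own code: a way to inspect the new signer before passing -SkipPublisherCheck, by staging each module with Save-Module and comparing its Authenticode signer and root CA with the values quoted in the error message above. The function name Test-ModulePublisher, the staging path and the two expected-value variables are assumptions made for this example, and it assumes Windows, where Get-AuthenticodeSignature is available.

```powershell
# Added example (not from the thread). Expected values are copied from the
# error message quoted in this issue; update them if the publisher announces
# another certificate change.
$ExpectedRoot   = 'CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US'
$ExpectedSigner = 'O="Amazon Web Services, Inc."'

function Test-ModulePublisher {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Staging = (Join-Path $env:TEMP "modcheck-$(Get-Random)")
    )
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    try {
        # Save-Module downloads without installing, so nothing is imported yet.
        Save-Module -Name $Name -Path $Staging -Force
        $manifest = Get-ChildItem -Path $Staging -Recurse -Filter "$Name.psd1" |
            Select-Object -First 1
        if (-not $manifest) { throw "No manifest found for $Name in $Staging" }

        $sig = Get-AuthenticodeSignature -FilePath $manifest.FullName
        if ($sig.Status -ne 'Valid') {
            throw "$Name signature status is $($sig.Status): $($sig.StatusMessage)"
        }
        # Build the chain to find the root CA the signer certificate chains to.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($sig.SignerCertificate)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Module     = $Name
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Root       = $root.Subject
            Expected   = ($root.Subject -eq $ExpectedRoot) -and
                         $sig.SignerCertificate.Subject.Contains($ExpectedSigner)
        }
    } finally {
        Remove-Item -Path $Staging -Recurse -Force -ErrorAction SilentlyContinue
    }
}

foreach ($mod in Get-InstalledModule AWS.Tools.*) {
    $result = Test-ModulePublisher -Name $mod.Name
    $result | Format-List
    if ($result.Expected) {
        Install-Module $mod.Name -Force -SkipPublisherCheck
    } else {
        Write-Warning "$($mod.Name): unexpected publisher, not installing"
    }
}
```

The Thumbprint field is printed so it can be compared against whatever the publisher announces through a separate channel, which is the kind of second source asked for earlier in the thread.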