chocolatey / chocolatey-ansible

The Chocolatey module collection for Ansible
GNU General Public License v3.0

Cannot install chocolatey - chocolateyInstall.ps1 is not digitally signed #141

Open opoplawski opened 9 months ago

opoplawski commented 9 months ago

What You Are Seeing?

Trying to do an initial chocolatey install on a Windows 11 Enterprise machine I get:

fatal: [HOSTNAME]: FAILED! => {
    "changed": false,
    "command": "",
    "invocation": {
        "module_args": {
            "allow_empty_checksums": false,
            "allow_multiple": false,
            "allow_prerelease": false,
            "architecture": "default",
            "bootstrap_script": null,
            "bootstrap_tls_version": [
                "tls12",
                "tls13"
            ],
            "checksum": null,
            "checksum64": null,
            "checksum_type": null,
            "checksum_type64": null,
            "choco_args": null,
            "force": false,
            "ignore_checksums": false,
            "ignore_dependencies": false,
            "install_args": null,
            "name": [
                "chocolatey"
            ],
            "override_args": false,
            "package_params": null,
            "pinned": null,
            "proxy_password": null,
            "proxy_url": null,
            "proxy_username": null,
            "remove_dependencies": false,
            "skip_scripts": false,
            "source": null,
            "source_password": null,
            "source_username": null,
            "state": "latest",
            "timeout": 2700,
            "validate_certs": true,
            "version": null
        }
    },
    "msg": "Chocolatey bootstrap installation failed.",
    "rc": 1,
    "stderr": "& : File \r\nC:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 \r\ncannot be loaded. The file \r\nC:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 is \r\nnot digitally signed. You cannot run this script on the current system. For more information about running scripts and \r\nsetting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.\r\nAt line:1 char:3\r\n+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.588 ...\r\n+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : SecurityError: (:) [], PSSecurityException\r\n    + FullyQualifiedErrorId : UnauthorizedAccess\r\n",
    "stderr_lines": [
        "& : File ",
        "C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 ",
        "cannot be loaded. The file ",
        "C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 is ",
        "not digitally signed. You cannot run this script on the current system. For more information about running scripts and ",
        "setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.",
        "At line:1 char:3",
        "+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.588 ...",
        "+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
        "    + CategoryInfo          : SecurityError: (:) [], PSSecurityException",
        "    + FullyQualifiedErrorId : UnauthorizedAccess"
    ],
    "stdout": "",
    "stdout_lines": []
}

What is Expected?

Chocolatey is installed

How Did You Get This To Happen?

- hosts: windows
  gather_facts: false
  tasks:
    - name: "Install chocolatey"
      win_chocolatey:
        name:
          - chocolatey
        state: latest

System Details

Installed Packages

N/A

Output Log

N/A

Additional Context

I can fix the signing issue by adding -NoNewline to the Set-Content call. But then I get:

    "stderr": "& : AuthorizationManager check failed.\r\nAt line:1 char:3\r\n+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-moduletmp-13346812 ...\r\n+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : SecurityError: (:) [], PSSecurityException\r\n    + FullyQualifiedErrorId : UnauthorizedAccess\r\n",
    "stderr_lines": [
        "& : AuthorizationManager check failed.",
        "At line:1 char:3",
        "+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-moduletmp-13346812 ...",
        "+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
        "    + CategoryInfo          : SecurityError: (:) [], PSSecurityException",
        "    + FullyQualifiedErrorId : UnauthorizedAccess"
    ],
vexx32 commented 3 months ago

@opoplawski looking into the latter error it sounds like we might also need to run Unblock-File on the script? https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0713009

Although I had thought that this wasn't something that would normally happen for files created in this manner 🤔

vexx32 commented 5 days ago

@opoplawski Can you try the branch from #161 to see if that helps any for the issue you're seeing?

More information about the client machine would be useful, too; this isn't a signing issue exactly. Ansible automatically runs scripts with the execution policy set to Unrestricted, so this is something else. The error reminds me a bit of AppLocker or something of that nature, perhaps?
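The thread touches several distinct policy layers that can produce a PSSecurityException (execution policy scopes set by Group Policy, Mark-of-the-Web on the temp file, AppLocker or WDAC script enforcement, and the publisher-trust prompt that a non-interactive WinRM session cannot answer). The following PowerShell is an added diagnostic, not code from chocolatey-ansible or from anyone in this issue; run it on the affected Windows host. The function names, the `8006`/`8007` AppLocker event filter and the `$env:TEMP` paths are assumptions; `Test-SignatureSurvivesSetContent` reproduces the mechanism behind the OP's `-NoNewline` observation on any Authenticode-signed `.ps1` you point it at.

```powershell
#Requires -Version 5.1
# Added diagnostic (not part of chocolatey-ansible). Reports which policy layer
# is likely refusing the bootstrap script. All paths and names are assumptions.

function Get-ScriptPolicyDiagnostics {
    [CmdletBinding()]
    param(
        # The ansible-tmp copy is removed after the run, so point this at any
        # copy of the bootstrap script (or leave empty for the host-only checks).
        [string]$ScriptPath
    )
    $report = [ordered]@{}

    # 1. Execution policy per scope. Ansible passes -ExecutionPolicy Unrestricted
    #    (Process scope), but MachinePolicy/UserPolicy from Group Policy win.
    $report.ExecutionPolicyByScope = Get-ExecutionPolicy -List
    $report.EffectivePolicy        = Get-ExecutionPolicy

    # 2. ConstrainedLanguage means AppLocker/WDAC script enforcement is active.
    $report.LanguageMode = $ExecutionContext.SessionState.LanguageMode

    # 3. AppLocker: effective Script rule collection and recent decisions
    #    (8007 = script blocked by an enforced rule, 8006 = audit-mode "would block").
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $report.AppLockerScriptRules = (Get-AppLockerPolicy -Effective).RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Script' }
    }
    $report.AppLockerEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
            Id      = 8006, 8007
        } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    # 4. WDAC user-mode code integrity: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $report.UsermodeCodeIntegrity = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus

    if ($ScriptPath -and (Test-Path -LiteralPath $ScriptPath)) {
        # 5. Mark-of-the-Web: a Zone.Identifier stream makes the file count as
        #    downloaded; Unblock-File removes it.
        $report.ZoneIdentifier = Get-Content -LiteralPath $ScriptPath `
            -Stream Zone.Identifier -ErrorAction SilentlyContinue

        # 6. Authenticode status of the file exactly as written to disk.
        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        $report.SignatureStatus = $sig.Status
        if ($sig.SignerCertificate) {
            $report.Signer = $sig.SignerCertificate.Subject
            # Under AllSigned, a valid signature from a publisher not in
            # TrustedPublisher triggers an interactive "run software from this
            # untrusted publisher?" prompt; over WinRM nobody can answer it.
            $report.PublisherTrusted = [bool](
                Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint })
        }
    }
    [pscustomobject]$report
}

function Test-SignatureSurvivesSetContent {
    # Re-writes a signed script the way a plain Set-Content call does (with a
    # trailing newline appended) and the way -NoNewline does, then compares
    # the Authenticode status of the three files.
    param([Parameter(Mandatory)][string]$SignedScriptPath)

    $body        = Get-Content -LiteralPath $SignedScriptPath -Raw
    $withNewline = Join-Path $env:TEMP 'sig-test-newline.ps1'   # assumed path
    $exact       = Join-Path $env:TEMP 'sig-test-exact.ps1'     # assumed path
    Set-Content -LiteralPath $withNewline -Value $body
    Set-Content -LiteralPath $exact       -Value $body -NoNewline

    $result = [pscustomobject]@{
        Original   = (Get-AuthenticodeSignature -FilePath $SignedScriptPath).Status
        SetContent = (Get-AuthenticodeSignature -FilePath $withNewline).Status
        NoNewline  = (Get-AuthenticodeSignature -FilePath $exact).Status
    }
    Remove-Item -LiteralPath $withNewline, $exact -ErrorAction SilentlyContinue
    $result
}

# Usage (assumed path to a saved copy of the bootstrap script):
# Get-ScriptPolicyDiagnostics -ScriptPath "$env:TEMP\chocolateyInstall.ps1" | Format-List
# Test-SignatureSurvivesSetContent -SignedScriptPath "$env:TEMP\chocolateyInstall.ps1"
```

Reading the output: a `MachinePolicy` or `UserPolicy` entry other than `Undefined` means Group Policy overrides the `Unrestricted` that Ansible requests; `ConstrainedLanguage`, a non-empty Script rule collection, 8007 events or `UsermodeCodeIntegrity = 2` point at AppLocker/WDAC rather than at the signature; `PublisherTrusted = False` together with `SignatureStatus = Valid` under an `AllSigned` policy is consistent with the second, "AuthorizationManager check failed" error from a session that cannot show the publisher prompt. For the signature test, the page's own report is that the plain `Set-Content` copy fails validation while the `-NoNewline` copy keeps the original status.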