chocolatey / chocolatey-ansible

The Chocolatey module collection for Ansible
GNU General Public License v3.0

Cannot install chocolatey - chocolateyInstall.ps1 is not digitally signed #141

Open opoplawski opened 11 months ago

opoplawski commented 11 months ago

What You Are Seeing?

Trying to do an initial chocolatey install on a Windows 11 Enterprise machine I get:

fatal: [HOSTNAME]: FAILED! => {
    "changed": false,
    "command": "",
    "invocation": {
        "module_args": {
            "allow_empty_checksums": false,
            "allow_multiple": false,
            "allow_prerelease": false,
            "architecture": "default",
            "bootstrap_script": null,
            "bootstrap_tls_version": [
                "tls12",
                "tls13"
            ],
            "checksum": null,
            "checksum64": null,
            "checksum_type": null,
            "checksum_type64": null,
            "choco_args": null,
            "force": false,
            "ignore_checksums": false,
            "ignore_dependencies": false,
            "install_args": null,
            "name": [
                "chocolatey"
            ],
            "override_args": false,
            "package_params": null,
            "pinned": null,
            "proxy_password": null,
            "proxy_url": null,
            "proxy_username": null,
            "remove_dependencies": false,
            "skip_scripts": false,
            "source": null,
            "source_password": null,
            "source_username": null,
            "state": "latest",
            "timeout": 2700,
            "validate_certs": true,
            "version": null
        }
    },
    "msg": "Chocolatey bootstrap installation failed.",
    "rc": 1,
    "stderr": "& : File \r\nC:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 \r\ncannot be loaded. The file \r\nC:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 is \r\nnot digitally signed. You cannot run this script on the current system. For more information about running scripts and \r\nsetting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.\r\nAt line:1 char:3\r\n+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.588 ...\r\n+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : SecurityError: (:) [], PSSecurityException\r\n    + FullyQualifiedErrorId : UnauthorizedAccess\r\n",
    "stderr_lines": [
        "& : File ",
        "C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 ",
        "cannot be loaded. The file ",
        "C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.5886993-69281-230291664240022\\chocolateyInstall.ps1 is ",
        "not digitally signed. You cannot run this script on the current system. For more information about running scripts and ",
        "setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.",
        "At line:1 char:3",
        "+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-tmp-1702336268.588 ...",
        "+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
        "    + CategoryInfo          : SecurityError: (:) [], PSSecurityException",
        "    + FullyQualifiedErrorId : UnauthorizedAccess"
    ],
    "stdout": "",
    "stdout_lines": []
}

What is Expected?

Chocolatey is installed

How Did You Get This To Happen?

- hosts: windows
  gather_facts: false
  tasks:
    - name: "Install chocolatey"
      win_chocolatey:
        name:
          - chocolatey
        state: latest

System Details

Installed Packages

N/A

Output Log

N/A

Additional Context

I can fix the signing issue by adding -NoNewline to the Set-Content call. But then I get:

    "stderr": "& : AuthorizationManager check failed.\r\nAt line:1 char:3\r\n+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-moduletmp-13346812 ...\r\n+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : SecurityError: (:) [], PSSecurityException\r\n    + FullyQualifiedErrorId : UnauthorizedAccess\r\n",
    "stderr_lines": [
        "& : AuthorizationManager check failed.",
        "At line:1 char:3",
        "+ & \"C:\\Users\\USER\\AppData\\Local\\Temp\\ansible-moduletmp-13346812 ...",
        "+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
        "    + CategoryInfo          : SecurityError: (:) [], PSSecurityException",
        "    + FullyQualifiedErrorId : UnauthorizedAccess"
    ],

vexx32 commented 4 months ago

@opoplawski looking into the latter error it sounds like we might also need to run Unblock-File on the script? https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0713009

Although I had thought that this wasn't something that would normally happen for files created in this manner 🤔

vexx32 commented 1 month ago

@opoplawski Can you try the branch from #161 to see if that helps any for the issue you're seeing?

More information about the client machine would be useful, too; this isn't a signing issue exactly. Ansible automatically runs scripts with the execution policy set to Unrestricted, so this is something else. The error reminds me a bit of AppLocker or something of that nature, perhaps?
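To tell the cases raised in this thread apart on the affected host (a Group Policy execution policy overriding Ansible's process-level Unrestricted, a signature invalidated by how the file was written, a Zone.Identifier mark that Unblock-File would clear, or an AppLocker rule), here is a diagnostic script a defender can run locally. It is an added example, not code from the issue or from the collection; `$ScriptPath` is a placeholder for the temp copy of chocolateyInstall.ps1 and the AppLocker check assumes the AppLocker module is present (Enterprise SKUs).

```powershell
# Added diagnostic for the two errors in this issue: "not digitally signed"
# and "AuthorizationManager check failed". Run directly on the Windows host.
# $ScriptPath is a placeholder for the temp copy of chocolateyInstall.ps1.
param(
    [string]$ScriptPath = "C:\PLACEHOLDER\chocolateyInstall.ps1"
)

# 1. Execution policy per scope. MachinePolicy/UserPolicy entries come from
#    Group Policy and take precedence over the Process scope, which is where
#    Ansible's "-ExecutionPolicy Unrestricted" lands.
Write-Host "== Execution policy by scope =="
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. ConstrainedLanguage mode is a strong hint that AppLocker/WDAC is enforcing.
Write-Host "== Language mode: $($ExecutionContext.SessionState.LanguageMode)"

if (Test-Path -LiteralPath $ScriptPath) {
    # 3. Authenticode state of the file as written to disk. A trailing newline
    #    added while writing the file invalidates an embedded signature block
    #    (Status becomes HashMismatch rather than Valid).
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    Write-Host "== Signature status: $($sig.Status) ($($sig.StatusMessage))"

    # 4. Mark-of-the-Web: a Zone.Identifier stream tells the policy engine the
    #    file came from the internet; Unblock-File removes that stream.
    $zone = Get-Item -LiteralPath $ScriptPath -Stream Zone.Identifier `
        -ErrorAction SilentlyContinue
    if ($zone) {
        Write-Host "== Zone.Identifier stream present:"
        Get-Content -LiteralPath $ScriptPath -Stream Zone.Identifier
    } else {
        Write-Host "== No Zone.Identifier stream (Unblock-File would be a no-op)"
    }

    # 5. AppLocker: ask the effective policy whether this script path is
    #    allowed to run for Everyone (assumes the AppLocker module exists).
    if (Get-Command Test-AppLockerPolicy -ErrorAction SilentlyContinue) {
        Write-Host "== AppLocker decision for $ScriptPath =="
        Get-AppLockerPolicy -Effective |
            Test-AppLockerPolicy -Path $ScriptPath -User Everyone |
            Format-Table -AutoSize
    } else {
        Write-Host "== AppLocker cmdlets not available on this SKU"
    }
} else {
    Write-Host "Script path not found: $ScriptPath"
}
```

A "Denied" AppLocker decision or a MachinePolicy of AllSigned points at host policy rather than the module; a HashMismatch signature status points at how the file is written.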

github-actions[bot] commented 1 week ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue will be closed in 14 days if it continues to be inactive.