Install-ADOPSModule fails for signed packages on linux

[keklinke]

Hi Sebastian, I hope you're doing well! I don't expect this to get fixed (I think the bug may actually be in the underlying PowershellGet module), but figured I'd report it anyways to document it and just in case you were curious and wanted to investigate :)

We have the following in our build pipeline:

- pwsh: |
    Install-Module ADOPowershellGet -Force -Verbose
    Install-ADOPSModule azurefrontdoor/azurefrontdoor Azure.FrontDoor.EVXecutor -AccessToken $(System.AccessToken) -SkipPublisherCheck -Verbose -MinimumVersion 0.4.2

This used to work fine before we added a .signature.p7s file to the nuget package (to sign the package). But now that it's signed, when running this from a windows container on our build agent, it works fine. But when running from a linux container on our build agent, we get the following error for the second command:

Install-Package: /opt/microsoft/powershell/7/Modules/PowerShellGet/PSModule.psm1:9711
Line |
9711 |  … talledPackages = PackageManagement\Install-Package @PSBoundParameters
     |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Administrator rights are required to install or update. Log on
     | to the computer with an account that has Administrator rights,
     | and then try again, or install by adding "-Scope CurrentUser"
     | to your command. You can also try running the Windows
     | PowerShell session with elevated rights (Run as Administrator).

But here's where things get REALLY weird. If I add a -Debug flag to the Install-ADOPSModule cmdlet (which is really just a wrapper around Install-Module)... it works. Every time. Like this:

- pwsh: |
    Install-Module ADOPowershellGet -Force -Verbose
    Install-ADOPSModule azurefrontdoor/azurefrontdoor Azure.FrontDoor.EVXecutor -AccessToken $(System.AccessToken) -SkipPublisherCheck -Verbose -MinimumVersion 0.4.2 -Debug

I also tried calling the Install-ADOPSModule cmdlet twice in a row without the -Debug flag and it results in the second attempt "succeeding" too:

- pwsh: |
    Install-Module ADOPowershellGet -Force -Verbose
    Install-ADOPSModule azurefrontdoor/azurefrontdoor Azure.FrontDoor.EVXecutor -AccessToken $(System.AccessToken) -SkipPublisherCheck -Verbose -MinimumVersion 0.4.2
    # Second attempt to call this cmdlet succeeds
    Install-ADOPSModule azurefrontdoor/azurefrontdoor Azure.FrontDoor.EVXecutor -AccessToken $(System.AccessToken) -SkipPublisherCheck -Verbose -MinimumVersion 0.4.2

But digging more, it looks both of these methods (adding the debug flag and calling the cmdlet twice) both fail - the error is suppressed but the operation really fails because the module is never installed.

I think it's possible that it's related to https://github.com/PowerShell/PowerShellGetv2/issues/586, just because it's the same error message. Not sure if it's really the same root cause or not, but from that issue it sounds like the error messages returned from Install-Module can be quite misleading and will give that Administrator error even if it's something unrelated or if the user is already running as Administrator.

[Ansh688]

@keklinke Were you able to get a resolution for this issue? I am hitting the same issue in one of my builds.

[sagmor]

Is the certificate chain that signed the package trusted by the machine trying to install the package?

My hunch is that the machine is just rejecting the cert as it's not in the trust store.