Authenticode signature failure for v6.2.0 release

Open ralish opened this issue 3 months ago • 1 comments

The v6.2.0 release doesn't have an Authenticode signature which breaks install and update using PowerShellGet cmdlets:

PS C:\Windows\system32> Install-Module -Name DSInternals -Verbose
PackageManagement\Install-Package : The module 'DSInternals' cannot be installed or updated because the authenticode signature of the file 'DSInternals.cat' is not valid.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : InvalidAuthenticodeSignature,ValidateAndGet-AuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

I've verified this is the case by manually downloading the new release and inspecting the security catalogue in the .nupkg. The immediately prior release, v6.1.1, does have a valid signature on its security catalogue.

The error can be overridden using the -SkipPublisherCheck parameter, but that's obviously not ideal, particularly given previous releases did have a valid signature.

ralish avatar Dec 10 '25 07:12 ralish
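
The manual check described in the post above, as an added example (not part of the original issue and not the DSInternals project's code). It assumes the .nupkg has already been downloaded and extracted to a local folder; the function name `Test-ModuleCatalog` and the path in the usage comment are hypothetical.

```powershell
#Requires -Version 5.1
# Added example (Windows only): inspect a module's security catalog before
# deciding whether installing with -SkipPublisherCheck is acceptable.
function Test-ModuleCatalog {
    [CmdletBinding()]
    param(
        # Folder holding the extracted module files (supplied by the caller).
        [Parameter(Mandatory)] [string] $ModulePath,
        [string] $CatalogName = 'DSInternals.cat'
    )

    $catalog = Join-Path -Path $ModulePath -ChildPath $CatalogName
    if (-not (Test-Path -LiteralPath $catalog -PathType Leaf)) {
        throw "Catalog file not found: $catalog"
    }

    # 1. Is the catalog itself signed, and does that signature validate?
    $sig = Get-AuthenticodeSignature -LiteralPath $catalog

    # 2. Do the files on disk match the hashes recorded in the catalog?
    $check = Test-FileCatalog -CatalogFilePath $catalog -Path $ModulePath `
        -FilesToSkip $CatalogName -Detailed

    # Files that are missing from the catalog or whose hash differs.
    # Packaging files left over from the .nupkg (for example the .nuspec)
    # are expected here; anything else deserves a closer look.
    $suspect = foreach ($file in $check.PathItems.Keys) {
        if (-not $check.CatalogItems.ContainsKey($file) -or
            $check.CatalogItems[$file] -ne $check.PathItems[$file]) {
            $file
        }
    }

    [pscustomobject]@{
        SignatureStatus   = $sig.Status                 # e.g. Valid, NotSigned
        Signer            = $sig.SignerCertificate.Subject
        CatalogStatus     = $check.Status               # Valid or ValidationFailed
        UnlistedOrChanged = @($suspect)
    }
}

# Usage (hypothetical path):
# Test-ModuleCatalog -ModulePath 'C:\Temp\DSInternals.6.2.0'
```

Matching hashes against a catalog whose signature status is not `Valid` only shows that the package is internally consistent; it says nothing about who published it.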

Hi @ralish, I am aware of this issue and it is also stated in the release notes.

Here is some context: My previous code signing certificate expired in November and Sectigo no longer supports issuance to Azure Key Vault because of attestation requirements. I thus had to cancel the renewal request and switch to DigiCert. I have been stuck in their identity verification process for 6+ weeks, which is totally unexpected.

After some consideration, I decided to release the new version of the PowerShell module without the signature, as it contains a couple of bugfixes. I hope to get a new certificate soon, so that the next release can be properly signed again. The -SkipPublisherCheck parameter would still be unavoidable though, because of the CA change.

If the bugs fixed in v6.2.0 do not affect you, there is no need to upgrade from v6.1.1.

MichaelGrafnetter avatar Dec 11 '25 10:12 MichaelGrafnetter

Hi @MichaelGrafnetter, sorry for missing the release notes! It didn't occur to me this might be a known issue. Having had to acquire code-signing certificates several times I know first-hand how much of a pain it can be.

It might be worthwhile keeping this issue open until the certificate is issued and a new signed release published just to help with discoverability? Regardless, thanks for all the work you put into this excellent module.

ralish avatar Dec 15 '25 05:12 ralish