
Unexpected behavior of Set-SecureBootUEFI with the -ContentFilePath parameter

Open wmjdgla opened this issue 2 years ago • 1 comments

I'm using the following commands to add a new key to my Secure Boot db:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7

The first two commands succeed but Set-SecureBootUEFI unexpectedly produces the following prompt:

Supply values for the following parameters:
Name: 

Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation and is contrary to the behavior shown in example 2 where the command succeeds without any further prompt. I entered db, and then it prompted:

Time:  

Again this should have been obtained from FormattedContent.bin, and the behavior isn't documented anywhere.

When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeds immediately as expected:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7

The only difference between the two sets of commands is that the first outputs the formatted data to a file which is then supplied as a parameter to Set-SecureBootUEFI while the second outputs the formatted data to a PowerShell object which is then piped to Set-SecureBootUEFI. Functionally both are identical and it is puzzling why they have different behavior.



wmjdgla avatar Mar 25 '22 04:03 wmjdgla
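An added example (not the issue author's commands and not the docs' own example) of the file-based path with the prompted values passed explicitly, followed by a check that the certificate actually landed in the db variable. It assumes the same files as the issue (dbKey.cer, FormattedContent.bin, GeneratedFileToSign.bin.p7), an elevated PowerShell on a UEFI machine, and a hypothetical helper function named Test-SecureBootVariableContainsCert.

```powershell
# Added example: same flow as the issue, but Set-SecureBootUEFI is given -Name,
# -Time and -AppendWrite explicitly instead of being prompted for them.
$CurrentTime = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc `
    -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin `
    -SignableFilePath .\GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
# ... sign GeneratedFileToSign.bin with signtool exactly as in the issue ...

# Name, Time and AppendWrite are covered by the signature over the signable file,
# so they must match the Format-SecureBootUEFI call; passing them avoids the prompts.
Set-SecureBootUEFI -Name db -Time $CurrentTime -AppendWrite `
    -ContentFilePath .\FormattedContent.bin -SignedFilePath .\GeneratedFileToSign.bin.p7

# Hypothetical helper: walk the EFI_SIGNATURE_LIST entries of a Secure Boot
# variable and report whether an X.509 cert with the given thumbprint is present.
function Test-SecureBootVariableContainsCert {
    param([string]$Name, [string]$Thumbprint)
    $x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, ListSize, HeaderSize, SignatureSize
        $type       = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($type -eq $x509Guid -and $sigSize -gt 16) {
            $sigPos = $pos + 28 + $headerSize
            while ($sigPos + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER certificate
                $der  = [byte[]]$bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                if ($cert.Thumbprint -eq $Thumbprint) { return $true }
                $sigPos += $sigSize
            }
        }
        $pos += $listSize
    }
    return $false
}

$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path .\dbKey.cer).Path)
Test-SecureBootVariableContainsCert -Name db -Thumbprint $expected.Thumbprint
```

The helper returns $true only if a certificate with the same thumbprint as dbKey.cer is present in db, which confirms the write rather than relying on the cmdlet not raising an error.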

@e0i I believe this is also a doc issue because the 1st set of commands above corresponds to example 2 in the doc, but the actual behaviour of Set-SecureBootUEFI is different from what's shown in the example.

wmjdgla avatar May 19 '22 01:05 wmjdgla

This repository is for PowerShell core documentation. You seem to be looking for support, which we can't provide here.

I suggest you try posting your issue with context in one of the available community support forums.

scanum avatar Nov 07 '22 05:11 scanum