macOS pwsh binary for v7.4.4 is not code signed
### Prerequisites
- [X] Write a descriptive title.
- [X] Make sure you are able to repro it on the latest released version
- [X] Search the existing issues.
- [X] Refer to the FAQ.
- [X] Refer to Differences between Windows PowerShell 5.1 and PowerShell.
### Steps to reproduce
The pwsh binary for version 7.4.4, located at /usr/local/microsoft/powershell/7/pwsh (symlinked to /usr/local/bin/pwsh), is not code signed, although it was in previous releases, most recently 7.4.2.
This constitutes a security issue as there is no way to confirm pwsh has not been modified without a valid Microsoft application signature attached.
### Expected behavior
Running `codesign -dvv` on the 7.4.4 binary shows a proper certificate chain with Microsoft's signing authority and team identifier, as is displayed with the 7.4.2 release:
```console
➜ Payload codesign -dvv usr/local/microsoft/powershell/7/pwsh
Executable=/private/tmp/powershell-7.4.2-osx-arm64.pkg/powershell-7.4.2.pkg/Payload/usr/local/microsoft/powershell/7/pwsh
Identifier=apphost-55554944334c276ec52934338e28e21fac52c69a
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1044 flags=0x0(none) hashes=26+2 location=embedded
Signature size=9013
Authority=Developer ID Application: Microsoft Corporation (UBF8T346G9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 9, 2024 at 6:11:26 PM
Info.plist=not bound
TeamIdentifier=UBF8T346G9
Sealed Resources=none
Internal requirements count=1 size=208
```
### Actual behavior
Running `codesign -dvv` on the 7.4.4 binary shows an ad hoc signature with no way to validate integrity and confirm it is a genuine Microsoft release:
```console
➜ Payload codesign -dvv usr/local/microsoft/powershell/7/pwsh
Executable=/private/tmp/powershell-7.4.4-osx-arm64.pkg/powershell-7.4.4.pkg/Payload/usr/local/microsoft/powershell/7/pwsh
Identifier=apphost-55554944ebbb141c7c103d9ebac3a924d1f83baa
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1033 flags=0x2(adhoc) hashes=26+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
```
### Error details
_No response_
### Environment data
```powershell
Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Darwin 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:26:29 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_VM…
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
### Visuals
_No response_
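The difference between the two `codesign -dvv` outputs above is the whole security point: a Developer ID signature ties the binary to a team identifier through Apple's chain, while an ad hoc signature (`flags=0x2(adhoc)`, `Signature=adhoc`, `TeamIdentifier=not set`) only seals the file's own hashes and proves nothing about who built it. The following script is an added example, not code from the PowerShell project or from the issue author; it classifies `codesign -dvv` text into "signed by the expected team", "ad hoc", "other team" or "unsigned", so the check can run in CI or a deployment script. The expected team ID `UBF8T346G9` and the two sample outputs are copied from the issue; `classify_codesign`, `verify_binary` and the sample variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PowerShell project or the issue report:
# classify `codesign -dvv` output for a Mach-O binary and flag the ad hoc
# case reported in this issue. EXPECTED_TEAM and the two samples are taken
# from the issue's 7.4.2 / 7.4.4 output; function names are this example's own.

EXPECTED_TEAM="UBF8T346G9"

# `codesign -dvv` output for the properly signed 7.4.2 binary (from the issue).
SAMPLE_SIGNED='Identifier=apphost-55554944334c276ec52934338e28e21fac52c69a
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1044 flags=0x0(none) hashes=26+2 location=embedded
Signature size=9013
Authority=Developer ID Application: Microsoft Corporation (UBF8T346G9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=UBF8T346G9'

# `codesign -dvv` output for the ad hoc signed 7.4.4 binary (from the issue).
SAMPLE_ADHOC='Identifier=apphost-55554944ebbb141c7c103d9ebac3a924d1f83baa
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1033 flags=0x2(adhoc) hashes=26+2 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Reads `codesign -dvv` text on stdin, prints a verdict and returns:
#   0  Developer ID signature whose leaf certificate carries EXPECTED_TEAM
#   1  ad hoc signature: hashes only, no signing identity, origin unprovable
#   2  signed, but by a different team or with an unexpected chain
#   3  unsigned or unrecognised output
classify_codesign() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'not signed at all'; then
    echo "unsigned"; return 3
  fi
  if printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
    echo "adhoc"; return 1
  fi
  team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p')
  case "$team" in
    ""|"not set")
      echo "unsigned"; return 3 ;;
    "$EXPECTED_TEAM")
      # Require the Developer ID Application leaf to name the same team,
      # not just the TeamIdentifier line, before accepting the binary.
      if printf '%s\n' "$out" | grep -q "^Authority=Developer ID Application: .*($EXPECTED_TEAM)\$"; then
        echo "developer-id:$team"; return 0
      fi
      echo "unexpected-chain:$team"; return 2 ;;
    *)
      echo "unexpected-team:$team"; return 2 ;;
  esac
}

# On macOS: run codesign against a real path (default: the pwsh path from the
# issue) and classify the result. codesign writes to stderr, hence 2>&1.
verify_binary() {
  path="${1:-/usr/local/microsoft/powershell/7/pwsh}"
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 4; }
  # --strict rejects a signature whose seal no longer matches the file contents.
  codesign --verify --strict "$path" 2>/dev/null || echo "warning: signature seal does not verify"
  codesign -dvv "$path" 2>&1 | classify_codesign
}

# Usage on macOS:  . ./check_pwsh_sig.sh && verify_binary /usr/local/bin/pwsh
```

Because the classifier reads plain text, it can also be pointed at saved `codesign` output from another machine, and the non-zero return codes make it usable as a gate in a package-validation step.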
Following up on this.
This is also related to previous issue #23974.
This should be treated with higher priority now that macOS 15 is out and there are additional steps required to allow unsigned software to run.
I agree.
From: Henri Kovanen. Sent: Thursday, September 19, 2024 8:48:57 AM. To: PowerShell/PowerShell. Cc: Jan Parttimaa; Comment. Subject: Re: [PowerShell/PowerShell] macOS pwsh binary for v7.4.4 is not code signed (Issue #24088)