PowerShellGetv2 icon indicating copy to clipboard operation
PowerShellGetv2 copied to clipboard

Published 20 hours ago verified publisher icon PowerShell

Update-Module throws exception Authenticode issuer

Open Ghufz opened this issue 4 years ago • 6 comments

Steps to reproduce

Published the new version of PowerShell module on PowerShell gallery.

use the cmdlet 
Update-Module  to update the latest module while previous module is installed.

I have the  module Cisco.IMC module version 3.0.0.10 installed locally.

Now I want to update the module Cisco.IMC version 3.0.1.2

Update-Module -Name Cisco.IMC   

it throws exception Authenticode issuer mismatch.

Expected behavior

Update-Module should install the cmdlet without any exception since all the file are signed.

Actual behavior

Update-module throws exception

PackageManagement\Install-Package : Authenticode issuer 'CN="xyz, INC.", O="xyz, INC.", L=San Jose, S=California, C=US, SERIALNUMBER=C1183477, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US' of the new module 'Cisco.IMC' with version '3.0.1.2' from root certificate authority 'CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching with the authenticode issuer 'CN="xyz, INC.", O="CISCO SYSTEMS, INC.", L=San Jose, S=California, C=US' of the previously-installed module 'Cisco.IMC' with version '3.0.0.10' from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.
At C:\Users\user\Documents\PowerShell\Modules\PowerShellGet\2.2.5\PSModule.psm1:13069 char:20
+ ...           $sid = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (Microsoft.PowerShel\u2026lets.InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Environment data


Name                           Value
----                           -----
PSVersion                      6.2.3
PSEdition                      Core
GitCommitId                    6.2.3
OS                             Microsoft Windows 10.0.17134
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0




PS C:\BitBucket\powershell_sdk\PowerShellSDK_Testing\Sdk\intersight_powershell_sdk_v3_1.0.9.2687> get-module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   1.2.3.0    Microsoft.PowerShell.Archive        {Compress-Archive, Expand-Archive}
Manifest   6.1.0.0    Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-Item, Clear-ItemProperty…}
Manifest   6.1.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature…}
Manifest   6.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object…}
Manifest   6.1.0.0    Microsoft.WSMan.Management          {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, Enable-WSManCredSSP…}
Script     1.4.7      PackageManagement                   {Find-Package, Find-PackageProvider, Get-Package, Get-PackageProvider…}
Script     2.2.5      PowerShellGet                       {Find-Command, Find-DscResource, Find-Module, Find-RoleCapability…}
Script     2.0.0      PSReadLine                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler…}

Ghufz avatar Nov 19 '20 11:11 Ghufz

PSVersion 6.2.3

It is out support (or near the time). Please tests with latest PowerShell 7.1 release. Also the cmdlet is in PowerShellGet repository - please create new issue there.

iSazonov avatar Nov 19 '20 11:11 iSazonov

PowerShellGet requires the signature to be issued by the same certificate authority in order to update. Since Cisco has a new root CA it fails and you need to use the -SkipPublisherCheck switch to bypass it. I'd recommend moving this ticket over to https://github.com/PowerShell/PowerShellGet. As for getting past the error you need to run this command instead.

Install-Module -Name Cisco.IMC -Force -AcceptLicense -SkipPublisherCheck
GitHub
PowerShellGet is the package manager for PowerShell - PowerShell/PowerShellGet

ThomasNieto avatar Nov 19 '20 16:11 ThomasNieto

Thanks for your reply. The expected workaround is Install-Module -Name Cisco.IMC -Force -AcceptLicense -SkipPublisherCheck

My question is during the life cycle of single module it can happen that the CA may changes, and this issue will persists.

Ghufz avatar Nov 20 '20 04:11 Ghufz

This is still open. The update-module CMDLET does not allow us to specify a -skippublishercheck option. This Authenticode issue occurs on numerous modules (Vmware but also MS Graph!). Why can it not be addressed? It's very common for a developer of admin to want to update all modules ot the latest without messy workarounds to run install-module. Have I missed something here?

shockogit avatar Apr 11 '24 21:04 shockogit

@shockogit PowerShellGet is deprecated in favor of PSResourceGet. If you use that new module it doesn't have this issue as publisher checks aren't enabled by default.

ThomasNieto avatar Apr 11 '24 21:04 ThomasNieto

I see it at https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.psresourceget/?view=powershellget-3.x&viewFallbackFrom=powershellget-2.x. Thanks @ThomasNieto !

shockogit avatar Apr 11 '24 21:04 shockogit