
Install spacetimedb using powershell - blocked by group policy

Open markknol opened this issue 8 months ago • 8 comments

Hello, I'm trying to install spacetimedb because it looks super neat to me, but I run into this issue. I am in fact running iwr https://windows.spacetimedb.com -useb | iex using Administrator PowerShell. I have no idea why this is or how to resolve it. Any hint would be nice. Ideally I don't want to deal with docker / wsl if possible.

Downloading installer...
iex : Program 'spacetime-install.exe' failed to run: This program is blocked by group policy. For more information,
contact your system administratorAt line:25 char:5
+     & $Executable
+     ~~~~~~~~~~~~~.
At line:1 char:45
+ iwr https://windows.spacetimedb.com -useb | iex
+                                             ~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Invoke-Expression], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

markknol avatar Mar 18 '25 15:03 markknol

If you are on perhaps a school licensed Windows, you might have school-enabled GPOs active on your system. This is how you e.g. get your school account set up on your computer and integrate into the "education ecosystem". If your case is similar where you are on "loaner hardware" or connected to a domain (such as school or work), please talk to your administrator. It's common to block executing PowerShell scripts in a controlled environment.

If you are the local admin and truly don't understand how you have accidentally blocked your PowerShell, this article about Set-ExecutionPolicy might help you. Long story short, it's there to stop you from accidentally installing viruses from the internet by running a command such as iwr <some url> | iex, and encourages you to download the script and actually read what you are executing.

puttehi avatar Mar 18 '25 18:03 puttehi

(I don't understand why vendors keep pushing this horrible security practice to the masses when they release their technology)

puttehi avatar Mar 18 '25 18:03 puttehi
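
The download-then-read workflow recommended above, as an added example that is not part of the thread or of SpacetimeDB's installer: it saves the script from the URL in the issue to a file, reports the execution policy at each scope, and shows the script's hash, signature status and the lines most worth reviewing before asking whether to run it. The local file name and the review patterns are assumptions.

```powershell
# Added example (not from the thread): download, inspect, then decide.
$ErrorActionPreference = 'Stop'
$ScriptUrl  = 'https://windows.spacetimedb.com'   # URL from the issue
# Hypothetical local file name for the saved script.
$ScriptPath = Join-Path ([System.IO.Path]::GetTempPath()) 'spacetime-install.ps1'

# 1. Execution policy per scope. MachinePolicy and UserPolicy come from
#    Group Policy and override Process, CurrentUser and LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Save the script to disk instead of piping it to iex.
Invoke-WebRequest -Uri $ScriptUrl -UseBasicParsing -OutFile $ScriptPath

# 3. Identify exactly what was downloaded.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Path            = $ScriptPath
    SHA256          = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

# 4. Surface the lines that matter most in a review: remote URLs, downloads,
#    the call operator, and persistent environment changes (assumed patterns).
$patterns = 'https?://', 'Invoke-WebRequest', '^\s*&\s', 'Start-Process', 'SetEnvironmentVariable'
Select-String -Path $ScriptPath -Pattern $patterns |
    ForEach-Object { '{0,4}: {1}' -f $_.LineNumber, $_.Line.Trim() }

# 5. Read the whole script (paging needs a console host), then run it
#    only on explicit confirmation.
Get-Content -Path $ScriptPath | Out-Host -Paging
if ((Read-Host 'Run this script? (y/N)') -eq 'y') {
    & $ScriptPath
}
```

If the final step is refused, the table from step 1 shows which scope set the policy that applied.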

Go to Windows Settings > System > For developers > PowerShell and enable


ddjerqq avatar Mar 22 '25 14:03 ddjerqq

The checkmark is already enabled here. I'm not on a school laptop. I even did download the script, which seems to download spacetimedb-update-x86_64-pc-windows-msvc.exe and add something to PATH. Running this executable manually is somehow blocked, or when executed it doesn't seem to do much. I'll ask around if someone else also has the same issues.

markknol avatar Mar 24 '25 13:03 markknol

@markknol to clarify - is this your own laptop where you're the administrator, or is this a laptop issued/administered by some kind of organization? (work, school, etc.)

bfops avatar Mar 31 '25 18:03 bfops

I am having the same issue. I am on my personal desktop,


BenCoden avatar Apr 10 '25 01:04 BenCoden

I made a few changes to the PowerShell script. I'm not sure which change made it all work. Sorry, could not get the format right.

Param(
    [Parameter(Mandatory=$false)]
    [Switch]$Nightly
)

function UpdatePathIfNotExists {
    param (
        [string]$DirectoryToAdd
    )

    # Append the directory to the per-user Path only if it is not already there.
    $currentPath = [Environment]::GetEnvironmentVariable("Path", "User")
    if (-not $currentPath.Contains($DirectoryToAdd)) {
        [Environment]::SetEnvironmentVariable("Path", $currentPath + ";" + $DirectoryToAdd, "User")
    }
}

function Install {
    $ErrorActionPreference = 'Stop'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $DownloadUrl = "https://github.com/clockworklabs/SpacetimeDB/releases/download/v1.0.0/spacetimedb-update-x86_64-pc-windows-msvc.exe"
    Write-Output "Downloading installer..."

    Write-Output (Join-Path ([System.IO.Path]::GetTempPath()) "spacetime-install.exe")
    $Executable = (Join-Path ([System.IO.Path]::GetTempPath()) "spacetime-install.exe")
    Invoke-WebRequest $DownloadUrl -OutFile $Executable

    # Bare expression: writes the path to the output stream (no call operator, so nothing is launched here).
    $Executable

    # TODO: do this in spacetimedb-update
    $InstallDir = Join-Path ([Environment]::GetFolderPath("LocalApplicationData")) "SpacetimeDB"
    UpdatePathIfNotExists $InstallDir

    Write-Output "We have added SpacetimeDB to your Path. You may have to log out and log back in to reload your environment."
}

Install

BenCoden avatar Apr 10 '25 02:04 BenCoden

Thank you! We'll try to reproduce the issue and work on incorporating this fix.

bfops avatar Apr 10 '25 16:04 bfops

Assigning @rekhoff. It looks like there are some changes suggested above that might just fix this.

If this takes a while to investigate/fix, let's re-evaluate.

bfops avatar May 05 '25 19:05 bfops

@BenCoden Thanks for the updated PowerShell script.

I'm having issues reproducing the problem, so I took a look at your changes to see if anything pointed at something that could impact Group Policy or the PowerShell Execution Policy on a system.

The key changes I see are:

  • Extracting UpdatePathIfNotExists out to be outside the Install function.
  • Updating the Download URL to target v1.0.0 rather than latest.
  • Printing the executable's install path during install.
  • Removing the -UseBasicParsing parameter on the web request invocation. (This is only really relevant pre-PowerShell 6.0.0, and will be ignored on newer versions)

None of these should really have any impact on the execution policy of PowerShell, so it's also unclear what would have made that work. In general the other comments about how to enable execution of PowerShell are accurate.

@bfops Short of signing this PowerShell script, the contents of a PowerShell script shouldn't make a tangible difference on whether a machine's Execution Policy allows PowerShell to be run from the internet.

rekhoff avatar May 09 '25 23:05 rekhoff

I'm unsure how much work it would be to sign the scripts, but it sounds like this might be a default restriction on Windows machines? Unclear.

I think this would fix it in principle but essentially relaxes security settings for users:

Set-ExecutionPolicy Unrestricted -Scope LocalMachine

bfops avatar May 20 '25 21:05 bfops

> I'm unsure how much work it would be to sign the scripts, but it sounds like this might be a default restriction on Windows machines? Unclear.

This would require obtaining a Code Signing Certificate. Once obtained and set up on a system, that system can sign the PowerShell script. This will add the signature to the file, which is checked before execution.

This would allow the code to be run with an ExecutionPolicy level of RemoteSigned.

rekhoff avatar May 20 '25 21:05 rekhoff
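
The signing step described above, as an added example rather than the project's release process: it picks a code-signing certificate from the current user's store, signs a script with Set-AuthenticodeSignature, and checks the result the way a client would. The script path, the optional timestamp server variable and the choice of certificate store are assumptions.

```powershell
# Added example (not the project's own tooling): sign and verify a script.
$ErrorActionPreference = 'Stop'
$ScriptPath      = '.\install.ps1'  # hypothetical script to sign
$TimestampServer = $null            # optional: your CA's timestamp server URL

# Pick an unexpired code-signing certificate that has its private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No usable code-signing certificate in Cert:\CurrentUser\My.'
}

# Sign. The signature is appended to the script as a comment block.
$signArgs = @{
    FilePath      = $ScriptPath
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
    IncludeChain  = 'NotRoot'
}
if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
$signed = Set-AuthenticodeSignature @signArgs
"Signing status: $($signed.Status) ($($signed.StatusMessage))"

# Verify as a client would. A 'Valid' status requires the certificate to
# chain to a root trusted on the verifying machine.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Status      = $check.Status
    Signer      = $check.SignerCertificate.Subject
    Thumbprint  = $check.SignerCertificate.Thumbprint
    Timestamped = [bool]$check.TimeStamperCertificate
} | Format-List

# Editing the signed content invalidates the signature: change a copy and re-check.
$copy = Join-Path ([System.IO.Path]::GetTempPath()) 'install-modified.ps1'
@('# edited after signing') + (Get-Content -Path $ScriptPath) | Set-Content -Path $copy
"Modified copy status: $((Get-AuthenticodeSignature -FilePath $copy).Status)"
```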