Choco: PowerShell sees authenticode hash as changed in scripts that were signed with Unix Line Endings (`LF`) - unable to use `AllSigned`

Created on 17 Mar 2017  路  16Comments  路  Source: chocolatey/choco

What You Are Seeing?

Lots of security hash errors when I Install Chocolatey
"because the hash of the file does not match the hash stored in the digital signature"
Fresh install. Chocolatey installs but is not fully functional.

What is Expected?

A fresh functional Chocolatey

How Did You Get This To Happen? (Steps to Reproduce)

Install as per Website:
Admin Powershell. ExecutionPolicy AllSigned
iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex -Verbose -Debug
Typed [A] for Always run from RealDimensions

Output Log

PS C:\WINDOWS\system32> iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex -Verbose -Debug

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       17/03/2017   2:09 PM                chocInstall
Getting latest version of the Chocolatey package for download.
Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.3.
Downloading 7-Zip commandline tool prior to extraction.
Extracting C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\natha\AppData\Local\Temp\
chocolatey\chocInstall...
Installing chocolatey on this machine
. : File
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Format-FileSize.ps1
cannot be loaded. The contents of file
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Format-FileSize.ps1
might have been changed by an unauthorized user or process, because the hash of the file does not match the hash
stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help
about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Get-Uninsta
llRegistryKey.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools
\chocolateyInstall\helpers\functions\Get-UninstallRegistryKey.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-PowerSh
ellExitCode.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\c
hocolateyInstall\helpers\functions\Set-PowerShellExitCode.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Uninstall-C
hocolateyEnvironmentVariable.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\ch
ocInstall\tools\chocolateyInstall\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 might have been
changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital
signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Write-Funct
ionCallLogMessage.ps1 cannot be loaded. The contents of file C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\t
ools\chocolateyInstall\helpers\functions\Write-FunctionCallLogMessage.ps1 might have been changed by an unauthorized
user or process, because the hash of the file does not match the hash stored in the digital signature. The script
cannot run on the specified system. For more information, run Get-Help about_Signing..
At
C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1:41
char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Set-EnvironmentVariable : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:111 char:9
+         Set-EnvironmentVariable -Name $variableName -Value $variableV ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [Set-EnvironmentVariable], Command
   NotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,Set-EnvironmentVariable

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-EnvironmentVa
riable.ps1:64 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Creating ChocolateyInstall as an environment variable (targeting 'Machine')
  Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
  before you can use choco.
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Install-Chocolate
yEnvironmentVariable.ps1:96 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Set-EnvironmentVa
riable.ps1:64 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Update-SessionEnv
ironment.ps1:48 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Restricting write permissions to Administrators
We are setting up the Chocolatey package repository.
The packages themselves go to 'C:\ProgramData\chocolatey\lib'
  (i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'
  and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.

Creating Chocolatey folders if they do not already exist.

WARNING: You can safely ignore errors related to missing log files when
  upgrading from a version of Chocolatey less than 0.9.9.
  'Batch file could not be found' is also safe to ignore.
  'The system cannot find the file specified' - also safe.
chocolatey.nupkg file not installed in lib.
 Attempting to locate it from bootstrapper.
Write-FunctionCallLogMessage : The term 'Write-FunctionCallLogMessage' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\natha\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\functions\Update-SessionEnv
ironment.ps1:48 char:3
+   Write-FunctionCallLogMessage -Invocation $MyInvocation -Parameters  ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Write-FunctionCallLogMessage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

. : File C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1 cannot be loaded. The contents of file
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1 might have been changed by an unauthorized user or
process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run
on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1 cannot be loaded. The contents of
file C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1 might have been changed by an
unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.
The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1 cannot be loaded. The contents of file
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1 might have been changed by an unauthorized user
or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot
run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 cannot be loaded. The
contents of file C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1 might have
been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the
digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
. : File C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1 cannot be loaded. The contents
of file C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1 might have been changed by an
unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.
The script cannot run on the specified system. For more information, run Get-Help about_Signing..
At C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1:41 char:6
+       . $_.FullName;
+         ~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
WARNING: Not setting tab completion: Profile file does not exist at
'C:\Users\natha\OneDrive\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
Chocolatey (choco.exe) is now ready.
You can call choco from anywhere, command line or powershell by typing choco.
Run choco /? for a list of functions.
You may need to shut down and restart powershell and/or consoles
 first prior to using choco.
Ensuring chocolatey commands are on the path
Ensuring chocolatey.nupkg is in the lib folder


PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.953
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.953
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\WINDOWS\system32> [System.Environment]::OSVersion

Platform ServicePack Version      VersionString
-------- ----------- -------      -------------
 Win32NT             10.0.14393.0 Microsoft Windows NT 10.0.14393.0


PS C:\WINDOWS\system32> Get-ExecutionPolicy
AllSigned
PS C:\WINDOWS\system32> Get-ChildItem Cert:\CurrentUser\TrustedPublisher\ | sls RealDimensions

[Subject]
  CN="RealDimensions Software, LLC", O="RealDimensions Software, LLC", L=Topeka, S=Kansas, C=US

[Issuer]
  CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

[Serial Number]
  077466EDA2676F3AEC9217D230537110

[Not Before]
  24/03/2016 11:00:00 AM

[Not After]
  28/03/2017 11:00:00 PM

[Thumbprint]
  C9F7FD1A91F078DB6BFCFCCE28B9749F8F2A0C38


PS C:\WINDOWS\system32> choco upgrade chocolately
Chocolatey v0.10.3
Upgrading the following packages:
chocolately
By upgrading you accept licenses for the packages.
chocolately is not installed. Installing...
chocolately not installed. The package was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but t
he version does not.
 Version: ""
 Source(s): "https://chocolatey.org/api/v2/"

Chocolatey upgraded 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures
 - chocolately - chocolately not installed. The package was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but t
he version does not.
 Version: ""
 Source(s): "https://chocolatey.org/api/v2/"
3 - Done Bug Priority_HIGH Security
Source
picture delurker

All 16 comments

You know, I wonder if this has something to do with packing and unpacking the file. Since it is packaged as a nupkg, when it is unpacked with Choco / NuGet, it probably does something additional during decompression that maybe just simply running 7zip does not (which is done with first install). Give me a little more time to dive in on this.

ferventcoder picture ferventcoder on 17 Mar 2017

I'm seeing this same issue - currently not yet sure exactly what is causing it. It shows the signature valid when you run Get-AuthenticodeSignature, but for some reason it sees the file as changed. I wonder if there is some limitation in file format.

ferventcoder picture ferventcoder on 17 Mar 2017

@delurker Okay, I see the problem. It's a bug in PowerShell. The line endings are mixed when the file gets signed. If the PowerShell file had LF line endings like the ones showing issues, it errors saying the hash changed. If the file had CRLF line endings prior to signature, all is well.

image

ferventcoder picture ferventcoder on 17 Mar 2017
👍1

@delurker I filed https://github.com/PowerShell/PowerShell/issues/3361 after asking the PowerShell folks about this issue.

ferventcoder picture ferventcoder on 17 Mar 2017

@delurker we are able to move it all over to CRLF, so I will make that adjustment for 0.10.4.

ferventcoder picture ferventcoder on 17 Mar 2017

@delurker can I ask what version of POSH you are running?

ferventcoder picture ferventcoder on 17 Mar 2017

@ferventcoder
~~~sh
PS C:WINDOWSsystem32> $PSVersionTable

Name Value
---- -----
PSVersion 5.1.14393.953
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.953
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
~~~

delurker picture delurker on 17 Mar 2017
👍1

@delurker Thanks! Just wanted to validate it is an issue across all versions of PowerShell.

ferventcoder picture ferventcoder on 18 Mar 2017

This is fixed for 0.10.4

ferventcoder picture ferventcoder on 22 Mar 2017

@delurker thanks for reporting that issue. Not only will that help Chocolatey, but it looks like the PowerShell folks are looking to fix the behavior as well!

ferventcoder picture ferventcoder on 22 Mar 2017

When do you expect version 0.10.4 would be deployed with https://chocolatey.org/install.ps1 ?? I just tried to install and got the issue mentioned... Thanks!

luferogo picture luferogo on 30 Mar 2017

Soon...

ferventcoder picture ferventcoder on 30 Mar 2017

@luferogo to give you a better answer, we just closed the final known issue for the milestone about 30 minutes ago - https://github.com/chocolatey/choco/issues?q=is%3Aopen+is%3Aissue+milestone%3A0.10.4

You can always get a sense of when a release will occur by going to issues, clicking on Milestones, and selecting the milestone you are interested in. HTH

ferventcoder picture ferventcoder on 30 Mar 2017
👍1

Okay, I'm thinking there is more to this than just line endings. Packing and unpacking the file may have something to do here as well. Or it could be the UTF8 with no BOM.

ferventcoder picture ferventcoder on 31 Mar 2017

Wow... so this was fixed for 0.10.4, but then I updated the copyright in #1209 . Which added a unicode copyright symbol. And these are UTF8 (w/no BOM). So back to broken again.

If I convert the file to be UTF8 w/BOM, then sign. It works.

ferventcoder picture ferventcoder on 31 Mar 2017

I filed a followup with https://github.com/chocolatey/choco/issues/1225

ferventcoder picture ferventcoder on 31 Mar 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

boskowski picture boskowski  路  3Comments
morochena picture morochena  路  5Comments
runxctry picture runxctry  路  4Comments
xmha97 picture xmha97  路  4Comments
bc3tech picture bc3tech  路  5Comments