Powershell: Running Authenticode-signed script under AllSigned fails when script has `LF` line endings

Created on 17 Mar 2017 · 10 Comments · Source: PowerShell/PowerShell

Related to #1195 / Found with https://github.com/chocolatey/choco/issues/1203

You are likely to see this more now that PowerShell is cross platform. We just had an issue filed about attempting to run scripts with execution policy "AllSigned". Upon researching this, we were able to determine that any scripts that were UTF-8 / CRLF would load just fine. However, any scripts that were UTF-8 / LF would error, saying 'filename "may have been tampered because the hash of the file does not match the hash stored in the digital signature."'

I have not yet had a chance to check this with the new versions of PowerShell, but I did check it against PowerShell v3 and v4 (so far). After talking to @lzybkr and @vors (https://gitter.im/PowerShell/PowerShell?at=58cc405c6d7eb18404dbca07), they said to follow up with an issue as they have not had a report of this anywhere.

Steps to reproduce

  1. Create a script with LF line endings. Save it as FileSignedWithUnixLineEndings.ps1
  2. Authenticode sign the script.
  3. Open the script and note that it now has LF in the script code and CRLF in the authenticode signature (Mixed mode line endings).
  4. Check to be sure the signature is valid. Get-AuthenticodeSignature .\FileSignedWithUnixLineEndings.ps1
  5. Change execution policy to all signed. Set-ExecutionPolicy AllSigned
  6. Attempt to run the script. .\FileSignedWithUnixLineEndings.ps1

Expected behavior

It should run the script as it has not been modified since it was signed.

Actual behavior

It thinks the file has been modified:

```powershell
.\FileSignedWithUnixLineEndings.ps1 : File FileSignedWithUnixLineEndings.ps1 cannot be
loaded. The contents of file FileSignedWithUnixLineEndings.ps1 may have been tampered
because the hash of the file does not match the hash stored in the digital signature. The
script will not execute on the system. Please see "get-help about_signing" for more
details..
At line:1 char:1
+ .\FileSignedWithUnixLineEndings.ps1
+ ~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
```
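A pre-signing check for the two failure modes described in this issue (LF-only line endings, and BOM-less UTF-8 containing non-ASCII characters), as an added example that is not part of the issue or of the PowerShell project. The function name, the `-Fix` switch and the choice to normalise to CRLF with a UTF-8 BOM are this example's own assumptions; run it before `Set-AuthenticodeSignature`, since rewriting an already-signed file invalidates its signature.

```powershell
# Added example; helper name and CRLF + BOM normalisation are assumptions, not PowerShell project code.
function Test-ScriptSigningReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Fix   # when set, rewrite the file as CRLF / UTF-8 with BOM (run BEFORE signing)
    )

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF

    # Count LF bytes not preceded by CR: these are the Unix-style line endings the thread reports failing.
    $bareLf = 0
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0x0A -and ($i -eq 0 -or $bytes[$i - 1] -ne 0x0D)) { $bareLf++ }
    }

    # Bytes above 0x7F are non-ASCII content; without a BOM their encoding is ambiguous to the verifier.
    $bomBytes = if ($hasBom) { 3 } else { 0 }
    $nonAscii = @($bytes | Where-Object { $_ -gt 0x7F }).Count - $bomBytes

    $problems = @()
    if ($bareLf -gt 0)                     { $problems += "LF-only line endings ($bareLf)" }
    if (-not $hasBom -and $nonAscii -gt 0) { $problems += "non-ASCII bytes ($nonAscii) without UTF-8 BOM" }

    if ($Fix -and $problems.Count -gt 0) {
        # Decode after the BOM (GetString would otherwise keep U+FEFF as text), normalise every
        # line ending to CRLF and write back as UTF-8 with BOM, so the signed and verified bytes agree.
        $text = [System.Text.Encoding]::UTF8.GetString($bytes, $bomBytes, $bytes.Length - $bomBytes)
        $text = $text -replace '\r?\n', "`r`n"
        [System.IO.File]::WriteAllText($Path, $text, (New-Object System.Text.UTF8Encoding $true))
    }

    [pscustomobject]@{
        Path        = $Path
        HasBom      = $hasBom
        BareLf      = $bareLf
        NonAscii    = $nonAscii
        ReadyToSign = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
        Fixed       = [bool]($Fix -and $problems.Count -gt 0)
    }
}

# Usage: lint every script in a folder, fix the ones that need it, then sign only what passed.
# Get-ChildItem .\*.ps1 | ForEach-Object { Test-ScriptSigningReadiness $_.FullName -Fix } |
#     Where-Object { $_.ReadyToSign -or $_.Fixed } |
#     ForEach-Object { Set-AuthenticodeSignature -Certificate $cert $_.Path }
```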

Area-Cmdlets Issue-Bug OS-Windows Resolution-Answered

All 10 comments

To be clear, this was all when running on Windows.

@SteveL-MSFT @joeyaiello It seems we should definitely fix this in Beta.

It gets better. :/

If the file is UTF8 with no BOM but contains a unicode character, it also fails.

If #3466 overlaps the Issue please close the Issue.

Not able to repro this with alpha.18 on Win10 Creators Update. Here I have a simple script. I show it only has an LF. I sign it. Changed the execution policy. And it successfully ran. I show that the script portion has LF and the signature has CRLF (unfortunately, we can't control this aspect as we're calling a Win32 API to sign the file and there's no option for line endings).

~~~powershell
PS C:\Users\slee\test> .\script_lf.ps1
hello
PS C:\Users\slee\test> Format-Hex .\script_lf.ps1

           Path: C:\Users\slee\test\script_lf.ps1

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   77 72 69 74 65 2D 68 6F 73 74 20 22 68 65 6C 6C  write-host "hell
00000010   6F 22 0A                                         o".

PS C:\Users\slee\test> Set-AuthenticodeSignature -Certificate $cert .\script_lf.ps1

    Directory: C:\Users\slee\test

SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
E761F5ACD89D25CBFED6D07BDD3117E27F9E4538  Valid                                  script_lf.ps1

PS C:\Users\slee\test> Set-ExecutionPolicy AllSigned -Scope CurrentUser
PS C:\Users\slee\test> .\script_lf.ps1
hello
PS C:\Users\slee\test> Get-AuthenticodeSignature .\script_lf.ps1

    Directory: C:\Users\slee\test

SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
E761F5ACD89D25CBFED6D07BDD3117E27F9E4538  Valid                                  script_lf.ps1

PS C:\Users\slee\test> Format-Hex .\script_lf.ps1

           Path: C:\Users\slee\test\script_lf.ps1

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   77 72 69 74 65 2D 68 6F 73 74 20 22 68 65 6C 6C  write-host "hell
00000010   6F 22 0A 0D 0A 23 20 53 49 47 20 23 20 42 65 67  o"...# SIG # Beg
00000020   69 6E 20 73 69 67 6E 61 74 75 72 65 20 62 6C 6F  in signature blo
00000030   63 6B 0D 0A 23 20 4D 49 49 45 4D 77 59 4A 4B 6F  ck..# MIIEMwYJKo
00000040   5A 49 68 76 63 4E 41 51 63 43 6F 49 49 45 4A 44  ZIhvcNAQcCoIIEJD
00000050   43 43 42 43 41 43 41 51 45 78 43 7A 41 4A 42 67  CCBCACAQExCzAJBg
00000060   55 72 44 67 4D 43 47 67 55 41 4D 47 6B 47 43 69  UrDgMCGgUAMGkGCi
00000070   73 47 41 51 51 42 0D 0A 23 20 67 6A 63 43 41 51  sGAQQB..# gjcCAQ
~~~

Sweet!

@ferventcoder can you confirm it works for you with alpha.18 and we can close this?

.Net Core 2.0 works wonders?

@iSazonov no, alpha.18 doesn't have .NET Core 2.0 yet. It'll be there in the next release.
