We've set up a TFS package repository for hosting internally developed PS 5.1 modules. Before publishing, we sign these POSH modules using the GoDaddy code signing certificate. All was working fine until this morning, when we started getting the error mentioned below on
Install-Module -Name DeploymentHelpers -RequiredVersion 0.2.0 -Repository 'CI' -Force
I'm positive that nothing has been changed from the application development side or the cert.
This is the error we are getting:
PackageManagement\Install-Package : Authenticode issuer 'System.Object[]' of the new module 'DeploymentHelpers' with version '0.2.0' is not matching with the authenticode issuer 'System.Object[]' of the previously-installed module 'DeploymentHelpers' with version '0.2.0'. If you still want to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
I'm on Windows 2012 R2 and TFS 2017.1
Also, here are the CI repo details:
Register-PSRepository `
-Name CI `
-SourceLocation "http://tfs:8080/tfs/Projects/_packaging/CI/nuget/v2" `
-PublishLocation 'http://tfs:8080/tfs/Projects/_packaging/CI/nuget/v2' `
-PackageManagementProvider Nuget `
-InstallationPolicy Trusted
Any thoughts?
Authenticode issuer 'System.Object[]' of the new module 'DeploymentHelpers' with version '0.2.0' is not matching with the authenticode issuer 'System.Object[]' of the previously-installed module 'DeploymentHelpers' with version '0.2.0'.
This is a known issue which exists in PowerShellGet v1.0.0.1. You can follow the file path to check the source validation script: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1.
Firstly, please focus on the function Get-AuthenticodePublisher. This is the first function which is used to get and validate the SignerCertificate of the module. You can analyze its script. Expressed in one sentence, its logic is that it walks up the certificate chain. This means that you are now being treated as the "same" publisher by PowerShellGet because the signing certificate you provided is the same as the one in the chain of the cert which is being checked.
Now, there are 3 solutions you can refer to.
1. Use -SkipPublisherCheck. With this parameter, it can proactively ignore the certificate verification step. Thus, the error will disappear.
2. Modify PSModule.psm1 by adding the script Select-Object -First 1 into the function Get-AuthenticodePublisher. As I mentioned previously, this is caused by the same certificates. Now, using Select-Object can just pick up the first one.
3. Update the PowerShellGet version to the latest, since this logic issue has been fixed from PowerShellGet v2.1.4: Module publisher verification.
Note: if you choose the third one, you need to pay attention to the requirements for the latest PowerShellGet version:
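A read-only check to run before choosing one of the three options in the answer above, added here as an example (not code from PowerShellGet or from either poster): it walks the signing certificate chain of a module's files, as the answer describes, and reports for each chain element how many distinct trusted-root certificates share its subject. The function name `Get-SignerChainReport`, the store list, and the premise that more than one match is what yields an array-valued issuer are assumptions.

```powershell
# Added diagnostic, not PowerShellGet source. The store list is an assumption.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'

function Get-SignerChainReport {
    param([Parameter(Mandatory = $true)][string]$ModuleBase)

    # Signed module artifacts: manifest, script modules and catalog files.
    $files = Get-ChildItem -Path $ModuleBase -Recurse -File -Include *.psd1, *.psm1, *.cat
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if (-not $sig.SignerCertificate) {
            # Unsigned file: report its status and move on.
            [pscustomobject]@{
                File = $file.Name; Status = $sig.Status; Subject = $null
                Thumbprint = $null; StoreEntries = 0; DistinctCerts = 0
            }
            continue
        }
        # Walk the chain from the signing certificate up to the root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($sig.SignerCertificate)
        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            # Trusted-root entries whose subject equals this chain element's subject.
            $hits = @(Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
                      Where-Object { $_.Subject -eq $cert.Subject })
            # The same certificate can show up in several stores, so count thumbprints.
            $distinct = @($hits | Select-Object -ExpandProperty Thumbprint -Unique)
            [pscustomobject]@{
                File          = $file.Name
                Status        = $sig.Status
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                StoreEntries  = $hits.Count
                DistinctCerts = $distinct.Count   # more than 1: same subject, different certs
            }
        }
    }
}

# Module name and version are the ones from the question.
$installed = Get-Module -ListAvailable -Name 'DeploymentHelpers' |
    Where-Object { $_.Version -eq [version]'0.2.0' } | Select-Object -First 1
Get-SignerChainReport -ModuleBase $installed.ModuleBase | Format-Table -AutoSize
```

Pointing the same function at an unpacked copy of the package from the repository lets you compare the signer thumbprints of the new build with the installed one.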