
Error: Install-Package Authenticode issuer in PowerShell module


We've set up a TFS package repository for hosting internally developed PS 5.1 modules. Before publishing, we sign these POSH modules using the GoDaddy code signing certificate. All was working fine until this morning, when we started getting the below-mentioned error on

Install-Module -Name DeploymentHelpers -RequiredVersion 0.2.0 -Repository 'CI' -Force

I'm positive that nothing has been changed from the application development side or the cert.

This is the error we are getting:

PackageManagement\Install-Package : Authenticode issuer 'System.Object[]' of the new module 'DeploymentHelpers' with version '0.2.0' is not matching with the authenticode issuer 'System.Object[]' of the previously-installed module 'DeploymentHelpers' with version '0.2.0'. If you still want to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ...           $null = PackageManagement\Install-Package @PSBoundParameters
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

I'm on Windows 2012 R2 and TFS 2017.1

Also, here are the CI repo details:

Register-PSRepository `
    -Name CI `
    -SourceLocation "http://tfs:8080/tfs/Projects/_packaging/CI/nuget/v2" `
    -PublishLocation 'http://tfs:8080/tfs/Projects/_packaging/CI/nuget/v2' `
    -PackageManagementProvider Nuget `
    -InstallationPolicy Trusted

Any thoughts?


Solution

  • Authenticode issuer 'System.Object[]' of the new module 'DeploymentHelpers' with version '0.2.0' is not matching with the authenticode issuer 'System.Object[]' of the previously-installed module 'DeploymentHelpers' with version '0.2.0'.

    This is a known issue which exists in PowerShellGet v1.0.0.1. You can follow the file path to check the source validation script: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1.

    Firstly, please focus on the function Get-AuthenticodePublisher. This is the first function which is used to get and validate the SignerCertificate of the module. You can analyze its script. Expressed in one sentence, its logic is that it walks up the certificate chain. This means that, now, you have been treated as the "same" publisher by PowerShellGet because the signing certificate you provided is the same as the one in the chain of the cert which is being checked.

    Now, there are 3 solutions you can refer to.

    • The first one is to add the parameter shown in the error message: -SkipPublisherCheck. With this parameter, it can proactively ignore the certificate verification step. Thus, the error will disappear.
    • The second solution is to modify the file PSModule.psm1 by adding the script Select-Object -First 1 into the function Get-AuthenticodePublisher. As I mentioned previously, the treatment is caused by the same certificates. Now, using Select-Object can just pick up the first one.
    • The last solution is that you'd better upgrade the PowerShellGet version to the latest, since this logic issue has been fixed from PowerShellGet v2.1.4: Module publisher verification.

    Note: if you choose the third one, you need to pay attention to the requirements for the latest PowerShellGet version:

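To see which signing certificates are actually involved before choosing among the options above, the signer chain of the installed copy can be compared with a staged copy from the repository. This is an added example, not part of the original answer and not PowerShellGet's own code; the helper names and the staging path are hypothetical, and it assumes the module's .psd1 manifest is one of the signed files.

```powershell
function Get-SignerChainSubject {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is $($sig.Status): $($sig.StatusMessage)"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        [void]$chain.Build($sig.SignerCertificate)
        # ChainElements runs leaf first, root last.
        $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    } finally {
        $chain.Reset()
    }
    [pscustomobject]@{
        Path       = $Path
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Leaf       = $subjects[0]
        Root       = $subjects[-1]
        Chain      = $subjects
    }
}

function Compare-ModuleSigner {
    param(
        [Parameter(Mandatory)][string]$InstalledManifest,
        [Parameter(Mandatory)][string]$CandidateManifest
    )
    $old = Get-SignerChainSubject -Path $InstalledManifest
    $new = Get-SignerChainSubject -Path $CandidateManifest
    [pscustomobject]@{
        SameLeafSubject = $old.Leaf -eq $new.Leaf
        SameRootSubject = $old.Root -eq $new.Root
        SameThumbprint  = $old.Thumbprint -eq $new.Thumbprint
        Installed       = $old
        Candidate       = $new
    }
}

# Stage the repository copy without installing it, then compare the two manifests.
$staging = Join-Path $env:TEMP 'ModuleSignerCheck'   # hypothetical staging path
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Save-Module -Name DeploymentHelpers -RequiredVersion 0.2.0 -Repository CI -Path $staging

$installed = Get-Module -ListAvailable -Name DeploymentHelpers |
    Where-Object { $_.Version -eq [version]'0.2.0' } | Select-Object -First 1
Compare-ModuleSigner `
    -InstalledManifest (Join-Path $installed.ModuleBase 'DeploymentHelpers.psd1') `
    -CandidateManifest (Join-Path $staging 'DeploymentHelpers\0.2.0\DeploymentHelpers.psd1')
```

If the thumbprints and subjects match, the two copies were signed with the same certificate; a difference shows up in the `Installed` and `Candidate` chain listings.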