Comments (15)
I'm not blaming you guys, don't feel attacked.
🙂 Similarly, any comments below are not meant as a personal attack, just interested in the topic.
When I see a certificate like that as a security engineer, I could think it's a self signed cert of a threat actor, and block it using WDAC. I'm not blaming you guys, don't feel attacked.
You could, but it's not how the process works. A self-signed certificate has the same subject and issuer. Our certificate is issued after strict identity verification by a reputable certificate authority included in Microsoft's trusted root program. It's trusted just the same as github.com's certificate. As long as the subject (publisher) is who you expect for the software, something we've verified here, there's nothing wrong.
If we used a self-signed certificate you would get errors like this because the certificate chain did not start from a trusted root certificate in your certificate store:
Install-Module pester -Repository demo -Scope CurrentUser -Force
PackageManagement\Install-Package : The module 'Pester' cannot be installed or updated because the authenticode signature of the file 'Pester.psd1' is not valid.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : InvalidAuthenticodeSignature,ValidateAndGet-AuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
# or during import with AllSigned execution policy:
C:\Temp\5.5.0\Pester.Format.ps1xml: The file was skipped because of the following validation exception: File C:\Temp\5.5.0\Pester.Format.ps1xml cannot be loaded. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
In my environment I already blocked this certificate and the module until it gets improved
That's your choice and absolutely fine, but I wouldn't expect any changes in the near future.
For now you can review, build and deploy the code unsigned if you need. You could even re-sign it with an internal certificate as part of a security review process. I wouldn't recommend adding the complexity just because you or your company prefer vague organization names like "DOTPDN LLC" (Paint.Net) over the name of a personally identifiable long-term public maintainer. Just my two cents, so feel free to ignore.
from pester.
I also want to echo that I don't feel attacked in any way, and am hoping that my comment did not sound overly aggressive. 😊
@fflaten thanks for responding here, I would not be able to put it better.
from pester.
@nohwnd Wasn't this resolved?
from pester.
By the way, I consider this also as a security issue, PowerShell modules should not be signed by individuals.
from pester.
Just downloaded the nupkg of Pester v5.5.0 from the PSGallery and looked at the Digital Signature for the DLLs. They are still using the certificate Acenl12 reported.
from pester.
Just downloaded the nupkg of Pester v5.5.0 from the PSGallery and looked at the Digital Signature for the DLLs. They are still using the certificate Acenl12 reported.
The certificate with subject Jakub Jareš is the expected certificate.
The warning while installing the module is what I believe should've been resolved.
from pester.
Just downloaded the nupkg of Pester v5.5.0 from the PSGallery and looked at the Digital Signature for the DLLs. They are still using the certificate Acenl12 reported.
The certificate with subject Jakub Jareš is the expected certificate. The warning while installing the module is what I believe should've been resolved.
Ah, my mistake. I think the fixed warning might have been the one that appeared when -SkipPublisherCheck wasn't given to Install-Module. Since the binaries have the expected certificate the warning here seems reasonable, as the Publisher is different from the previous one (Microsoft) and indicates a change of ownership (which may not be expected or desirable). Actually, the odd thing is that they didn't put that kind of change behind a -Confirm flag.
from pester.
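An added example, not code from the Pester project or from anyone in this thread, that checks on a local machine the two points discussed above: whether each installed version's files carry a Valid Authenticode signature that chains to a trusted root rather than a self-signed certificate (fflaten's explanation), and whether the signer subject differs between installed versions, which is the "publisher changed" condition behind the -SkipPublisherCheck warning. The module name and the expected subject CN are assumptions to adjust to your own review.

```powershell
# Added example: audit Authenticode signers of every installed version of a module.
# Assumptions: module name and the subject CN you verified out of band.
param(
    [string]$ModuleName = 'Pester',
    [string]$ExpectedSubjectCN = 'Jakub Jareš'   # assumed; set to the CN you verified
)

function Get-ModuleSignerReport {
    param([string]$Name)
    foreach ($m in Get-Module -ListAvailable -Name $Name | Sort-Object Version) {
        # File types PowerShell validates under the AllSigned execution policy.
        $files = Get-ChildItem -Path $m.ModuleBase -Recurse -File `
            -Include *.psd1, *.psm1, *.ps1, *.ps1xml, *.dll
        foreach ($f in $files) {
            $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Version    = $m.Version
                File       = $f.FullName.Substring($m.ModuleBase.Length + 1)
                # Valid, NotSigned, HashMismatch, NotTrusted (chain ends in an untrusted root), ...
                Status     = $sig.Status
                Subject    = if ($cert) { $cert.Subject } else { $null }
                Issuer     = if ($cert) { $cert.Issuer } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                # A self-signed certificate is its own issuer; a CA-issued one is not.
                SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            }
        }
    }
}

$report = Get-ModuleSignerReport -Name $ModuleName

# 1. Files that would be rejected under AllSigned (unsigned, tampered, or untrusted root).
$report | Where-Object Status -ne 'Valid' | Format-Table Version, File, Status -AutoSize

# 2. Distinct publishers per installed version; a new subject between versions is the
#    condition that makes Install-Module demand -SkipPublisherCheck.
$report | Where-Object Status -eq 'Valid' | Group-Object Version | ForEach-Object {
    [pscustomobject]@{
        Version  = $_.Name
        Subjects = ($_.Group.Subject | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize

# 3. Valid signatures whose signer is self-signed or whose CN is not the one you verified.
$cn = [regex]::Escape($ExpectedSubjectCN)
$report | Where-Object { $_.Status -eq 'Valid' -and ($_.SelfSigned -or $_.Subject -notmatch "CN=$cn") } |
    Format-Table Version, File, Subject, SelfSigned -AutoSize
```

Run it on a machine that still has the older Microsoft-signed Pester 3.x alongside 5.x and section 2 shows the two different subjects the publisher check compares.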
Yeah that's it, but I believe it was fixed somehow. At one point we changed the README from a warning to this because it just worked. 🙂
📦🔐 Pester is now signed. -SkipPublisherCheck should no longer be used to install from PowerShell Gallery on Windows 10
from pester.
By the way, I consider this also as a security issue, PowerShell modules should not be signed by individuals.
Unless we become a registered company I can't get a certificate for Pester specifically AFAIK, and such a certificate would be pretty expensive. There is also technically no difference between a certificate for my name and a certificate for a company, other than if I drop from this project others can take over more easily.
I don't think this is a security incident, most other modules come unsigned, and they can change ownership or be tampered with without your knowledge. So if anything we are getting punished here for doing the right thing.
Yeah that's it, but I believe it was fixed somehow.
I believe there was a check in PowerShellGet that was specific to Pester to suppress this issue. @ay-azara which version of PowerShellGet are you using?
FWIW you can uninstall the old Pester from the system using this script: https://gist.github.com/nohwnd/5c07fe62c861ee563f69c9ee1f7c9688 and then there is no change of ownership.
from pester.
@nohwnd I'm using Pester v5.5.0 and have PowerShellGet 2.2.5 & 1.0.0.1. Pester v3.4.0 is still installed. Maybe I was still using 1.0.0.1 by accident when I installed?
from pester.
When I see a certificate like that as a security engineer, I could think it's a self signed cert of a threat actor, and block it using WDAC. I'm not blaming you guys, don't feel attacked. I'm just concerned that a PowerShell module uses a certificate with a personal name in it. Pester has become such a core module in PowerShell and so widely used that it's not acceptable for me. In my environment I already blocked this certificate and the module until it gets improved
from pester.
The module is signed by me, the certificate is trusted by DigiCert, and the warning can be either ignored or the older module uninstalled by the script provided.
@fflaten I can see reference to Pester and PSReadline whitelisting here https://github.com/PowerShell/PowerShellGetv2/blob/master/src/PowerShellGet/PowerShellGet.psd1#L199
https://grep.app/search?q=WhitelistedModules&filter[repo][0]=PowerShell/PowerShellGetv2 The code still seems to be in master on v2.
from pester.
@fflaten I can see reference to Pester and PSReadline whitelisting here https://github.com/PowerShell/PowerShellGetv2/blob/master/src/PowerShellGet/PowerShellGet.psd1#L199
https://grep.app/search?q=WhitelistedModules&filter[repo][0]=PowerShell/PowerShellGetv2 The code still seems to be in master on v2.
Thanks. I thought it was more fancy tbh 😁 In PSResourceGet (v3) I believe they removed the publisher check by default. So should be good going forward.
from pester.
I thought it was more fancy tbh 😁
Yeah same.
from pester.
The module is signed by me, the certificate is trusted by DigiCert, and the warning can be either ignored or the older module uninstalled by the script provided.
Closing because of this ^^^. Our signing works correctly, and we can't do more than that.
from pester.