3

I'm trying to set up some PowerShell build scripts. I've got a self-signed certificate that I can use to sign the script and get it to run with AllSigned. The problem is, this doesn't carry across our SCM (git).

Whenever I try to clone and run the script, or change it and revert, I get the error that the file is unsigned.

File <> cannot be loaded. The file <> is not digitally signed. The script will not execute on the system. ...

If I re-sign the script, the signature block changes and I can run it again.

Is there any way to preserve the signing?

2 Answers

3

Dug into this a little more this morning:

Along with the signature block appended to the actual file, there is signature information stored as extended attributes for the file.

As can be expected, git doesn't track EAs. For attributes like permissions, the standard advice is to use a git hook. I haven't been able to find any way to set the attributes for a digital signature without re-signing the file.

This leaves 3 options:

  • Switch the build server and any other computers needing to run the script to RemoteSigned.
  • Use some shell voodoo, git hooks, and SignTool to re-sign the file each time the attribute is removed. Fragile and hacky.
  • Rework the build / deploy process so that PowerShell scripts aren't required. I'm in the early stages, so this is my best option.
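Before choosing between the options above, it helps to see exactly which state each checked-out script is in. The following is an added example (not code from the question or either answer) that audits every .ps1 in a checkout with Get-AuthenticodeSignature and, with -Resign, re-signs the ones that no longer verify using a code-signing certificate from the current user's store; $RepoRoot and the certificate subject are placeholders.

```powershell
# Added example: audit Authenticode status of scripts in a checkout and
# optionally re-sign those that fail. Assumes a code-signing certificate is
# installed in Cert:\CurrentUser\My; the subject below is a placeholder.
param(
    [string]$RepoRoot = (Get-Location).Path,
    [string]$SignerSubject = 'CN=BuildScriptSigner',   # placeholder subject
    [switch]$Resign
)

$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $SignerSubject } |
    Select-Object -First 1

# Status tells the two failure modes apart:
#   NotSigned    - no parseable signature block in the file
#   HashMismatch - block is present, but the bytes it covers changed
#                  (e.g. a CRLF/LF or BOM rewrite during checkout)
$results = Get-ChildItem -Path $RepoRoot -Recurse -Filter *.ps1 | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path    = $_.FullName
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Message = $sig.StatusMessage
    }
}

$results | Format-Table -AutoSize

if ($Resign) {
    if (-not $cert) {
        throw "No code-signing certificate with subject '$SignerSubject' found."
    }
    # Only touch files that fail; valid ones keep their existing signature block.
    $results | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object {
        Set-AuthenticodeSignature -FilePath $_.Path -Certificate $cert -HashAlgorithm SHA256 |
            Select-Object Path, Status
    }
}
```

Running the audit before and after a clone or revert shows whether the signature block was lost (NotSigned) or merely invalidated by a content change (HashMismatch), which narrows the cause to the SCM's checkout transformations.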


2

Something related to your source control is modifying the script. For example, if you're using Subversion, expansion of keywords like $Id or $URL$ via svn:keywords will cause your script to change with each revision. Another possibility is EOL markers or file encoding (UTF-8 vs. ASCII) being modified.

1 Comment

Well, the problem occurs even when reverting to a committed, signed version of the file (with EOL markers being the same). The root cause is that some signing information is stored as an extended attribute, which git doesn't track.
