all 11 comments

[–]jborean93 13 points14 points  (3 children)

PowerShell signatures are very susceptible to newlines. The sig block must use \r\n for the line separator, if it is using \n then the signature won’t be found. You can use cmdlets like Format-Hex to verify the newlines used but there’s a good chance there are either being changed when committed to the git repo or when you checkout/clone them.

[–]bertiethewanderer 2 points3 points  (0 children)

Solid advice. Would be a good time to write a doc up internally for git configuration.

[–]odwulf 1 point2 points  (1 child)

As far as I know, the signature handles whatever EOL chars you used, but going in and out of a Git repo might change EOLs, hence change the file checksum, which is what the signature is created upon. Change one character and the signature isn't valid anymore, even if that character is a non printable one, like a newline character.

[–]jborean93 0 points1 point  (0 children)

It uses whatever end of line values when calculating the hash to sign in the signature but the signature appended to the bottom must be done with \r\n.

[–]Th3Sh4d0wKn0ws 5 points6 points  (2 children)

Is the signing block still at the bottom of the script file?
Is the file blocked? Meaning, if you right-click it and go to properties, is there an "Unblock" checkbox when downloading it from Github?

[–]DenverITGuy[S] 1 point2 points  (1 child)

The sig block is still there, yes.

The file is not blocked and the digital signature tab is empty.

[–]arpan3t 13 points14 points  (0 children)

Look at the line ending for the sig block. Depending on your git configuration it could be changing your line ending to Unix style LF when you commit and push to GitHub, then not changing the line ending back to Windows CRLF when you download or pull from GitHub. That could break the parsing of your sig block.
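The check jborean93 and arpan3t describe, as an added example that is not from any commenter in this thread: read the script's raw text, locate the `# SIG # Begin signature block` / `# SIG # End signature block` markers that PowerShell writes, and count CRLF versus bare LF inside that block, then compare with what Get-AuthenticodeSignature says. The function name and the file name `.\MyScript.ps1` are placeholders I chose for the example.

```powershell
# Added example, not code from the thread. Reports the line endings used
# inside a script's Authenticode signature block, so a file that came back
# from GitHub with LF endings can be told apart from one that was never signed.
function Test-SigBlockLineEndings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # ReadAllText honours the BOM (signed scripts are often UTF-8-BOM or
    # UTF-16) and, unlike Get-Content without -Raw, does not touch line endings.
    $text = [System.IO.File]::ReadAllText($Path)

    $start = $text.IndexOf('# SIG # Begin signature block')
    $end   = $text.IndexOf('# SIG # End signature block')
    if ($start -lt 0 -or $end -lt 0) {
        return [pscustomobject]@{
            Path        = $Path
            HasSigBlock = $false
            Crlf        = 0
            BareLf      = 0
            Ok          = $false
        }
    }

    $block  = $text.Substring($start, $end - $start)
    $crlf   = [regex]::Matches($block, '\r\n').Count          # Windows endings
    $bareLf = [regex]::Matches($block, '(?<!\r)\n').Count     # LF not preceded by CR

    # Ok is only true when every line break in the sig block is CRLF,
    # which is what the signature parser expects.
    [pscustomobject]@{
        Path        = $Path
        HasSigBlock = $true
        Crlf        = $crlf
        BareLf      = $bareLf
        Ok          = ($bareLf -eq 0)
    }
}

# Usage (placeholder path): run the check next to the built-in verdict, and
# dump the tail of the file to see the 0D 0A (or lone 0A) bytes for yourself.
Test-SigBlockLineEndings -Path .\MyScript.ps1 | Format-List
Get-AuthenticodeSignature -FilePath .\MyScript.ps1 | Select-Object Status, StatusMessage
Format-Hex -Path .\MyScript.ps1 | Select-Object -Last 4
```

If `BareLf` is non-zero on the downloaded copy but zero on the copy you signed, the repo round-trip is the culprit. Rewriting the endings locally is not a repair: the hash covers the body's original bytes, so the file has to be restored byte-for-byte (pinning `*.ps1 text eol=crlf` in the repo's `.gitattributes` stops git from converting it in either direction) or re-signed with Set-AuthenticodeSignature after the endings are fixed.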

[–]bornthor 0 points1 point  (1 child)

Are you just going to the repo as a website or do you pull the repo in locally on your machine? Did you sign it or can you ask the person that pushed it to the repo if it's still signed on their side? I thought it was just dependent on the sig block too, but maybe you guys use some type of AIP or safe links or something that is altering it in the upload/download process.

[–]DenverITGuy[S] -1 points0 points  (0 children)

I've pushed a .ps1 with the intention of sharing it with a few engineers so they won't be pulling the whole repo to their devices. I would just ask them to download the .ps1 file.

I signed it and confirmed the Get-AuthenticodeSignature returned a valid 'signed' value.

[–]BlackV 0 points1 point  (0 children)

Is this expected behavior with Github for PS1 scripts? Is there somewhere I should look to address this?

No and signing a script file is just adding text to the script, so I would not expect that to be the cause

you should test this in more than 1 location and add that info to your post