Skip to content

Add warning when AuthenticodeCheck is used on non-Windows platforms #1891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Add warning when AuthenticodeCheck is used on non-Windows platforms #1891

wants to merge 5 commits into from

Conversation

Copilot
Copy link

@Copilot Copilot AI commented Oct 8, 2025
edited
Loading

Summary

Fixes an issue where the AuthenticodeCheck parameter on Install-PSResource, Save-PSResource, and Update-PSResource cmdlets would silently do nothing on Linux and MacOS platforms, leaving users unaware that signature verification was not being performed.

Changes

This PR adds a user-facing warning message when the AuthenticodeCheck parameter is used on non-Windows platforms:

WARNING: Authenticode check cannot be performed on Linux or MacOS.

The warning appears once per operation and informs users that while the operation will complete successfully, authenticode signature verification is only supported on Windows platforms.

Implementation Details

  • Modified CheckAuthenticodeSignature method in Utils.cs to emit a warning before returning true on non-Windows platforms
  • The fix automatically applies to all three cmdlets (Install-PSResource, Save-PSResource, Update-PSResource) since they all share the same code path through InstallHelper
  • Added comprehensive test coverage with three new test cases (one per cmdlet) that verify the warning is displayed on non-Windows systems
  • All tests use -Skip:(Get-IsWindows) to ensure they only run on Linux/MacOS

Testing

# Before: No warning displayed
Install-PSResource -Name MyModule -AuthenticodeCheck -Repository PSGallery -TrustRepository

# After: Warning is displayed
Install-PSResource -Name MyModule -AuthenticodeCheck -Repository PSGallery -TrustRepository
# WARNING: Authenticode check cannot be performed on Linux or MacOS.

The operation still completes successfully, but users are now properly informed about the platform limitation.

Resolves #2020

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 1k9vsblobprodcus379.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 37cvsblobprodcus359.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 4myvsblobprodcus32.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 51yvsblobprodcus36.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 5dkvsblobprodcus355.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 7devsblobprodcus323.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 7k6vsblobprodcus337.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • 7tjvsblobprodcus341.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • bcnvsblobprodcus378.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • c50vsblobprodcus330.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • c78vsblobprodcus322.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • dlbvsblobprodcus316.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • fdpvsblobprodcus345.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • gbsvsblobprodcus365.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • kh4vsblobprodcus325.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • kmuvsblobprodcus389.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • l49vsblobprodcus358.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • m6xvsblobprodcus342.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • pkvvsblobprodcus321.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • s4uvsblobprodcus326.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • tphvsblobprodcus375.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • uy6vsblobprodcus34.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)
  • yttvsblobprodcus357.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet publish --configuration Debug --framework net472 --output bin/Debug/net472/publish (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>AuthenticodeCheck should warn/error on non-Windows</issue_title>
<issue_description>### Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest released version
  • Search the existing issues.

Steps to reproduce

If you use AuthenticodeCheck parameter on non-Windows it silently passes instead of writing a message to the user that signatures wasn't actually checked.

PSResourceGet/src/code/Utils.cs

Lines 2005 to 2009 in 949c26a

// Because authenticode and catalog verifications are only applicable on Windows, we allow all packages by default to be installed on unix systems.
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
return true;
}

Expected behavior

Write warning/error that parameter isn't supported on non-Windows.

Actual behavior

Nothing

Error details

No response

Environment data

n/a

Visuals

No response</issue_description>

<agent_instructions>Instead of just 'return true' here, add a warning that that "Authenticode check cannot be preformed on Linux or MacOS": // Because authenticode and catalog verifications are only applicable on Windows, we allow all packages by default to be installed on unix systems.
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
return true;
}
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@SydneyhSmith A warning seems appropriate here
Fixes #1754

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

@Copilot Copilot AI changed the title [WIP] Fix AuthenticodeCheck to warn on non-Windows systems Add warning when AuthenticodeCheck is used on non-Windows platforms Oct 8, 2025
@Copilot Copilot AI requested a review from alerickson October 8, 2025 18:43
Copilot finished work on behalf of alerickson October 8, 2025 18:43
@alerickson
Copy link
Member

/azp run PowerShell.PSResourceGet

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@alerickson
Copy link
Member

/azp run PowerShell.PSResourceGet

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alerickson alerickson Awaiting requested review from alerickson alerickson is a code owner

@anamnavi anamnavi Awaiting requested review from anamnavi anamnavi will be requested when the pull request is marked ready for review anamnavi is a code owner

@adityapatwardhan adityapatwardhan Awaiting requested review from adityapatwardhan adityapatwardhan will be requested when the pull request is marked ready for review adityapatwardhan is a code owner

@SydneyhSmith SydneyhSmith Awaiting requested review from SydneyhSmith SydneyhSmith will be requested when the pull request is marked ready for review SydneyhSmith is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@alerickson alerickson

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AuthenticodeCheck should warn/error on non-Windows
2 participants
@Copilot @alerickson