Certificate warning when upgrading to 5.6.0-beta1

Question

Certificate warning when upgrading to 5.6.0-beta1

fflaten opened this issue 3 months ago · comments

Frode Flaten commented 3 months ago

Checklist

Issue has a meaningful title
I have searched the existing issues. See all issues
I have tested using the latest version of Pester. See Installation and update guide.

What is the issue?

The new code signing certificate unfortunately triggers a new publisher warning when calling Update-Module

Install-Package: Authenticode issuer 'CN=Jakub Jareš, O=Jakub Jareš, L=Praha, C=CZ' of the new module 'Pester' with version '5.6.0' from
root certificate authority 'CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching
with the authenticode issuer 'CN=Jakub Jareš, O=Jakub Jareš, L=Praha, C=CZ' of the previously-installed module 'Pester'
with version '5.5.0' from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert
Inc, C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.

Expected Behavior

No warning.

Steps To Reproduce

Install-Module -Name Pester -RequiredVersion 5.5.0 -Force -SkipPublisherCheck
Update-Module -Name Pester -AllowPrerelease

Describe your environment

Pester version : 5.5.0 C:\Users\Frode\Documents\PowerShell\Modules\Pester\5.5.0\Pester.psm1
PowerShell version : 7.4.2
OS version : Microsoft Windows NT 10.0.22631.0
PowerShellGet version: 2.2.5

Possible Solution?

No response

Jakub Jareš · Answer 1 · Fri Apr 26 2024 04:39:46 GMT+0800 (China Standard Time)

There is no solution unfortunately. If I stop signing the certificate there will be warning. If I rename the certificate people won't be able to find it. This will just continue happening if the root will change again in 3 years for new certificate. Unless the logic in powershell changes, and everyone will update.

Thomas Nieto · Answer 2 · Wed Jun 05 2024 22:25:12 GMT+0800 (China Standard Time)

This issue does not occur with PSResourceGet.

PS C:\> Get-PSResource Pester

Name   Version Prerelease Repository Description
----   ------- ---------- ---------- -----------
Pester 5.5.0              PSGallery  Pester provides a framework for running…

PS C:\> Update-PSResource Pester -PassThru

Name   Version Prerelease Repository Description
----   ------- ---------- ---------- -----------
Pester 5.6.0              PSGallery  Pester provides a framework for running…

Frode Flaten · Answer 3 · Wed Jun 05 2024 22:45:43 GMT+0800 (China Standard Time)

IIRC they removed the whole publisher check in v3. Most users still use older out-of-box modules unfortunately.

Thomas Nieto · Answer 4 · Wed Jun 05 2024 22:46:40 GMT+0800 (China Standard Time)

It's still there but is now opt in rather than opt out.

Philip Meholm · Answer 5 · Thu Jun 13 2024 06:53:20 GMT+0800 (China Standard Time)

Could there be a notice of this on the readme? i mean it wont really help with the module system being stupid, but it does feel better if the first thing you saw when searching for "pester powershell" be a "please note: certificate from previous versions have changed.."

Jakub Jareš · Answer 6 · Thu Jun 13 2024 15:31:48 GMT+0800 (China Standard Time)

Sure, do you want to PR it?

Bernie White · Answer 7 · Thu Jun 13 2024 22:17:34 GMT+0800 (China Standard Time)

Pinned issue was a good call.

Selvi Kalaiselvi · Answer 8 · Sat Jun 15 2024 01:02:03 GMT+0800 (China Standard Time)

We have pinned version for long time, and I get this same cert error. Only way to workaround is by adding -SkipPublisherCheck fixes

Install-Module -Name 'Pester' -RequiredVersion 5.3.1 -Force | Out-Null
Import-Module -Name Pester -RequiredVersion 5.3.1 -Force

"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -Command D:\a_temp\434bdabc-db7b-4fdc-9743-7ddeeb878098.ps1
92Install-Package: Authenticode issuer 'CN=Jakub Jareš, O=Jakub Jareš, L=Praha, C=CZ' of the new module 'Pester' with version '5.3.1' from
93root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching
94with the authenticode issuer 'CN=Jakub Jareš, O=Jakub Jareš, L=Praha, C=CZ' of the previously-installed module 'Pester'
95with version '5.6.0' from root certificate authority 'CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc,
96C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.
97Import-Module: D:\a_temp\434bdabc-db7b-4fdc-9743-7ddeeb878098.ps1:4
98Line |
99 4 | Import-Module -Name Pester -RequiredVersion 5.3.1 -Force
100 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
101 | The specified module 'Pester' with version '5.3.1' was not loaded because no valid module file was found in any
102 | module directory.
103Error: Error: The process 'C:\Program Files\PowerShell\7\pwsh.exe' failed with exit code 1

Frode Flaten · Answer 9 · Sat Jun 15 2024 21:45:30 GMT+0800 (China Standard Time)

@RKSelvi Looks like it's because you've already installed 5.6.0 locally. Same issue just different direction, downgrade vs upgrade with mismatching certs.