Why Is My Code-Signed PS1 Script Showing As Not Signed After Downloading from GitHub?

Asked By CuriousCactus87 On

I'm working in an environment where we're using Applocker/CLM, so all of our PowerShell scripts (PS1) need to be code-signed. However, I've run into a strange issue: when I download a code-signed PS1 script from our GitHub repository, it shows `NotSigned` when I check it with Get-AuthenticodeSignature, and there are no digital signatures displayed at all. Oddly enough, if I share the script via OneDrive, the digital signature remains intact. Is this behavior with GitHub expected for PS1 scripts? What could I look into to fix this? We store a lot of scripts on GitHub, and I didn't realize this was an issue until now. Thanks for any insights!

4 Answers

Answered By CodeWizard42 On

PowerShell signatures can be super sensitive to newline characters. They need `\r\n` for line separators; if they’re using just `\n`, the signature might not be recognized. You might want to use cmdlets like `Format-Hex` to check the line endings. It’s possible that the issue is happening when the scripts are committed to the repo or during the checkout process.
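As an added example (not code posted by anyone in this thread), the following PowerShell script checks the line endings described above at the byte level, confirms the signature block is still present, and re-checks `Get-AuthenticodeSignature` after rewriting an LF-only file with CRLF. The script path is a placeholder; the `.gitattributes` lines in the trailing comment are standard git syntax for pinning line endings.

```powershell
# Added example: diagnose LF-vs-CRLF damage to a signed .ps1 and test the repair.
# $Path is a placeholder; point it at the script you pulled from the repo.
param([string]$Path = '.\Deploy-Thing.ps1')

function Get-LineEndingReport {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $crlf = 0; $lf = 0
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0x0A) {
            if ($i -gt 0 -and $bytes[$i - 1] -eq 0x0D) { $crlf++ } else { $lf++ }
        }
    }
    # A file that git checked out with LF endings shows CRLF = 0 and LF > 0 here.
    [pscustomobject]@{ Path = $Path; CRLF = $crlf; LF = $lf; Bytes = $bytes.Length }
}

function Test-HasSignatureBlock {
    param([Parameter(Mandatory)][string]$Path)
    # Marker that Set-AuthenticodeSignature appends to a signed script.
    (Get-Content -Path $Path -Raw) -match '# SIG # Begin signature block'
}

function Repair-LineEndings {
    param([Parameter(Mandatory)][string]$Path)
    # Turn every bare LF into CRLF byte-by-byte so the encoding and any BOM stay
    # untouched; the signature hash covers the script text, so bytes must match.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $out = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0x0A -and ($i -eq 0 -or $bytes[$i - 1] -ne 0x0D)) { $out.Add(0x0D) }
        $out.Add($bytes[$i])
    }
    [System.IO.File]::WriteAllBytes($Path, $out.ToArray())
}

$report = Get-LineEndingReport -Path $Path
$report | Format-List
"Signature block present: $(Test-HasSignatureBlock -Path $Path)"
"Status before: $((Get-AuthenticodeSignature -FilePath $Path).Status)"

if ($report.LF -gt 0 -and $report.CRLF -eq 0) {
    Copy-Item -Path $Path -Destination "$Path.bak"   # keep the downloaded bytes for diffing
    Repair-LineEndings -Path $Path
    "Status after CRLF repair: $((Get-AuthenticodeSignature -FilePath $Path).Status)"
}
# To keep git from rewriting endings on checkout, add to .gitattributes:
#   *.ps1 text eol=crlf
# or, to disable all conversion for signed scripts:  *.ps1 -text
```

If the status flips to `Valid` after the repair, the signature itself was never lost; only the checkout rewrote the bytes that were hashed.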

Answered By TechTalker99 On

Have you checked if the signing block is still intact at the end of the script? Sometimes when you download files, they can get blocked. Right-click on the script file, go to properties, and see if there's an "Unblock" checkbox. If it’s there, try unblocking it and see if that helps!

SkepticalSquirrel22 -

The signing block is still there, but the file isn't blocked and the digital signature tab is still empty.

Answered By NerdyNovice On

When you access the repo, are you viewing it directly on the website or pulling it to your local machine? If someone already signed it before pushing, you could check with them to see if it still appears signed on their end. There may be tools or security settings involved in uploading or downloading that are modifying the file.

Answered By DevEnthusiast On

It's worth noting that with GitHub or any git repository, all commits are immutable. Once something is in there, it can't just disappear. Are you sure the signed version was what's pushed? Remember, signing scripts for a git repo complicates things since changing and resigning files just bloats your commits without any real advantage. You might want to deploy an unsigned script and sign it when you're ready to release it.

CriticalCritter -

That logic doesn’t completely apply. Git is designed for tracking changes, so while you can’t change a commit, you can absolutely change files until the commit is made. Also, Git manages line endings between operating systems, which could lead to issues if your file's line endings aren’t set up correctly before you check it out.
