Why Are My Code-Signed PS1 Scripts Not Valid After Downloading from GitHub?

Asked By CuriousCoder92 On

I'm running into an issue with my PowerShell scripts that need to be code-signed due to our AppLocker/CLM setup. I have a PS1 script that's properly code-signed, but after downloading it from our GitHub repository, it shows as 'NotSigned' when I check with Get-AuthenticodeSignature. Strangely, the digital signature remains intact when I share the same script via OneDrive. Is this a common problem with downloading PS1 scripts from GitHub, and what can I do to troubleshoot it? I wasn't aware this could happen, and it's important for us since we store many scripts in GitHub. Any insights would be appreciated!

5 Answers

Answered By LineEndingWizard On

Make sure your script's line endings are set correctly. PowerShell signatures need `\r\n` (Windows style) for signatures to be recognized. If your script is using `\n` (Unix style), the signature might not be detected properly when cloned from GitHub. Check this using cmdlets like `Format-Hex` to verify the line endings.

Answered By DeepDiver On

It's actually quite complicated. Once the script is in Git, it's essentially immutable, so losing the signature shouldn't happen under normal conditions. You might be better off deploying an unsigned version and signing it upon release instead, since checking signed scripts into git can lead to issues.

ConfusedCoder56 -

That’s confusing because Git tracks changes. If everything was immutable, why would it need a change tracker? Plus, Git can handle line endings on different OS. Using LF could definitely affect how Windows reads the signature block.

Answered By RepoWatcher88 On

Are you downloading the script through the GitHub website or pulling the repo onto your machine? You might want to ask the person who committed the script to see if it retains the signature on their end. It's possible something's getting altered during the upload or download process.

Answered By TechSavvySam On

Check if the signature block is still there at the bottom of your script. If you right-click on the file after downloading and see an 'Unblock' option in properties, that means it's blocked, which can affect the signature too.

CuriousCoder92 -

The signature block is still there, but the properties don't show it as blocked.

Answered By LineEndingGuru On

Exactly! Git does handle end-of-line conversions, which can mess with how the signature is read on Windows. If the script downloaded from GitHub has LF line endings, it'll cause issues when PowerShell checks the signature. You can test this by modifying the endings in Notepad++ and seeing how it affects the signature tab in the file properties.
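
To test the line-ending explanation raised in the answers above, the following added example (not code from any poster in this thread) counts CRLF and bare-LF line endings in a script, then checks the signature on the file as downloaded and on a temporary CRLF-only copy. The function name and the file path are hypothetical, and the script is assumed to be UTF-8 or ASCII.

```powershell
# Added example. Assumes a UTF-8/ASCII .ps1; works on raw bytes so a BOM is preserved.
function Test-SignatureLineEndings {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # Count CRLF pairs versus bare LF, and build a CRLF-only copy of the bytes.
    $crlf = 0; $bareLf = 0
    $fixed = New-Object 'System.Collections.Generic.List[byte]'
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0x0A) {
            if ($i -gt 0 -and $bytes[$i - 1] -eq 0x0D) { $crlf++ }
            else { $bareLf++; $fixed.Add([byte]0x0D) }
        }
        $fixed.Add($bytes[$i])
    }

    # Write the copy to the temp folder, keeping the .ps1 extension so
    # Get-AuthenticodeSignature treats it as a PowerShell script.
    $copy = Join-Path ([System.IO.Path]::GetTempPath()) ('crlf_' + [System.IO.Path]::GetFileName($full))
    [System.IO.File]::WriteAllBytes($copy, $fixed.ToArray())

    $before = Get-AuthenticodeSignature -FilePath $full
    $after  = Get-AuthenticodeSignature -FilePath $copy
    Remove-Item -LiteralPath $copy

    [pscustomobject]@{
        Path            = $full
        CRLF            = $crlf
        BareLF          = $bareLf
        StatusAsIs      = $before.Status
        StatusAsCrlf    = $after.Status
        # True only when restoring CRLF is what makes the signature validate.
        LineEndingIssue = ($before.Status -ne 'Valid' -and $after.Status -eq 'Valid')
    }
}

# Placeholder path: point this at the copy downloaded from GitHub.
Test-SignatureLineEndings -Path '.\Downloaded-Script.ps1'
```

If `LineEndingIssue` comes back `True`, the fix belongs in the repository rather than on each workstation: a `.gitattributes` entry such as `*.ps1 -text` makes Git store and check out signed scripts byte-for-byte, after which the CRLF version has to be committed again.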
