This project is read-only.

Unsigned script will not load in PowerShell 5.0 [Solved]

description

When I try to import showUI into PowerShell 5.0 ISE I get an error message saying that I cannot import an unsigned script.
import-module : Errors occurred while loading the format data file: 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml, , 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml: The file was skipped because of the following 
validation exception: File C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml cannot be loaded. The file 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml is not digitally signed. You cannot run this script on 
the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at 
http://go.microsoft.com/fwlink/?LinkID=135170..
At line:1 char:1
+ import-module showUI
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException
    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

comments

Jaykul wrote Apr 21, 2016 at 5:59 PM

You will need to
Set-ExecutionPolicy RemoteSigned -Scope Process
in order to disable the code-signing requirement in PowerShell.
The releases on the PowerShellGallery should be signed.

zipster1967 wrote Apr 22, 2016 at 11:09 PM

I changed the execution policy as per your suggestion but the script still will not import.
I still get
PS C:\WINDOWS\system32> import-module showUI
import-module : Errors occurred while loading the format data file: 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml, , 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml: The file was skipped because of the following 
validation exception: File C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml cannot be loaded. The file 
C:\Users\Trent\Documents\WindowsPowerShell\Modules\showUI\ShowUI.Formats.ps1xml is not digitally signed. You cannot run this script on 
the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at 
http://go.microsoft.com/fwlink/?LinkID=135170..
At line:1 char:1
+ import-module showUI
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException
    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

zipster1967 wrote Apr 26, 2016 at 9:43 AM

I tried downloading the gallery version and installing that and it seemed to install okay but now when I type any ShowUI commands I get an error message. If I try:
Get-UICommand<enter>
I get back:
.\Get-UICommand.ps1 : File 
C:\Users\Trent\Documents\windowspowershell\modules\showui\Get-UICommand.ps1 cannot be loaded. 
The file C:\Users\Trent\Documents\windowspowershell\modules\showui\Get-UICommand.ps1 is not 
digitally signed. You cannot run this script on the current system. For more information about 
running scripts and setting execution policy, see about_Execution_Policies at 
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Get-UICommand.ps1
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
I am running PowerShell 5.0 under Windows 10. I wish this was as easy as they make it seem in the instructional videos they show on YouTube but I have been fighting with this for a few days now and I am considering giving up using this thing at all.

Jaykul wrote Apr 26, 2016 at 6:25 PM

So. Yeah. It's not signed. Try reading the help file that PowerShell mentioned:
get-help about_Execution_Policies
You're going to need to permanently change the execution policy for yourself (or your system):
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Or
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
Or
Set-ExecutionPolicy Unrestricted -Scope LocalMachine
But you should read the help file to understand what you're doing first :-)

zipster1967 wrote Apr 27, 2016 at 8:12 AM

I am aware of how to change the execution policy settings but I don't believe a script should be constructed that is not signed if it is meant for distribution. Is there any way that I can sign the script since I will not be distributing it to anyone else once I have it running on my machine? I doubt that everyone who has downloaded this script has had the problems I am having.

Jaykul wrote Apr 27, 2016 at 4:32 PM

Well, you can believe all you like about code signing, but at the end of the day, this is an open source project. There's no company, so it's impossible for me to get a code certificate in the name of "ShowUI" that the team could share for publishing purposes, and in the absence of a corporate entity, code signing exposes the individual human beings behind an account, including their full names and locations.

That is to say, I could sign it myself, with my personal code-signing certificate (and I sometimes do), but I am philosophically opposed to doing so:
  1. Signing files implies authorship which is only partly true in the case of open source partnerships
  2. My authorship doesn't imply any warranty or liability
  3. Signing isn't more authoritative than the package being published by my account on a trusted site
  4. Signing doesn't guarantee there are no bugs
  5. Using a personal cert prevents my partners from publishing
  6. Code signing perpetuates the idea that others must code sign
  7. A $60-200 cert is a substantial barrier to publishing software.

Jaykul wrote Apr 27, 2016 at 4:36 PM

You can absolutely sign the code yourself to ensure that if someone modifies it on your box, you won't run it. That is a great thing for people to do -- especially for corporations to do with code they've reviewed and approved for use and distribution within their organization.

You basically can just do:
Get-ChildItem ShowUI -Recurse | Set-AuthenticodeSignature
Passing the appropriate arguments to Set-AuthenticodeSignature to tell it what certificate to use. You will get a few errors from files that aren't able to be signed, but that won't matter.

zipster1967 wrote Apr 27, 2016 at 10:45 PM

I apologize for my ignorance. I was under the impression that the script was created by a company or team from a large company. I can understand the fact that since the script is open-sourced that it is distributed unsigned. That is the way I would do it also. I have created a self-signed certificate and signed it with that and now it works. I can't wait to start using it but I wanted to take a moment to let you know how much I appreciate your help in this. From what I have seen of ShowUI's capabilities so far it seems like the kind of utility I would write myself if I had the time. Thanks for all your work and I will think of you and the other programmers every time I use it.
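
The local self-signing workflow discussed in the two comments above, written out end to end as an added example (it is not part of any poster's comment and not ShowUI project code). The module path, certificate subject and temporary file name are assumptions; adjust them to your system.

```powershell
# Added example. $modulePath, $subject and the .cer file name are placeholders.
$modulePath = Join-Path $HOME 'Documents\WindowsPowerShell\Modules\ShowUI'
$subject    = 'CN=Local ShowUI Signing (example)'

# 1. Show the policy at every scope. The first defined entry wins, in the order
#    MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine, so a value
#    set by Group Policy overrides anything set with -Scope Process or CurrentUser.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Create a code-signing certificate; the private key stays in the user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My

# 3. Trust the public certificate only. Adding to the Root store shows a
#    confirmation prompt; both stores are needed for a self-signed publisher.
$cer = Join-Path $env:TEMP 'showui-signing-example.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
Remove-Item $cer

# 4. Sign only the file types PowerShell can carry a signature in, which avoids
#    the errors from unsignable files mentioned in the comment above.
$signable = Get-ChildItem $modulePath -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml
$signable | ForEach-Object {
    Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert | Out-Null
}

# 5. Verify: report every file whose signature is missing, untrusted or broken.
$bad = $signable |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object Status -ne 'Valid'

if ($bad) {
    $bad | Format-Table Path, Status, StatusMessage -AutoSize
} else {
    "All $($signable.Count) files are signed by thumbprint $($cert.Thumbprint)"
}
```

Re-running step 5 later works as a tamper check: a file changed after signing reports `HashMismatch` instead of `Valid`.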

Jaykul wrote Apr 28, 2016 at 6:37 PM

Thanks for understanding, and ... you're welcome :-)