windowsExecutableCodeSignatureVerifier fails in PowerShell Constrained Language Mode #6917

Closed
jeremyspiegel opened this issue Jun 3, 2022 · 7 comments · Fixed by #7230

@jeremyspiegel
Contributor

  • Electron-Builder Version: 23.0.3
  • Node Version: 16.14.0
  • Electron Version: 18.1.0
  • Electron Type (current, beta, nightly): current
  • electron-updater version: 5.0.1
  • Target: nsis

windowsExecutableCodeSignatureVerifier.ts is failing for some users with this error:

Cannot execute Get-AuthenticodeSignature, stderr: Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:175
+ ... ch-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.Ge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
. Failing signature validation due to unknown stderr.

I believe this is due to PowerShell Constrained Language Mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

@burgil

burgil commented Jun 5, 2022

Hey, how do I reproduce this error, do you know maybe?

@jeremyspiegel
Contributor Author

Sorry I was wrong about it being the Get-AuthenticodeSignature part, it's actually the [Convert]::ToBase64String and [System.Text.Encoding]::UTF8.GetBytes that the result is piped into that's failing.

To reproduce, set a system environment variable __PSLockDownPolicy=4 (make sure to select OK in the Environment Variables window):

Then open a new PowerShell window and test [System.Text.Encoding]::UTF8.GetBytes or [Convert]::ToBase64String:

@jeremyspiegel changed the title from "Get-AuthenticodeSignature fails in PowerShell Constrained Language Mode" to "windowsExecutableCodeSignatureVerifier fails in PowerShell Constrained Language Mode" on Jun 5, 2022
@burgil

burgil commented Jun 5, 2022

Not sure if that helps:

And also, did you know PowerShell is being maintained and updated by the minute? Check it out:
https://github.com/PowerShell/PowerShell

You can also download the newest version there and it's supposed to be awesome, I was too afraid to get it to avoid compatibility issues..

I did not, however, set the env variables. I was too lazy, sorry. Let me know if you want me to lol

@jeremyspiegel
Contributor Author

@burgil I think that electron-updater should still be able to work even when PowerShell is configured this way, and regardless of what version of PowerShell is installed.

@burgil

burgil commented Jun 6, 2022

I just realized that the problem is coming from electron-updater. I think you are right, yes, it should work regardless of PowerShell version. I just let you know you can update it, but yeah, now I know that the problem is in other people's computers, your users. I misread that part. Perhaps one of the contributors here knows something. Good luck with that.

If you are looking for a quick hack, check if that environment variable is set, and delete it during the update process using some hook there, and as soon as it finished updating check if it was removed and restore it in that case.. (you can like store it in a file if it was removed)

Or you can like make a simple check that checks if that environment variable is there and, if so, it puts up a message box saying your pc configuration is preventing the updater from running, please remove this, or do this.
Could be a great start to debug it too, I will start from there and evolve to the first option..

But of course if anybody here can actually fix it yeah.. that will be the ultimate solution. I'm just a random guy here :)

@jeremyspiegel
Contributor Author

The environment variable is a way to set PowerShell in that mode for debugging purposes, but there are other ways to set it that can't be circumvented (like AppLocker or Group Policy Software Restriction settings).

@jeremyspiegel
Contributor Author

jeremyspiegel commented Nov 1, 2022

I've added a PR to address this: #7230
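
Added example (not from this thread and not the code in #7230): a Node.js example of a verification command that uses cmdlets only, so it does not rely on the .NET method calls that Constrained Language Mode rejects, with a caller that fails closed on any stderr. The function names, the `ConvertTo-Json` output shape and the sample inputs are assumptions.

```javascript
// Added example: not electron-updater's code. Function names are hypothetical.
// Error id taken from the stderr quoted in this issue.
const CLM_ERROR_ID = "MethodInvocationNotSupportedInConstrainedLanguage";
// Assumption: ConvertTo-Json emits the SignatureStatus enum as a number, 0 = Valid.
const STATUS_VALID = 0;

// Build powershell.exe arguments that use cmdlets only; no .NET method calls
// such as [Convert]::ToBase64String, which Constrained Language Mode rejects.
function buildVerifyArgs(filePath) {
  // Double every single-quote character PowerShell accepts as a string
  // delimiter (ASCII and typographic) so the path stays inside the literal.
  const literal = filePath.replace(/['\u2018\u2019\u201A\u201B]/g, "$&$&");
  return [
    "-NoProfile", "-NonInteractive", "-Command",
    `Get-AuthenticodeSignature -LiteralPath '${literal}' | ConvertTo-Json -Compress`,
  ];
}

// Interpret the command's output. Every failure path returns trusted: false.
function interpretResult(stdout, stderr) {
  if (stderr.includes(CLM_ERROR_ID)) {
    return { trusted: false, reason: "constrained-language-mode" };
  }
  if (stderr.trim() !== "") {
    return { trusted: false, reason: "unknown-stderr" };
  }
  let sig;
  try {
    sig = JSON.parse(stdout);
  } catch (err) {
    return { trusted: false, reason: "unparseable-output" };
  }
  if (sig === null || typeof sig !== "object" || sig.Status !== STATUS_VALID) {
    return { trusted: false, reason: "status-not-valid" };
  }
  const subject = sig.SignerCertificate ? sig.SignerCertificate.Subject : undefined;
  if (typeof subject !== "string" || subject === "") {
    return { trusted: false, reason: "no-signer" };
  }
  // The caller still has to compare subject with the expected publisher.
  return { trusted: true, subject };
}

// Constructed sample inputs (not captured from a real machine).
const SAMPLE_OK = '{"SignerCertificate":{"Subject":"CN=Example Publisher, O=Example"},"Status":0}';
const SAMPLE_CLM_STDERR = "Cannot invoke method. ... FullyQualifiedErrorId : " + CLM_ERROR_ID;
console.log(buildVerifyArgs("C:\\Temp\\it's.exe")[3]);
console.log(interpretResult(SAMPLE_OK, ""), interpretResult("", SAMPLE_CLM_STDERR));
```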
