A digitally signed PowerShell script does not work with non LTS Node.js version with "AllSigned" PowerShell policy
Version
Non-LTS version of Node.js (e.g. 22.6)
Platform
Windows 10 64 bit and Windows server 2022 standard edition 64 bit
Subsystem
No response
What steps will reproduce the bug?
We have a PowerShell script that is digitally signed using our organization's code signing certificate. This script is responsible for launching a local Node.js service. When the PowerShell execution policy is set to "AllSigned," the script works as expected with the Long Term Support (LTS) version of Node.js. However, the script fails to run with other versions of Node.js under the "AllSigned" policy. If the PowerShell execution policy is changed from "AllSigned" to another policy, the script successfully runs with these other Node.js versions.
- Set the PowerShell execution policy to "AllSigned."
- Attempt to run the signed PowerShell script with a non-LTS version of Node.js installed.
- Observe that the script fails to launch the Node.js service.
- Change the PowerShell execution policy to something other than "AllSigned", e.g. "RemoteSigned".
- Attempt to run the script again with the same non-LTS Node.js version.
- Observe that the script now runs successfully and the Node.js service is up and running.
How often does it reproduce? Is there a required condition?
It always fails to run with any version of Node.js other than LTS.
What is the expected behavior? Why is that the expected behavior?
Expected Behavior: Node.js service must be up. The signed PowerShell script should launch Node.js service with any version of Node.js when the execution policy is set to "AllSigned."
Actual Behavior: The Node.js service only runs successfully with the LTS version of Node.js when the execution policy is "AllSigned." For other versions, it fails unless the policy is changed.
What do you see instead?
Actual Behavior: The Node.js service only runs successfully with the LTS version of Node.js when the execution policy is "AllSigned." For other versions, it fails unless the policy is changed.
Additional information
Environment:
- PowerShell Execution Policy: AllSigned
- Node.js Versions: LTS and other versions
- Digital Signature: Organization-based code signing certificate
Duplicate of #54607
Would you please reopen this ticket? The original ticket #54607 (https://github.com/nodejs/node/issues/54607) has been closed. This is important as the previous ticket was created by a user who is not associated with this issue. I request you to reopen this ticket and we can discuss further.
When the PowerShell execution policy is set to "AllSigned," the script works as expected with the Long Term Support (LTS) version of Node.js. However, the script fails to run with other versions of Node.js
Can you provide more information about this statement?
Something like a table would be nice:
| Version | `AllSigned` | W/O `AllSigned` |
|----------|-------------|-----------------|
| v22.9.0 | ✅ OR ❎ | ✅ OR ❎ |
| v20.17.0 | ✅ OR ❎ | ✅ OR ❎ |
| v18.20.4 | ✅ OR ❎ | ✅ OR ❎ |
Hi,
Please find below required information:
Thanks & Regards
Amit

From: Aviv Keller
Sent: 25 September 2024 23:07
To: nodejs/node
Cc: Amit Rohatgi; Author
Subject: Re: [nodejs/node] A digitally signed PowerShell script does not work with non LTS Node.js version with "AllSigned" PowerShell policy (Issue #55097)

When the PowerShell execution policy is set to "AllSigned," the script works as expected with the Long Term Support (LTS) version of Node.js. However, the script fails to run with other versions of Node.js
Can you provide more information about this statement?
Something like a table would be nice
| Version | `AllSigned` | W/O `AllSigned` |
|----------|-------------|-----------------|
| v22.9.0 | ✅ OR ❎ | ✅ OR ❎ |
| v20.17.0 | ✅ OR ❎ | ✅ OR ❎ |
| v18.20.4 | ✅ OR ❎ | ✅ OR ❎ |
I tried to reproduce this locally with the following steps but I wasn't able to. Can you share a repro example to investigate it in detail?
- Add-Signature.ps1
  ```powershell
  $params = @{
      Subject = 'CN=PowerShell Code Signing Cert'
      Type = 'CodeSigning'
      CertStoreLocation = 'Cert:\CurrentUser\My'
      HashAlgorithm = 'sha256'
  }
  $cert = New-SelfSignedCertificate @params
  Set-AuthenticodeSignature run.ps1 $cert
  Export-Certificate -Cert $cert -FilePath "exported_cert.cer"
  Set-AuthenticodeSignature -FilePath "run.ps1" -Certificate $cert
  ```
- run.ps1
  ```powershell
  node 54607.js
  ```
- 54607.js
  ```js
  console.log("Hello world");
  ```
- Run `Add-Signature.ps1`
- Install the exported certificate (`exported_cert.cer`)
- `Set-ExecutionPolicy -Scope CurrentUser AllSigned`
- Run `run.ps1` and see the output.
I tried this script with Node.js LTS versions and v10. All worked as expected.
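A diagnostic that collects the details the repro request above asks for, as an added example that is not from any participant in this thread: it reports the execution policy at every scope, what the name `node` resolves to, and the Authenticode status of each PowerShell script involved. It assumes the signed launcher is the `run.ps1` from the repro steps, sits in the current directory, and starts Node.js through the command name `node`.

```powershell
# Added diagnostic (not code from the issue thread).
# Assumption: run.ps1 from the repro steps is in the current directory.
$scriptPath = Join-Path (Get-Location) 'run.ps1'

# 1. Execution policy at every scope; a MachinePolicy/UserPolicy entry
#    set by Group Policy overrides CurrentUser and LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Everything the name "node" can resolve to, in resolution order.
$candidates = @(Get-Command node -All -ErrorAction SilentlyContinue)
$candidates | Select-Object CommandType, Name, Source | Format-Table -AutoSize

# 3. Authenticode status of the launcher and of any script-type command
#    that "node" resolves to. The execution policy governs PowerShell
#    scripts, not node.exe itself.
$toCheck = @($scriptPath) + @(
    $candidates |
        Where-Object { $_.CommandType -eq 'ExternalScript' } |
        ForEach-Object { $_.Source }
)
$report = foreach ($file in ($toCheck | Select-Object -Unique)) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    [pscustomobject]@{
        File    = $file
        Status  = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject # empty when the file is unsigned
        Message = $sig.StatusMessage
    }
}
$report | Format-List

# 4. Version of the Node.js binary that would actually be started.
$exe = $candidates |
    Where-Object { $_.CommandType -eq 'Application' } |
    Select-Object -First 1
if ($exe) { & $exe.Source --version }
```

Paste it into an interactive session rather than saving it as a file, since an unsigned `.ps1` is itself blocked under `AllSigned`. Running it once per installed Node.js version gives one row of the requested version table along with the signature state behind each result.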
Since there has not been any feedback since the last comment for more than a month, I'll close this one. Feel free to reopen if needed.