EPiServer deployment center and powershell digital signatures

As I mentioned in my last post I would like the installation of Progressive EPiServer Templates to be handled via the deployment center. There’s an excellent blog post about this written by Fredrik Tjärnberg. This post is about a problem I encountered (which Fredrik also mentions in his blog) regarding digital signing of the powershell files. But first some info on how to build a package for EPiServer deployment server.

Creating a MSI-installer

Fredrik has created a project template which can be used to get the base needed for the template package. After selecting what files you want included in the package, a set of files is generated for you. Included in these files is a powershell file that is run as part of the installation. By default this file performs some common scenarios that should cover very basic installation needs (like copying your application files, performing web.config transformations and so on).

Powershell and digital signatures

If you look at the end of the generated powershell file you will notice a signature. This is based on EPiServer's certificate and is partly generated from a hash of the content of the generated file. What this means is that if you change the content of the file, which is a likely scenario when creating your own template package, the signature is no longer valid and you will be presented with the following message in the deployment center:

Error – File C:\Program Files (x86)\EPiServer\CMS\6.0.530.0\Install\Modules\PET\Install PET.ps1 cannot be loaded. The contents of file C:\Program Files (x86)\EPiServer\CMS\6.0.530.0\Install\Modules\PET\Install PET.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see “get-help about_signing” for more details.

As you can see if you open the generated powershell script, the top line says “To make changes in the file, you have to remove the signature at the bottom of the script“. If you do that you will most likely get the following message:

Error – File C:\Program Files (x86)\EPiServer\CMS\6.0.530.0\Install\Modules\PET\Install PET.ps1 cannot be loaded. The file C:\Program Files (x86)\EPiServer\CMS\6.0.530.0\Install\Modules\PET\Install PET.ps1 is not digitally signed. The script will not execute on the system. Please see “get-help about_signing” for more details.

Powershell and execution policies

This error message is related to the execution policy for powershell files. The error message is pretty self explanatory; we removed the signature and the system does not allow unsigned scripts to run. If you do get this error, chances are that your current policy is set to AllSigned, which requires all powershell scripts to have a signature.

Solutions

The simplest solution is to create a digital signature and sign your script. The downside to this is that getting a certificate will cost money. A lot of it. This option is a no-go for me.

The other solution is to get the end user to change their execution policy to allow unsigned scripts to run. While this is very simple in theory (start powershell in x86 mode and type “Set-ExecutionPolicy RemoteSigned”, which allows local scripts to run without a signature), there are obviously security aspects as well as another step that needs to be performed.
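The two error messages above map directly onto what PowerShell reports for the script's signature status (HashMismatch when the signature block is still there but the content was edited, NotSigned once the block is removed), and the execution policy decides whether either state is allowed to run. The following is an added example, not part of the original post and not code from EPiServer or from Fredrik's template; it assumes a code-signing certificate is already in the current user's certificate store (purchased, or self-signed and then trusted on the target machine) and uses the script path quoted in the errors. Because the deployment center runs as a 32-bit process, run this from the x86 PowerShell host, as the post says: on 64-bit Windows the 32-bit and 64-bit hosts keep separate machine-level execution policies.

```powershell
# Added example (not from the original post or from EPiServer / Fredrik's template):
# inspect why the deployment center refuses the script, then sign it with a
# code-signing certificate already present in the user's certificate store.
# The path is the one quoted in the error messages in the post.
$script = 'C:\Program Files (x86)\EPiServer\CMS\6.0.530.0\Install\Modules\PET\Install PET.ps1'

# 1. Effective execution policy per scope. AllSigned is what produces the
#    "is not digitally signed" error once the EPiServer signature block is removed.
Get-ExecutionPolicy -List

# 2. Signature status of the script. Expect one of:
#    HashMismatch - signature block still present but the content was edited (first error)
#    NotSigned    - signature block removed (second error)
#    NotTrusted   - signed, but the signer's certificate is not trusted on this machine
#    Valid        - signed by a certificate this machine trusts
$sig = Get-AuthenticodeSignature -FilePath $script
'{0}: {1}' -f $sig.Status, $sig.StatusMessage

# 3. Sign with the first code-signing certificate in the current user's store.
#    Assumption: such a certificate exists here. With a self-signed certificate the
#    target machine must trust it first, otherwise the status becomes NotTrusted.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($cert -eq $null) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Format-List Status, SignerCertificate

# 4. Re-check; Valid means the script now loads under AllSigned without touching the policy.
(Get-AuthenticodeSignature -FilePath $script).Status

# The post's alternative, run from the x86 host the deployment center uses, is to
# relax the policy instead of signing. It lowers the bar for every local script, not
# just this one, which is the "security aspects" trade-off the post refers to:
#   Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
```

Note that any later edit to the signed file, even a whitespace change, reverts it to HashMismatch, so signing has to be the last step before packaging the MSI.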

So, I’m currently at a loss about this issue and I’m not sure about how to move forward from this. But hey, at least it works on my machine!

(A big thanks to Markus Ljung, Cristian Libardo and Fredrik Tjärnberg for helping me along the way.)

  • Steve

    I agree, this is a pain. Getting people to make installations like this is hard enough, as one typically needs to learn some powershell scripting too. I’ve created my own certificate and signing with that, but that does not help when distributing stuff.

    Sigh…

  • Patrik Akselsson

    I guess episerver could help by providing some kind of signing programme. That would also enable them to offer a repository of third party modules that could be available from deployment center.