Fix SignCheck PowerShell script verification on .NET Core #16657
Merged
ViktorHofer merged 1 commit into main on Apr 1, 2026
The AuthentiCodeVerifier uses PEReader which only works for PE files (.exe/.dll), not text-based script files. When SignCheck encounters .ps1/.psd1/.psm1/.ps1xml files, PEReader throws 'Unknown file format'. Add PowerShellScriptVerifier (modeled after JavaScriptVerifier) with a custom ISecurityInfoProvider that reads '# SIG # Begin/End signature block' comment-embedded signatures from PowerShell scripts. This also makes PowerShell file verification cross-platform (previously Windows-only) and removes the dead .vsix header-detection branch since VsixVerifier was deleted. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
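The comment-embedded signature block that the commit message describes can be located and decoded as shown below. This is an added example, not the PR's `PowerShellScriptVerifier` code: the `SignatureBlock` class and `TryExtract` method are hypothetical names, and it assumes `#`-style comment markers with a base64 payload, as in signed .ps1/.psd1/.psm1 files.

```csharp
#nullable enable
using System;
using System.IO;
using System.Text;

// Added example: SignatureBlock and TryExtract are hypothetical names, not Arcade types.
public static class SignatureBlock
{
    private const string Begin = "# SIG # Begin signature block";
    private const string End = "# SIG # End signature block";

    // Returns the decoded signature bytes, or null when the script has no
    // complete, well-formed block. Assumes '#'-style comment lines.
    public static byte[]? TryExtract(string script)
    {
        var base64 = new StringBuilder();
        bool inBlock = false, closed = false;
        using var reader = new StringReader(script);
        for (string? line = reader.ReadLine(); line != null; line = reader.ReadLine())
        {
            string trimmed = line.TrimEnd();
            if (!inBlock)
            {
                if (trimmed == Begin) inBlock = true;
                continue;
            }
            if (trimmed == End) { closed = true; break; }
            // Every line between the markers must be a "# <base64>" comment.
            if (!trimmed.StartsWith("# ", StringComparison.Ordinal)) return null;
            base64.Append(trimmed, 2, trimmed.Length - 2);
        }
        if (!closed || base64.Length == 0) return null; // missing End marker or empty block
        try { return Convert.FromBase64String(base64.ToString()); }
        catch (FormatException) { return null; }         // payload is not valid base64
    }

    public static void Main()
    {
        // Constructed sample: the payload is placeholder bytes, not a real signature.
        string payload = Convert.ToBase64String(
            Encoding.ASCII.GetBytes("constructed placeholder, not a real PKCS #7 blob"));
        string signed = "Write-Host 'hi'\r\n\r\n" + Begin + "\r\n# " + payload.Substring(0, 32)
            + "\r\n# " + payload.Substring(32) + "\r\n" + End + "\r\n";
        Console.WriteLine(TryExtract(signed)?.Length);                  // decoded byte count
        Console.WriteLine(TryExtract(signed.Replace(End, "")) is null); // truncated block
        Console.WriteLine(TryExtract("Write-Host 'hi'") is null);       // unsigned script
    }
}
```

A non-null result only means a block is present and decodes; the bytes still have to be validated as a signature over the script content before the file is reported as signed.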
73c18d8 to
2fe4293
akoeplinger approved these changes on Apr 1, 2026
ViktorHofer added a commit to dotnet/dotnet that referenced this pull request on Apr 1, 2026
Port of dotnet/arcade#16657. The AuthentiCodeVerifier uses PEReader which only works for PE files (.exe/.dll), not text-based script files. When SignCheck encounters .ps1/.psd1/.psm1/.ps1xml files, PEReader throws 'Unknown file format'. Add PowerShellScriptVerifier (modeled after JavaScriptVerifier) with a custom ISecurityInfoProvider that reads '# SIG # Begin/End signature block' comment-embedded signatures from PowerShell scripts. This also makes PowerShell file verification cross-platform (previously Windows-only) and removes the dead .vsix header-detection branch since VsixVerifier was deleted. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ViktorHofer added a commit to dotnet/dotnet that referenced this pull request on Apr 1, 2026
…form PS script signing (#5829) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
The `AuthentiCodeVerifier` uses `PEReader` which only works for PE files (.exe/.dll), not text-based script files. When SignCheck encounters .ps1/.psd1/.psm1/.ps1xml files inside NuGet packages, `PEReader` throws an `Unknown file format` error:
```
[File] ...ps1, Signed: False, Virtual path: MSTest.Analyzers.4.2.1-preview.26181.4.nupkg/tools/install.ps1, Full Name: tools/install.ps1
[Error] Unknown file format.
```
This was introduced in dotnet/dotnet@4e09105 which replaced `#if NETFRAMEWORK` P/Invoke-based AuthentiCode verification with a `PEReader`-based approach.
Changes