vscode-powershell: v2024.2.0: PowerShell Terminal Fails to Load Due to PSES change to non-Windows-trusted Certificate
Prerequisites
- I have written a descriptive issue title.
- I have searched all open and closed issues to ensure it has not already been reported.
- I have read the troubleshooting guide.
- I am sure this issue is with the extension itself and does not reproduce in a standalone PowerShell instance.
- I have verified that I am using the latest version of Visual Studio Code and the PowerShell extension.
- If this is a security issue, I have read the security issue reporting guidance.
Summary
Hello. Since the extension updated itself to v2024.2.0, I can’t use the integrated PowerShell terminal in VS Code anymore; it won’t load. My ExecutionPolicy is set by GPO to AllSigned: it has always been like that, it worked like that, and it’s not planned to change. It’s as if the code in PSReadLine.format.ps1xml is now signed using a certificate that isn’t approved on my side, or it desperately tries to force the ExecutionPolicy to change, which it did not do before.
When I finally kill the terminal, here’s the output:
[Error - 8:47:47 AM] Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost: Unable to load PSReadLine. Will fall back to legacy readline implementation. - System.Management.Automation.CmdletInvocationException: Des erreurs se sont produites lors du chargement du fichier de données de format :
C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml, , C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml : le fichier a été ignoré en raison de l’exception de validation suivante : Impossible de charger le fichier C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml. Une chaîne de certificats a été traitée mais s’est terminée par un certificat racine qui n’est pas approuvé par le fournisseur d’approbation..
---> System.Management.Automation.RuntimeException: Des erreurs se sont produites lors du chargement du fichier de données de format :
C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml, , C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml : le fichier a été ignoré en raison de l’exception de validation suivante : Impossible de charger le fichier C:\Users\XXX\.vscode\extensions\ms-vscode.powershell-2024.2.0\modules\PSReadLine\2.4.0\PSReadLine.format.ps1xml. Une chaîne de certificats a été traitée mais s’est terminée par un certificat racine qui n’est pas approuvé par le fournisseur d’approbation..
à System.Management.Automation.Runspaces.InitialSessionState.ThrowTypeOrFormatErrors(String resourceString, String errorMsg, String errorId)
à System.Management.Automation.Runspaces.InitialSessionState.UpdateFormats(ExecutionContext context, Boolean update)
à System.Management.Automation.Runspaces.InitialSessionState.Bind_UpdateFormats(ExecutionContext context, Boolean updateOnly)
à System.Management.Automation.Runspaces.InitialSessionState.Bind(ExecutionContext context, Boolean updateOnly, PSModuleInfo module, Boolean noClobber, Boolean local)
à System.Management.Automation.Runspaces.InitialSessionState.Bind(ExecutionContext context, Boolean updateOnly)
à Microsoft.PowerShell.Commands.ModuleCmdletBase.LoadModuleManifest(String moduleManifestPath, ExternalScriptInfo manifestScriptInfo, Hashtable data, Hashtable localizedData, ManifestProcessingFlags manifestProcessingFlags, Version minimumVersion, Version maximumVersion, Version requiredVersion, Nullable`1 requiredModuleGuid, ImportModuleOptions& options, Boolean& containedErrors)
--- Fin de la trace de la pile d'exception interne ---
à System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
à System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
à System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
à System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
à System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
à System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.InvokeAndClear(PowerShell pwsh, PSInvocationSettings invocationSettings)
à Microsoft.PowerShell.EditorServices.Services.PowerShell.Console.PSReadLineProxy.LoadAndCreate(ILoggerFactory loggerFactory, String bundledModulePath, PowerShell pwsh)
à Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost.TryLoadPSReadLine(PowerShell pwsh, EngineIntrinsics engineIntrinsics, IReadLine& psrlReadLine) |
[Error - 8:47:47 AM] Microsoft.PowerShell.EditorServices.Services.PowerShell.Host.PsesInternalHost: Error occurred calling 'Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force' - System.Management.Automation.CmdletInvocationException: Windows PowerShell a correctement mis à jour votre stratégie d’exécution, mais ce paramétrage est remplacé par une stratégie définie dans un contexte plus spécifique. Votre environnement va donc conserver sa stratégie d’exécution actuelle, AllSigned. Tapez « Get-ExecutionPolicy -List » pour afficher les paramètres de stratégie d’exécution. Pour plus d’informations, voir « Get-Help Set-ExecutionPolicy ». ---> System.Security.SecurityException: Erreur de sécurité.
à System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
--- Fin de la trace de la pile d'exception interne ---
à System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
à System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
à System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
à System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
à System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
à System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.InvokeAndClear(PowerShell pwsh, PSInvocationSettings invocationSettings)
à Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.SetCorrectExecutionPolicy(PowerShell pwsh, ILogger logger) | Policy='Unrestricted'
[Warn - 8:52:46 AM] OmniSharp.Extensions.LanguageServer.Server.LspServerOutputFilter: Tried to send request or notification before initialization was completed and will be sent later OmniSharp.Extensions.JsonRpc.RequestCancelled | @Request='OmniSharp.Extensions.JsonRpc.RequestCancelled'
[Error - 10:48:27 AM] Server initialization failed.
Message: Pending response rejected since connection got disposed
Code: -32097
[Error - 10:48:27 AM] Connection to PowerShell Editor Services (the Extension Terminal) was closed. See below prompt to restart!
[Error - 10:48:27 AM] PowerShell Editor Services Client client: couldn't create connection to server.
Message: Pending response rejected since connection got disposed
Code: -32097
I rolled back to version 2024.0.0 and it works again.
PowerShell Version
Name Value
---- -----
PSVersion 5.1.19041.4170
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.4170
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Name : ConsoleHost
Version : 5.1.19041.4170
InstanceId : 86e284ae-6000-426e-aa83-129c82a8b98b
UI : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture : fr-FR
CurrentUICulture : fr-FR
PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled : True
IsRunspacePushed : False
Runspace : System.Management.Automation.Runspaces.LocalRunspace
Visual Studio Code Version
1.88.1
e170252f762678dec6ca2cc69aba1570769a5d39
x64
Extension Version
ms-vscode.powershell@2024.2.0
Steps to Reproduce
- Open VS Code and wait for the integrated PowerShell terminal to load and show a prompt
- It never happens; the terminal just stays like this:
PowerShell Extension v2024.2.0
Copyright (c) Microsoft Corporation.
https://aka.ms/vscode-powershell
Type 'help' to get help.
- Kill the terminal to see the output
Visuals
No response
Logs
No response
About this issue
- Original URL
- State: open
- Created 3 months ago
- Comments: 36 (16 by maintainers)
The Reactive DLL hasn’t changed, but it may have been incorrectly signed as Microsoft First Party when it is in fact Microsoft Community. That was my main query to @andyleejordan; it may have been “fixed”, but that now breaks the ability for the extension to be wholly “pre-signed” on Windows systems.
This is more of a legal issue than a technical one, so I have to defer to Andy as to whether that DLL can continue to be signed as it was before since it hasn’t changed, but future versions may still have the problem anyways. I imagine this may be a change in policy as supply-chain attacks such as Solarwinds, xz, etc. have probably made Microsoft extremely sensitive about these sorts of things.
That lines up with what I heard internally about AppLocker (that while it still exists, it’s mostly been deprecated in favor of WDAC due to better security boundaries, and hence its lack of support for dual-signing). Essentially, with the migration to an internal build/sign/release system called OneBranch, I am required to sign all the libraries I ship. When those are signed with a third-party certificate already, I must counter-sign it with that Microsoft 3rdparty Application Component certificate. I don’t really have a way around this, the pipeline fails otherwise.
Maybe it is in fact having a problem with those other DLLs; it just errors and exits first on Reactive.
Reopening the issue to address System.Reactive signing status. As an aside, I found the reference to System.Reactive which @TylerLeonhardt added 4 years ago: C:\Users\JGrote\Projects\PowerShellEditorServices\test\PowerShellEditorServices.Test.E2E\Processes\ServerProcess.cs. While we could unwind that, it is also referenced in OmniSharp.Extensions.JsonRPC as a transitive dependency.
So we wouldn’t be able to remove the assembly due to that entrenched dependency.
Also, doing a sigcheck, it looks like the DLL itself hasn’t changed in PSES between 2024.2.0 and 2024.3.2, so was this just a new detection of a previous mis-signing?
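For anyone hitting the same AllSigned failure, here is an added diagnostic script (not from the issue reporter or the PowerShell extension project) that does what the log and the sigcheck comment above do by hand: it shows which scope enforces the policy, then runs Get-AuthenticodeSignature over every file the extension bundles and builds each signer's chain so you can see which file fails and which root it ends in. It assumes the extension version folder shown in the issue; adjust the path to your install.

```powershell
# Added example, not part of the extension. Assumed path: the bundled modules
# folder of the extension version reported in the issue.
$modulesRoot = Join-Path $env:USERPROFILE '.vscode\extensions\ms-vscode.powershell-2024.2.0\modules'

# 1. Which scope actually enforces AllSigned? A GPO-set policy appears as
#    MachinePolicy or UserPolicy and takes precedence over -Scope Process,
#    which is why PSES's Set-ExecutionPolicy call in the log cannot override it.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Classify the signature of every file PowerShell will validate under AllSigned.
$results = Get-ChildItem -Path $modulesRoot -Recurse -Include '*.ps1xml','*.psd1','*.psm1','*.ps1','*.dll' |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $root = $null; $rootTrusted = $null; $chainStatus = $null
        if ($sig.SignerCertificate) {
            # Build the chain the way the trust provider does and look at its last element.
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; root trust is the question here
            $rootTrusted = $chain.Build($sig.SignerCertificate)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','  # e.g. UntrustedRoot
            $chain.Dispose()
        }
        [pscustomobject]@{
            File        = $_.FullName.Substring($modulesRoot.Length + 1)
            Status      = $sig.Status            # Valid, NotSigned, UnknownError, ...
            Signer      = $sig.SignerCertificate.Subject
            Root        = $root
            RootTrusted = $rootTrusted
            ChainStatus = $chainStatus
            Message     = $sig.StatusMessage
        }
    }

# 3. Under AllSigned anything not 'Valid' is refused, so list those first, then a summary.
$results | Where-Object Status -ne 'Valid' |
    Format-List File, Status, Signer, Root, RootTrusted, ChainStatus, Message
$results | Group-Object Status | Select-Object Name, Count
```

A file reported with Status UnknownError and ChainStatus UntrustedRoot is the one the French "chaîne de certificats ... certificat racine qui n'est pas approuvé" message in the log refers to; the Root column tells you which CA your machine's trust store would need to contain for that signature to be accepted.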
Not resolved yet
Couldn’t agree more.