This bit me in the back today.
Some days ago I started signing all my Hybrid Runbook Worker Runbooks. I sync to my Automation Accounts via GitHub so after making changes I had the following code in a script that would sign my Runbooks:
```powershell
# Sign the runbook. Needs to be from an admin pwsh so relaunch as that if not in one already.
# Snippet below modified from https://stackoverflow.com/a/40003511
$script = $MyInvocation.MyCommand.Definition
$ps = Join-Path $PSHome 'pwsh.exe'

# Thumbprint of the code-signing certificate in the LocalMachine\My store.
# Not defined in the snippet as posted; set it before running (placeholder value).
$SigningCertThumb = '<thumbprint placeholder>'

# Check if the user is in the local admin group
$isLocalAdmin = [bool]((net localgroup administrators) -match "$env:USERDOMAIN\\$env:USERNAME")

if ($isLocalAdmin) {
    # If the user is a local admin, check whether the current session is running as an admin
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) {
        # If not, relaunch the script elevated and exit this instance
        Start-Process $ps -Verb RunAs -ArgumentList (@('-File', $script) + $args)
        exit
    }
} else {
    # Not a local admin: relaunch under credentials that are, then exit this instance
    Start-Process $ps -ArgumentList (@('-File', $script) + $args) -Credential (Get-Credential)
    exit
}

# Load the signing certificate from the machine store and sign every runbook
$SigningCert = Get-ChildItem -Path cert:\LocalMachine\My\$SigningCertThumb
Set-AuthenticodeSignature .\Runbooks\*.ps1 -Certificate $SigningCert
```
The script works, and if I create new Runbooks with the signed Runbooks they execute fine. But if I sign a Runbook, sync to GitHub, then sync down to the Automation Account… they fail with the error in the post title. Not sure why but it sounds like the signature is not visible any more?
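The check I would run on the runbook folder both before pushing and after pulling, as an added example that is not code from the original post: it reports the Authenticode status of each `.ps1`, whether the signer is the expected certificate, whether the `# SIG # Begin signature block` trailer is still present, and the file's BOM and line-ending state. The last two are my assumption about where to look, since any byte-level change to a signed script (a stripped BOM, CRLF converted to LF) invalidates its hash even though the signature block is still there. The `$RunbookPath` default and `$ExpectedThumbprint` placeholder are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Report the Authenticode state of every runbook in
# a folder and the byte-level details that commonly explain a signature failing after a round
# trip through source control. Path default and thumbprint are placeholders (assumptions).
param(
    [string]$RunbookPath = '.\Runbooks',
    [string]$ExpectedThumbprint = '<thumbprint placeholder>'   # assumption: your signing cert
)

function Get-RunbookSignatureReport {
    param([string]$Path, [string]$Thumbprint)

    Get-ChildItem -Path $Path -Filter '*.ps1' | ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $text  = [System.IO.File]::ReadAllText($_.FullName)

        # UTF-8 or UTF-16 LE byte-order mark at the start of the file; removing it changes the hash.
        $hasBom = ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) -or
                  ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE)

        # Count CRLF and bare LF line endings; a CRLF->LF conversion also changes the hash.
        $crlf = ([regex]::Matches($text, "`r`n")).Count
        $lf   = ([regex]::Matches($text, "(?<!`r)`n")).Count

        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status            # Valid, HashMismatch, NotSigned, ...
            StatusMessage = $sig.StatusMessage
            SignerThumb   = $sig.SignerCertificate.Thumbprint
            SignerMatches = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
            HasSigBlock   = ($text -match '# SIG # Begin signature block')
            HasBom        = $hasBom
            CRLF          = $crlf
            LF            = $lf
        }
    }
}

$report = Get-RunbookSignatureReport -Path $RunbookPath -Thumbprint $ExpectedThumbprint
$report | Format-Table -AutoSize

# Fail the step if any runbook is not validly signed by the expected certificate,
# so an unsigned or altered runbook never reaches the Automation Account unnoticed.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.SignerMatches })
if ($bad.Count -gt 0) {
    Write-Error ("{0} runbook(s) are not validly signed: {1}" -f $bad.Count, ($bad.File -join ', '))
    exit 1
}
```

Run it against the working copy right after signing and again after the sync has pulled the files back; a file whose `HasSigBlock` is still true but whose `Status` has become `HashMismatch`, with different `HasBom` or `CRLF`/`LF` counts between the two runs, was altered in transit rather than stripped of its signature.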
For now I don’t have time to troubleshoot further as I have to go and manually upload all my signed Runbooks. :( It’s not even a case of overwriting the existing contents with the signed version – I have to delete the Runbook and recreate it.