Change signature validation logic to call first without the file content (PowerShell#14849)

JamesWTruher · web-flow · commit 907746cb2eb6 · 2021-02-23T12:23:16.000-08:00
diff --git a/src/System.Management.Automation/security/SecurityManager.cs b/src/System.Management.Automation/security/SecurityManager.cs
@@ -11,6 +11,7 @@
 using System.Management.Automation.Security;
 using System.Security;
 using System.Security.Cryptography.X509Certificates;
+using System.Text;
 
 using Dbg = System.Management.Automation;
 
@@ -516,15 +517,28 @@ private static void UntrustPublisher(Signature signature)
             }
         }
 
+        // Check the signature via the SIP which should never erroneously validate an invalid signature
+        // or altered script.
         private static Signature GetSignatureWithEncodingRetry(string path, ExternalScriptInfo script)
         {
-            string verificationContents = System.Text.Encoding.Unicode.GetString(script.OriginalEncoding.GetPreamble()) + script.ScriptContents;
-            Signature signature = SignatureHelper.GetSignature(path, verificationContents);
+            // Invoke the SIP directly with the most simple method
+            Signature signature = SignatureHelper.GetSignature(path, fileContent: null);
+            if (signature.Status == SignatureStatus.Valid)
+            {
+                return signature;
+            }
+
+            // try harder to validate the signature by being explicit about encoding
+            // and providing the script contents
+            string verificationContents = Encoding.Unicode.GetString(script.OriginalEncoding.GetPreamble()) + script.ScriptContents;
+            signature = SignatureHelper.GetSignature(path, verificationContents);
 
+            // A last ditch effort -
             // If the file was originally ASCII or UTF8, the SIP may have added the Unicode BOM
-            if ((signature.Status != SignatureStatus.Valid) && (script.OriginalEncoding != System.Text.Encoding.Unicode))
+            if (signature.Status != SignatureStatus.Valid
+                && script.OriginalEncoding != Encoding.Unicode)
             {
-                verificationContents = System.Text.Encoding.Unicode.GetString(System.Text.Encoding.Unicode.GetPreamble()) + script.ScriptContents;
+                verificationContents = Encoding.Unicode.GetString(Encoding.Unicode.GetPreamble()) + script.ScriptContents;
                 Signature fallbackSignature = SignatureHelper.GetSignature(path, verificationContents);
 
                 if (fallbackSignature.Status == SignatureStatus.Valid)
