Skip to content

Fix hash mismatch on signed dotnet-install.ps1 (non-ASCII characters)#730

Merged
ellahathaway merged 1 commit into
mainfrom
ellahathaway-fix-ps1-hash-mismatch-non-ascii
Jul 7, 2026
Merged

Fix hash mismatch on signed dotnet-install.ps1 (non-ASCII characters)#730
ellahathaway merged 1 commit into
mainfrom
ellahathaway-fix-ps1-hash-mismatch-non-ascii

Conversation

@ellahathaway

@ellahathaway ellahathaway commented Jul 6, 2026

Copy link
Copy Markdown
Member

Why

Users running the signed dotnet-install.ps1 (from https://dot.net/v1/dotnet-install.ps1) under the AllSigned execution policy hit:

the hash of the file does not match the hash stored in the digital signature

This is a recurrence of #541 (previously fixed in #543 by removing an emoji).

Root cause

src/dotnet-install.ps1 contained two non-ASCII em dash characters (U+2014) in code comments on lines 942 and 959, introduced in #697. The file is saved without a byte-order mark, and when a script containing non-ASCII characters is Authenticode-signed without a BOM, its content hash fails validation on machines whose active code page differs from the signing machine. See the Microsoft troubleshooting guide. The .sh script was unaffected.

Approach

  • Replaced both em dashes with plain ASCII hyphens. Comments only, so there is no runtime behavior change. Verified the file has zero non-ASCII bytes, no BOM was introduced, and CRLF line endings are preserved.
  • Added a cross-platform regression test (ScriptEncodingTests) that reads both install scripts as bytes and fails with the exact line and offset if any byte is greater than 127. Since this bug class has now shipped twice, the test guards against a third recurrence.

Validation

  • The new test passes against both scripts after the fix.
  • Confirmed the guard actually works by temporarily injecting a non-ASCII byte (the test failed as expected), then reverting.

I chose to remove the characters rather than add a UTF-8 BOM, matching the precedent from #543.

Fixes: #729

The signed PowerShell script contained two non-ASCII em dash characters (U+2014) in comments, introduced by #697. When Authenticode-signed without a BOM, non-ASCII content causes the file hash to fail validation across differing code pages, producing the 'hash does not match the digital signature' error under AllSigned policy. This is a recurrence of #541 (fixed in #543 by removing an emoji).

Replace the em dashes with ASCII hyphens and add a regression test that asserts both install scripts contain only ASCII bytes, guarding against a third recurrence.

Fixes #729

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@ellahathaway ellahathaway merged commit 4a37a9f into main Jul 7, 2026
5 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Rollout in .NET Install Scripts Jul 7, 2026
@ellahathaway ellahathaway deleted the ellahathaway-fix-ps1-hash-mismatch-non-ascii branch July 7, 2026 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Rollout

Development

Successfully merging this pull request may close these issues.

The script failed to execute due to hash mismatch

2 participants