Skip to content

PowerShell.MCP v1.7.7 - Authenticode-Signed Windows Binaries

Choose a tag to compare

View all tags
@yotsuda yotsuda released this 18 Apr 02:45
· 49 commits to main since this release
v1.7.7
da7e527

Authenticode-Signed Windows Binaries

PowerShell.MCP.dll and PowerShell.MCP.Proxy.exe (win-x64) are now Authenticode-signed with the yotsuda code-signing certificate. This unblocks installation on machines with Windows Defender Application Control (WDAC) / Device Guard policies that require trusted publisher signatures.

The same certificate signs binaries across all yotsuda OSS projects, so trusting it once covers future releases of all of them.

Closes #46 — thanks @rblinton for the report!

What's New

Authenticode signing (Windows binaries)

Windows binaries are now signed with a self-signed certificate. The public certificate (yotsuda.cer) and full installation instructions for personal PCs, Active Directory domains, and WDAC environments are published at:

https://github.com/yotsuda/code-signing

Verify a signed binary on your machine:

Get-AuthenticodeSignature `
    "$((Get-Module PowerShell.MCP -ListAvailable).ModuleBase)\bin\win-x64\PowerShell.MCP.Proxy.exe"

The signer thumbprint should match the values below.

Certificate details

Field Value
Subject CN=yotsuda, O=Yoshifumi Tsuda, C=JP
Validity 2026-04-18 to 2036-04-18
Thumbprint (SHA-1) 74E5208228DFB12A067747D536BF497B6E98C73C
Thumbprint (SHA-256) ABCE0AFEE35BD19EE1DF8F16E64436439516DDC3FD40229EA7786A8B23BC8013

Note on other platforms: Authenticode is Windows-specific. macOS and Linux binaries are not signed in this release — their security models differ (macOS uses Gatekeeper/notarization with a paid Apple Developer ID; Linux has no comparable system enforcement).

Third-party license notices (Ude.NetStandard)

The bundled Ude.NetStandard.dll (used for character set detection) is redistributed under LGPL-2.1. The full license text and attribution are now included in the module under licenses/Ude.NetStandard/ and THIRD_PARTY_NOTICES.md.

Status line fix (multi-line pipelines)

Pipelines with leading newlines previously rendered a useless Pipeline: ... (or empty Pipeline:) in the status line. Status line truncation now strips leading whitespace before extracting the first line, so multi-line scripts are summarized correctly.

macOS console launch fix (Terminal.app / zsh quoting)

On macOS, Terminal.app's zsh parsed ''default'' in the spawned pwsh -Command argument as the bareword default, breaking $global:PowerShellMCPAgentId assignment and the IPC handshake — so the MCP connection would briefly show "Connected" and then drop. The init command is now written to a temp .ps1 file and executed with pwsh -File, avoiding shell quoting entirely. Same class of bug as #39 (Linux), now fixed for macOS.

Closes #45 — thanks @ben1440 for the detailed report with reproduction steps and the pointer to the Linux fix, and @mikenelson-io for confirming the issue!

What's Changed Since v1.7.6

  • Authenticode signing for PowerShell.MCP.dll and PowerShell.MCP.Proxy.exe (win-x64)
  • Build-AllPlatforms.ps1 gains a -Sign switch (off by default; signing only happens on publish builds, with the PFX passphrase prompted interactively)
  • licenses/Ude.NetStandard/ and THIRD_PARTY_NOTICES.md added (LGPL-2.1 compliance for bundled Ude.NetStandard.dll)
  • README: new "Enterprise Deployment (WDAC / Device Guard)" section linking to the code-signing repo
  • Status line: leading whitespace/newlines no longer collapse the displayed pipeline to ... or empty
  • macOS: Terminal.app/zsh quoting fix — init script now delivered via temp .ps1 file to avoid ''default'' bareword parsing (closes #45)

Installation & Upgrade

Windows

# New installation
Install-PSResource PowerShell.MCP

# Upgrade existing
Update-PSResource PowerShell.MCP

Linux / macOS

# Install
Install-PSResource PowerShell.MCP

# Set execute permission
chmod +x (Get-MCPProxyPath)

Update MCP Configuration

For Claude Code:

Register-PwshToClaudeCode

For Claude Desktop:

Register-PwshToClaudeDesktop

For other MCP clients: Run Get-MCPProxyPath -Escape to get the JSON-escaped executable path, then add it to your client's configuration file manually.

Restart your MCP client after updating.

Full Documentation: https://github.com/yotsuda/PowerShell.MCP

Questions? GitHub Discussions | Report Issues: GitHub Issues

Contributors

mikenelson-io, rblinton, and ben1440
Assets 2
Loading