ansible-core 2.19.0b3__py3-none-any.whl → 2.19.0b5__py3-none-any.whl

ansible/executor/module_common.py

@@ -40,6 +40,7 @@ from ansible._internal import _locking
 from ansible._internal._datatag import _utils
 from ansible.module_utils._internal import _dataclass_validation
 from ansible.module_utils.common.yaml import yaml_load
+from ansible.module_utils.datatag import deprecator_from_collection_name
 from ansible._internal._datatag._tags import Origin
 from ansible.module_utils.common.json import Direction, get_module_encoder
 from ansible.release import __version__, __author__
@@ -55,7 +56,6 @@ from ansible.template import Templar
 from ansible.utils.collection_loader._collection_finder import _get_collection_metadata, _nested_dict_get
 from ansible.module_utils._internal import _json, _ansiballz
 from ansible.module_utils import basic as _basic
-from ansible.module_utils.common import messages as _messages
 
 if t.TYPE_CHECKING:
     from ansible import template as _template
@@ -166,7 +166,7 @@ NEW_STYLE_PYTHON_MODULE_RE = re.compile(
 
 
 class ModuleDepFinder(ast.NodeVisitor):
-    # DTFIX-RELEASE: add support for ignoring imports with a "controller only" comment, this will allow replacing import_controller_module with standard imports
+    # DTFIX-FUTURE: add support for ignoring imports with a "controller only" comment, this will allow replacing import_controller_module with standard imports
     def __init__(self, module_fqn, tree, is_pkg_init=False, *args, **kwargs):
         """
         Walk the ast tree for the python module.
@@ -439,7 +439,7 @@ class ModuleUtilLocatorBase:
                 version=removal_version,
                 removed=removed,
                 date=removal_date,
-                deprecator=_messages.PluginInfo._from_collection_name(self._collection_name),
+                deprecator=deprecator_from_collection_name(self._collection_name),
             )
         if 'redirect' in routing_entry:
             self.redirected = True
@@ -618,7 +618,7 @@ class CollectionModuleUtilLocator(ModuleUtilLocatorBase):
         if pkg_path:
             origin = Origin(path=os.path.join(pkg_path, src_path))
         else:
-            # DTFIX-RELEASE: not sure if this case is even reachable
+            # DTFIX-FUTURE: not sure if this case is even reachable
             origin = Origin(description=f'<synthetic collection package for {collection_pkg_name}!r>')
 
         self.source_code = origin.tag(src)
@@ -658,7 +658,7 @@ metadata_versions: dict[t.Any, type[ModuleMetadata]] = {
 
 
 def _get_module_metadata(module: ast.Module) -> ModuleMetadata:
-    # DTFIX-RELEASE: while module metadata works, this feature isn't fully baked and should be turned off before release
+    # DTFIX2: while module metadata works, this feature isn't fully baked and should be turned off before release
     metadata_nodes: list[ast.Assign] = []
 
     for node in module.body:
@@ -928,7 +928,7 @@ class _BuiltModule:
 class _CachedModule:
     """Cached Python module created by AnsiballZ."""
 
-    # DTFIX-RELEASE: secure this (locked down pickle, don't use pickle, etc.)
+    # DTFIX5: secure this (locked down pickle, don't use pickle, etc.)
 
     zip_data: bytes
     metadata: ModuleMetadata
@@ -991,10 +991,8 @@ def _find_module_utils(
         module_substyle = 'powershell'
         b_module_data = b_module_data.replace(REPLACER_WINDOWS, b'#AnsibleRequires -PowerShell Ansible.ModuleUtils.Legacy')
     elif re.search(b'#Requires -Module', b_module_data, re.IGNORECASE) \
-            or re.search(b'#Requires -Version', b_module_data, re.IGNORECASE)\
-            or re.search(b'#AnsibleRequires -OSVersion', b_module_data, re.IGNORECASE) \
-            or re.search(b'#AnsibleRequires -Powershell', b_module_data, re.IGNORECASE) \
-            or re.search(b'#AnsibleRequires -CSharpUtil', b_module_data, re.IGNORECASE):
+            or re.search(b'#Requires -Version', b_module_data, re.IGNORECASE) \
+            or re.search(b'#AnsibleRequires -(OSVersion|PowerShell|CSharpUtil|Wrapper)', b_module_data, re.IGNORECASE):
         module_style = 'new'
         module_substyle = 'powershell'
     elif REPLACER_JSONARGS in b_module_data:

ansible/executor/powershell/async_watchdog.ps1

@@ -40,7 +40,7 @@ param([ScriptBlock]$ScriptBlock, $Param)
 & $ScriptBlock.Ast.GetScriptBlock() @Param
 '@).AddParameters(
     @{
-        ScriptBlock = $execInfo.ScriptBlock
+        ScriptBlock = $execInfo.ScriptInfo.ScriptBlock
         Param = $execInfo.Parameters
     })
 
@@ -64,7 +64,7 @@ $jobError = $null
 try {
     $jobAsyncResult = $ps.BeginInvoke($pipelineInput, $invocationSettings, $null, $null)
     $jobAsyncResult.AsyncWaitHandle.WaitOne($Timeout * 1000) > $null
-    $result.finished = 1
+    $result.finished = $true
 
     if ($jobAsyncResult.IsCompleted) {
         $jobOutput = $ps.EndInvoke($jobAsyncResult)

ansible/executor/powershell/async_wrapper.ps1

@@ -113,7 +113,7 @@ try {
     }
     $execWrapper = @{
         name = 'exec_wrapper-async.ps1'
-        script = $execAction.Script
+        script = $execAction.ScriptInfo.Script
         params = $execAction.Parameters
     } | ConvertTo-Json -Compress -Depth 99
     $asyncInput = "$execWrapper`n`0`0`0`0`n$($execAction.InputData)"
@@ -135,8 +135,8 @@ try {
     # We need to write the result file before the process is started to ensure
     # it can read the file.
     $result = @{
-        started = 1
-        finished = 0
+        started = $true
+        finished = $false
         results_file = $resultsPath
         ansible_job_id = $localJid
         _ansible_suppress_tmpdir_delete = $true

ansible/executor/powershell/become_wrapper.ps1

@@ -7,6 +7,7 @@ using namespace System.Collections
 using namespace System.Diagnostics
 using namespace System.IO
 using namespace System.Management.Automation
+using namespace System.Management.Automation.Security
 using namespace System.Net
 using namespace System.Text
 
@@ -53,7 +54,7 @@ $executablePath = Join-Path -Path $PSHome -ChildPath $executable
 $actionInfo = Get-AnsibleExecWrapper -EncodeInputOutput
 $bootstrapManifest = ConvertTo-Json -InputObject @{
     n = "exec_wrapper-become-$([Guid]::NewGuid()).ps1"
-    s = $actionInfo.Script
+    s = $actionInfo.ScriptInfo.Script
     p = $actionInfo.Parameters
 } -Depth 99 -Compress
 
@@ -68,9 +69,26 @@ $m=foreach($i in $input){
 $m=$m|ConvertFrom-Json
 $p=@{}
 foreach($o in $m.p.PSObject.Properties){$p[$o.Name]=$o.Value}
+'@
+
+if ([SystemPolicy]::GetSystemLockdownPolicy() -eq 'Enforce') {
+    # If we started in CLM we need to execute the script from a file so that
+    # PowerShell validates our exec_wrapper is trusted and will run in FLM.
+    $command += @'
+$n=Join-Path $env:TEMP $m.n
+$null=New-Item $n -Value $m.s -Type File -Force
+try{$input|&$n @p}
+finally{if(Test-Path -LiteralPath $n){Remove-Item -LiteralPath $n -Force}}
+'@
+}
+else {
+    # If we started in FLM we pass the script through stdin and execute in
+    # memory.
+    $command += @'
 $c=[System.Management.Automation.Language.Parser]::ParseInput($m.s,$m.n,[ref]$null,[ref]$null).GetScriptBlock()
-$input | & $c @p
+$input|&$c @p
 '@
+}
 
 # Strip out any leading or trailing whitespace and remove empty lines.
 $command = @(

ansible/executor/powershell/bootstrap_wrapper.ps1

@@ -18,10 +18,32 @@ foreach ($obj in $code.params.PSObject.Properties) {
     $splat[$obj.Name] = $obj.Value
 }
 
-$cmd = [System.Management.Automation.Language.Parser]::ParseInput(
-    $code.script,
-    "$($code.name).ps1", # Name is used in stack traces.
-    [ref]$null,
-    [ref]$null).GetScriptBlock()
+$filePath = $null
+try {
+    $cmd = if ($ExecutionContext.SessionState.LanguageMode -eq 'FullLanguage') {
+        # In FLM we can just invoke the code as a scriptblock without touching the
+        # disk.
+        [System.Management.Automation.Language.Parser]::ParseInput(
+            $code.script,
+            "$($code.name).ps1", # Name is used in stack traces.
+            [ref]$null,
+            [ref]$null).GetScriptBlock()
+    }
+    else {
+        # CLM needs to execute code from a file for it to run in FLM when trusted.
+        # Set-Item on 5.1 doesn't have a way to use UTF-8 without a BOM but luckily
+        # New-Item does that by default for both 5.1 and 7. We need to ensure we
+        # use UTF-8 without BOM so the signature is correct.
+        $filePath = Join-Path -Path $env:TEMP -ChildPath "$($code.name)-$(New-Guid).ps1"
+        $null = New-Item -Path $filePath -Value $code.script -ItemType File -Force
+
+        $filePath
+    }
 
-$input | & $cmd @splat
+    $input | & $cmd @splat
+}
+finally {
+    if ($filePath -and (Test-Path -LiteralPath $filePath)) {
+        Remove-Item -LiteralPath $filePath -Force
+    }
+}

ansible/executor/powershell/coverage_wrapper.ps1

@@ -28,8 +28,12 @@ $Host.Runspace.Debugger.SetDebugMode([DebugModes]::RemoteScript)
 Function New-CoverageBreakpointsForScriptBlock {
     Param (
         [Parameter(Mandatory)]
-        [ScriptBlock]
-        $ScriptBlock,
+        [string]
+        $ScriptName,
+
+        [Parameter(Mandatory)]
+        [ScriptBlockAst]
+        $ScriptBlockAst,
 
         [Parameter(Mandatory)]
         [String]
@@ -39,7 +43,7 @@ Function New-CoverageBreakpointsForScriptBlock {
     $predicate = {
         $args[0] -is [CommandBaseAst]
     }
-    $scriptCmds = $ScriptBlock.Ast.FindAll($predicate, $true)
+    $scriptCmds = $ScriptBlockAst.FindAll($predicate, $true)
 
     # Create an object that tracks the Ansible path of the file and the breakpoints that have been set in it
     $info = [PSCustomObject]@{
@@ -68,7 +72,7 @@ Function New-CoverageBreakpointsForScriptBlock {
         }
 
         # Action is explicitly $null as it will slow down the runtime quite dramatically.
-        $b = $lineCtor.Invoke(@($ScriptBlock.File, $cmd.Extent.StartLineNumber, $cmd.Extent.StartColumnNumber, $null))
+        $b = $lineCtor.Invoke(@($ScriptName, $cmd.Extent.StartLineNumber, $cmd.Extent.StartColumnNumber, $null))
         $info.Breakpoints.Add($b)
     }
 
@@ -102,11 +106,16 @@ try {
     $coveragePathFilter = $PathFilter.Split(":", [StringSplitOptions]::RemoveEmptyEntries)
     $breakpointInfo = @(
         foreach ($scriptName in @($ModuleName; $actionParams.PowerShellModules)) {
-            $scriptInfo = Get-AnsibleScript -Name $scriptName -IncludeScriptBlock
+            # We don't use -IncludeScriptBlock as the script might be untrusted
+            # and will run under CLM. While we recreate the ScriptBlock here it
+            # is only to get the AST that contains the statements and their
+            # line numbers to create the breakpoint info for.
+            $scriptInfo = Get-AnsibleScript -Name $scriptName
 
             if (Compare-PathFilterPattern -Patterns $coveragePathFilter -Path $scriptInfo.Path) {
                 $covParams = @{
-                    ScriptBlock = $scriptInfo.ScriptBlock
+                    ScriptName = $scriptInfo.Name
+                    ScriptBlockAst = [ScriptBlock]::Create($scriptInfo.Script).Ast
                     AnsiblePath = $scriptInfo.Path
                 }
                 New-CoverageBreakpointsForScriptBlock @covParams

ansible/executor/powershell/exec_wrapper.ps1

@@ -9,6 +9,7 @@ using namespace System.Linq
 using namespace System.Management.Automation
 using namespace System.Management.Automation.Language
 using namespace System.Management.Automation.Security
+using namespace System.Reflection
 using namespace System.Security.Cryptography
 using namespace System.Text
 
@@ -53,6 +54,10 @@ begin {
     $ErrorActionPreference = "Stop"
     $ProgressPreference = "SilentlyContinue"
 
+    if ($PSCommandPath -and (Test-Path -LiteralPath $PSCommandPath)) {
+        Remove-Item -LiteralPath $PSCommandPath -Force
+    }
+
     # Try and set the console encoding to UTF-8 allowing Ansible to read the
     # output of the wrapper as UTF-8 bytes.
     try {
@@ -89,6 +94,9 @@ begin {
     }
 
     # $Script:AnsibleManifest = @{}  # Defined in process/end.
+    $Script:AnsibleShouldConstrain = [SystemPolicy]::GetSystemLockdownPolicy() -eq 'Enforce'
+    $Script:AnsibleTrustedHashList = [HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
+    $Script:AnsibleUnsupportedHashList = [HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
     $Script:AnsibleWrapperWarnings = [List[string]]::new()
     $Script:AnsibleTempPath = @(
         # Wrapper defined tmpdir
@@ -110,6 +118,8 @@ begin {
             $false
         }
     } | Select-Object -First 1
+    $Script:AnsibleTempScripts = [List[string]]::new()
+    $Script:AnsibleClrFacadeSet = $false
 
     Function Convert-JsonObject {
         param(
@@ -147,7 +157,11 @@ begin {
 
             [Parameter()]
             [switch]
-            $IncludeScriptBlock
+            $IncludeScriptBlock,
+
+            [Parameter()]
+            [switch]
+            $SkipHashCheck
         )
 
         if (-not $Script:AnsibleManifest.scripts.Contains($Name)) {
@@ -172,11 +186,93 @@ begin {
                 [ref]$null).GetScriptBlock()
         }
 
-        [PSCustomObject]@{
+        $outputValue = [PSCustomObject]@{
             Name = $Name
             Script = $scriptContents
             Path = $scriptInfo.path
             ScriptBlock = $sbk
+            ShouldConstrain = $false
+        }
+
+        if (-not $Script:AnsibleShouldConstrain) {
+            $outputValue
+            return
+        }
+
+        if (-not $SkipHashCheck) {
+            $sha256 = [SHA256]::Create()
+            $scriptHash = [BitConverter]::ToString($sha256.ComputeHash($scriptBytes)).Replace("-", "")
+            $sha256.Dispose()
+
+            if ($Script:AnsibleUnsupportedHashList.Contains($scriptHash)) {
+                $err = [ErrorRecord]::new(
+                    [Exception]::new("Provided script for '$Name' is marked as unsupported in CLM mode."),
+                    "ScriptUnsupported",
+                    [ErrorCategory]::SecurityError,
+                    $Name)
+                $PSCmdlet.ThrowTerminatingError($err)
+            }
+            elseif ($Script:AnsibleTrustedHashList.Contains($scriptHash)) {
+                $outputValue
+                return
+            }
+        }
+
+        # If we have reached here we are running in a locked down environment
+        # and the script is not trusted in the signed hashlists. Check if it
+        # contains the authenticode signature and verify that using PowerShell.
+        # [SystemPolicy]::GetFilePolicyEnforcement(...) is a new API but only
+        # present in Server 2025+ so we need to rely on the known behaviour of
+        # Get-Command to fail with CommandNotFoundException if the script is
+        # not allowed to run.
+        $outputValue.ShouldConstrain = $true
+        if ($scriptContents -like "*`r`n# SIG # Begin signature block`r`n*") {
+            Set-WinPSDefaultFileEncoding
+
+            # If the script is manually signed we need to ensure the signature
+            # is valid and trusted by the OS policy.
+            # We must use '.ps1' so the ExternalScript WDAC check will apply.
+            $tmpFile = [Path]::Combine($Script:AnsibleTempPath, "ansible-tmp-$([Guid]::NewGuid()).ps1")
+            try {
+                [File]::WriteAllBytes($tmpFile, $scriptBytes)
+                $cmd = Get-Command -Name $tmpFile -CommandType ExternalScript -ErrorAction Stop
+
+                # Get-Command caches the file contents after loading which we
+                # use to verify it was not modified before the signature check.
+                $expectedScript = $cmd.OriginalEncoding.GetString($scriptBytes)
+                if ($expectedScript -ne $cmd.ScriptContents) {
+                    $err = [ErrorRecord]::new(
+                        [Exception]::new("Script has been modified during signature check."),
+                        "ScriptModifiedTrusted",
+                        [ErrorCategory]::SecurityError,
+                        $Name)
+                    $PSCmdlet.ThrowTerminatingError($err)
+                }
+
+                $outputValue.ShouldConstrain = $false
+            }
+            catch [CommandNotFoundException] {
+                $null = $null  # No-op but satisfies the linter.
+            }
+            finally {
+                if (Test-Path -LiteralPath $tmpFile) {
+                    Remove-Item -LiteralPath $tmpFile -Force
+                }
+            }
+        }
+
+        if ($outputValue.ShouldConstrain -and $IncludeScriptBlock) {
+            # If the script is untrusted and a scriptblock was requested we
+            # error out as the sbk would have run in FLM.
+            $err = [ErrorRecord]::new(
+                [Exception]::new("Provided script for '$Name' is not trusted to run."),
+                "ScriptNotTrusted",
+                [ErrorCategory]::SecurityError,
+                $Name)
+            $PSCmdlet.ThrowTerminatingError($err)
+        }
+        else {
+            $outputValue
         }
     }
 
@@ -223,7 +319,7 @@ begin {
             $IncludeScriptBlock
         )
 
-        $sbk = Get-AnsibleScript -Name exec_wrapper.ps1 -IncludeScriptBlock:$IncludeScriptBlock
+        $scriptInfo = Get-AnsibleScript -Name exec_wrapper.ps1 -IncludeScriptBlock:$IncludeScriptBlock
         $params = @{
             # TempPath may contain env vars that change based on the runtime
             # environment. Ensure we use that and not the $script:AnsibleTempPath
@@ -244,8 +340,7 @@ begin {
         }
 
         [PSCustomObject]@{
-            Script = $sbk.Script
-            ScriptBlock = $sbk.ScriptBlock
+            ScriptInfo = $scriptInfo
             Parameters = $params
             InputData = $inputData
         }
@@ -279,11 +374,16 @@ begin {
 
         $isBasicUtil = $false
         $csharpModules = foreach ($moduleName in $Name) {
-            (Get-AnsibleScript -Name $moduleName).Script
+            $scriptInfo = Get-AnsibleScript -Name $moduleName
 
+            if ($scriptInfo.ShouldConstrain) {
+                throw "C# module util '$Name' is not trusted and cannot be loaded."
+            }
             if ($moduleName -eq 'Ansible.Basic.cs') {
                 $isBasicUtil = $true
             }
+
+            $scriptInfo.Script
         }
 
         $fakeModule = [PSCustomObject]@{
@@ -303,6 +403,112 @@ begin {
         }
     }
 
+    Function Import-SignedHashList {
+        [CmdletBinding()]
+        param (
+            [Parameter(Mandatory, ValueFromPipeline)]
+            [string]
+            $Name
+        )
+
+        process {
+            try {
+                # We skip the hash check to ensure we verify based on the
+                # authenticode signature and not whether it's trusted by an
+                # existing signed hash list.
+                $scriptInfo = Get-AnsibleScript -Name $Name -SkipHashCheck
+                if ($scriptInfo.ShouldConstrain) {
+                    throw "script is not signed or not trusted to run."
+                }
+
+                $hashListAst = [Parser]::ParseInput(
+                    $scriptInfo.Script,
+                    $Name,
+                    [ref]$null,
+                    [ref]$null)
+                $manifestAst = $hashListAst.Find({ $args[0] -is [HashtableAst] }, $false)
+                if ($null -eq $manifestAst) {
+                    throw "expecting a single hashtable in the signed manifest."
+                }
+
+                $out = $manifestAst.SafeGetValue()
+                if (-not $out.Contains('Version')) {
+                    throw "expecting hash list to contain 'Version' key."
+                }
+                if ($out.Version -ne 1) {
+                    throw "unsupported hash list Version $($out.Version), expecting 1."
+                }
+
+                if (-not $out.Contains('HashList')) {
+                    throw "expecting hash list to contain 'HashList' key."
+                }
+
+                $out.HashList | ForEach-Object {
+                    if ($_ -isnot [hashtable] -or -not $_.ContainsKey('Hash') -or $_.Hash -isnot [string] -or $_.Hash.Length -ne 64) {
+                        throw "expecting hash list to contain hashtable with Hash key with a value of a SHA256 strings."
+                    }
+
+                    if ($_.Mode -eq 'Trusted') {
+                        $null = $Script:AnsibleTrustedHashList.Add($_.Hash)
+                    }
+                    elseif ($_.Mode -eq 'Unsupported') {
+                        # Allows us to provide a better error when trying to run
+                        # something in CLM that is marked as unsupported.
+                        $null = $Script:AnsibleUnsupportedHashList.Add($_.Hash)
+                    }
+                    else {
+                        throw "expecting hash list entry for $($_.Hash) to contain a mode of 'Trusted' or 'Unsupported' but got '$($_.Mode)'."
+                    }
+                }
+            }
+            catch {
+                $_.ErrorDetails = [ErrorDetails]::new("Failed to process signed manifest '$Name': $_")
+                $PSCmdlet.WriteError($_)
+            }
+        }
+    }
+
+    Function New-TempAnsibleFile {
+        [OutputType([string])]
+        [CmdletBinding()]
+        param (
+            [Parameter(Mandatory)]
+            [string]
+            $FileName,
+
+            [Parameter(Mandatory)]
+            [string]
+            $Content
+        )
+
+        $name = [Path]::GetFileNameWithoutExtension($FileName)
+        $ext = [Path]::GetExtension($FileName)
+        $newName = "$($name)-$([Guid]::NewGuid())$ext"
+
+        $path = Join-Path -Path $Script:AnsibleTempPath $newName
+        Set-WinPSDefaultFileEncoding
+        [File]::WriteAllText($path, $Content, [UTF8Encoding]::new($false))
+
+        $path
+    }
+
+    Function Set-WinPSDefaultFileEncoding {
+        [CmdletBinding()]
+        param ()
+
+        # WinPS defaults to the locale encoding when loading a script from the
+        # file path but in Ansible we expect it to always be UTF-8 without a
+        # BOM. This lazily sets an internal field so pwsh reads it as UTF-8.
+        # If we don't do this then scripts saved as UTF-8 on the Ansible
+        # controller will not run as expected.
+        if ($PSVersionTable.PSVersion -lt '6.0' -and -not $Script:AnsibleClrFacadeSet) {
+            $clrFacade = [PSObject].Assembly.GetType('System.Management.Automation.ClrFacade')
+            $defaultEncodingField = $clrFacade.GetField('_defaultEncoding', [BindingFlags]'NonPublic, Static')
+            $defaultEncodingField.SetValue($null, [UTF8Encoding]::new($false))
+            $Script:AnsibleClrFacadeSet = $true
+        }
+    }
+
     Function Write-AnsibleErrorJson {
         [CmdletBinding()]
         param (
@@ -414,6 +620,10 @@ begin {
             $Script:AnsibleManifest = $Manifest
         }
 
+        if ($Script:AnsibleShouldConstrain) {
+            $Script:AnsibleManifest.signed_hashlist | Import-SignedHashList
+        }
+
         $actionInfo = Get-NextAnsibleAction
         $actionParams = $actionInfo.Parameters
 
@@ -500,5 +710,8 @@ end {
     }
     finally {
         $actionPipeline.Dispose()
+        if ($Script:AnsibleTempScripts) {
+            Remove-Item -LiteralPath $Script:AnsibleTempScripts -Force -ErrorAction Ignore
+        }
     }
 }

ansible/executor/powershell/module_manifest.py

@@ -30,6 +30,7 @@ from ansible.plugins.loader import ps_module_utils_loader
 class _ExecManifest:
     scripts: dict[str, _ScriptInfo] = dataclasses.field(default_factory=dict)
     actions: list[_ManifestAction] = dataclasses.field(default_factory=list)
+    signed_hashlist: list[str] = dataclasses.field(default_factory=list)
 
 
 @dataclasses.dataclass(frozen=True, kw_only=True)
@@ -54,6 +55,11 @@ class PSModuleDepFinder(object):
     def __init__(self) -> None:
         # This is also used by validate-modules to get a module's required utils in base and a collection.
         self.scripts: dict[str, _ScriptInfo] = {}
+        self.signed_hashlist: set[str] = set()
+
+        if builtin_hashlist := _get_powershell_signed_hashlist():
+            self.signed_hashlist.add(builtin_hashlist.path)
+            self.scripts[builtin_hashlist.path] = builtin_hashlist
 
         self._util_deps: dict[str, set[str]] = {}
 
@@ -119,6 +125,15 @@ class PSModuleDepFinder(object):
         lines = module_data.split(b'\n')
         module_utils: set[tuple[str, str, bool]] = set()
 
+        if fqn and fqn.startswith("ansible_collections."):
+            submodules = fqn.split('.')
+            collection_name = '.'.join(submodules[:3])
+
+            collection_hashlist = _get_powershell_signed_hashlist(collection_name)
+            if collection_hashlist and collection_hashlist.path not in self.signed_hashlist:
+                self.signed_hashlist.add(collection_hashlist.path)
+                self.scripts[collection_hashlist.path] = collection_hashlist
+
         if powershell:
             checks = [
                 # PS module contains '#Requires -Module Ansible.ModuleUtils.*'
@@ -315,6 +330,10 @@ def _bootstrap_powershell_script(
         )
     )
 
+    if hashlist := _get_powershell_signed_hashlist():
+        exec_manifest.signed_hashlist.append(hashlist.path)
+        exec_manifest.scripts[hashlist.path] = hashlist
+
     bootstrap_wrapper = _get_powershell_script("bootstrap_wrapper.ps1")
     bootstrap_input = _get_bootstrap_input(exec_manifest)
     if has_input:
@@ -339,6 +358,14 @@ def _get_powershell_script(
     if code is None:
         raise AnsibleFileNotFound(f"Could not find powershell script '{package_name}.{name}'")
 
+    try:
+        sig_data = pkgutil.get_data(package_name, f"{name}.authenticode")
+    except FileNotFoundError:
+        sig_data = None
+
+    if sig_data:
+        code = code + b"\r\n" + b"\r\n".join(sig_data.splitlines()) + b"\r\n"
+
     return code
 
 
@@ -501,6 +528,7 @@ def _create_powershell_wrapper(
     exec_manifest = _ExecManifest(
         scripts=finder.scripts,
         actions=actions,
+        signed_hashlist=list(finder.signed_hashlist),
     )
 
     return _get_bootstrap_input(
@@ -551,3 +579,27 @@ def _prepare_module_args(module_args: dict[str, t.Any], profile: str) -> dict[st
     encoder = get_module_encoder(profile, Direction.CONTROLLER_TO_MODULE)
 
     return json.loads(json.dumps(module_args, cls=encoder))
+
+
+def _get_powershell_signed_hashlist(
+    collection: str | None = None,
+) -> _ScriptInfo | None:
+    """Gets the signed hashlist script stored in either the Ansible package or for
+    the collection specified.
+
+    :param collection: The collection namespace to get the signed hashlist for or None for the builtin.
+    :return: The _ScriptInfo payload of the signed hashlist script if found, None if not.
+    """
+    resource = 'ansible.config' if collection is None else f"{collection}.meta"
+    signature_file = 'powershell_signatures.psd1'
+
+    try:
+        sig_data = pkgutil.get_data(resource, signature_file)
+    except FileNotFoundError:
+        sig_data = None
+
+    if sig_data:
+        resource_path = f"{resource}.{signature_file}"
+        return _ScriptInfo(content=sig_data, path=resource_path)
+
+    return None