Other machine certificates, how do they get installed

This topic is 6 years and 2 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Other machine certificates, how do they get installed

Post by crude1 »

QUESTION: Does powersapien installer add the certificate in their local certificate store on other machines?

In other words if I install the generated .msi file on another machine does the installer add the code signing
certificate to other machines' certificate store?
Code Signing seems to work locally, I suspect because I manually added the certificate to my local machine,
however when I run the msi on another machine and import-Module it fails if the code ExecutionPolicy is AllSigned.

If the sapien installer doesn't install the certificates is this a feature that you plan on adding or
maybe because each company is different and maybe most companies use active directory policies
to populate the certificates that it's not planned? Do you have any suggestions on links on this remote machine
cert import?

Sample output on other machine:
import-module Test
import-module : File C:\Users\crude\Documents\WindowsPowerShell\Modules\Test\Test.psm1 cannot be loaded.
The file C:\Users\crude\Documents\WindowsPowerShell\Modules\Test\Test.psm1 is not digitally signed.
You cannot run this script on the current system. For more information about running scripts and setting execution policy, see

about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ import-module Test -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
PS C:\Windows\system32>



QUESTION: I am getting this error when I run build installer upon selecting 'Deploy' -> 'Installer' -> 'Build'

---------------------------
Digital Signature Wizard
---------------------------
The Digital Signing wizard cannot start.
---------------------------
OK
---------------------------

..I manually added the code signing blocks does this mean my msi is not signed?


Sapien Product:
Sapien Powershell Studio 2017
Version 5.4.145
64BIT version of product


Operating System:
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 58 Stepping 9 GenuineIntel ~2601 Mhz
BIOS Version: LENOVO G1ET41WW (1.16 ), 5/25/2012
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 16,108 MB
Available Physical Memory: 8,041 MB
Virtual Memory: Max Size: 32,214 MB
Virtual Memory: Available: 19,694 MB
Virtual Memory: In Use: 12,520 MB
Page File Location(s): C:\pagefile.sys

Re: Other machine certificates, how do they get installed

Post by Alexander Riedel »

Neither PowerShell Studio nor Windows Installer are adding any certificates to any store. That is not how this works.

"The Digital Signing wizard cannot start." If you get this message, your MSI file is not signed. Please provide what details you specified for the MSI part.

Signing the MSI file will not sign your module or script. These are two distinctly different stages. You need to do this before you roll that up into an installer.
I am not sure what type of certificate you have, but if you have a proper code signing certificate, you sign the script or module on your machine.
The other machines will validate that signature with the certificate's root authority (the issuer) and if that root authority is trusted, your script or module can be executed.
Most root certificates are already trusted on any given Windows machine, so all you need to do is sign your script.
Note, if you have a self-issued certificate this won't work. This is meant for testing and will only work on your machine, since there is no root authority that can be trusted.
Alexander Riedel
SAPIEN Technologies, Inc.
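
The two stages described in the answer above, as an added example that is not part of the original thread and is not SAPIEN's code: signing the module file on the build machine before packaging, then checking on a target machine whether the signature is present and chains to a trusted root. The function names and the use of Cert:\CurrentUser\My as the certificate location are assumptions made for illustration.

```powershell
# Added example (not SAPIEN's code). Runs on Windows PowerShell 2.0 or later.

# Build machine: sign the module before it is packaged into the MSI.
# Assumption: the code-signing certificate is in Cert:\CurrentUser\My.
function Add-ModuleSignature {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string]$TimestampServer   # optional URL, supplied by your CA
    )
    $now = Get-Date
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate found.' }

    $params = @{ FilePath = $FilePath; Certificate = $cert }
    if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
    Set-AuthenticodeSignature @params
}

# Target machine: report the signature status and whether the signer's chain
# ends in a root this machine trusts. Status NotSigned means the file carries
# no signature block at all, which matches the error text in the question.
function Test-ModuleSignature {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $report = New-Object psobject -Property @{
        File = $FilePath; Status = $sig.Status; Signer = $null
        Root = $null; ChainTrusted = $false; ChainErrors = @()
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $report.ChainTrusted = $chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $report.Signer = $sig.SignerCertificate.Subject
        $report.Root = $chain.ChainElements[$last].Certificate.Subject
        # e.g. UntrustedRoot for a self-signed certificate on another machine
        $report.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    $report | Select-Object File, Status, Signer, Root, ChainTrusted, ChainErrors
}

# Build machine:   Add-ModuleSignature -FilePath .\Test.psm1
# Target machine:  Test-ModuleSignature -FilePath "$HOME\Documents\WindowsPowerShell\Modules\Test\Test.psm1"
```

Under AllSigned, a publisher that is valid but not yet in the machine's TrustedPublisher store produces a trust prompt on first run, so a Valid status with ChainTrusted set to True is the precondition to check first.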

Re: Other machine certificates, how do they get installed

Post by crude1 »

Thanks so much for the super fast response.

I am using a self-signed certificate with a pfx that seems to work well locally cause I imported the cert into the local cert store.

I am rather new to certificates, but if I understand you correctly
* if I use a real Certificate Authority like verisign,
* then generate a certificate from that verisign root cert and
* combine this root cert with my powershell cert ultimately to generate a new .pfx file,
* then run the powershell studio 2017 tool 'sign script' (as I have and seems to work great)

Where does the sign script tool get the certificate to sign the code with? Is that in the installer settings the pfx file or browse local store?

So I don't even need to add any certificate to the 'other' machines (not my msi build machine) certificate store because it will only look at the root cert right? So no modification is needed on those machines right, other than install the module and it should work?

I have attached some of the msi settings, hope that helps, I did blank out my company name. I saw another post and it was chalked up to bad com object? Seems odd though, maybe cause I have windows 7?
Attachments: msi_signingSettings.png, msi_ProductDetails.png, msi_FilesFolder.png

Re: Other machine certificates, how do they get installed

Post by Alexander Riedel »

No no no. Just get a certificate. A real one. Add it to your personal store. Then just put in the name of the certificate or select it from your store. You do not need a pfx file.
And uncheck that wizard thing. Windows broke that one anyway, so it will go away.
You do not need to do anything with any root certificate. If your target machines are properly updated the trusted root certificate is already there.
Alexander Riedel
SAPIEN Technologies, Inc.

Re: Other machine certificates, how do they get installed

Post by crude1 »

Ok, cool, I see so the certificate I get from:

Symantec, Certum, Entrust, GlobalSign, Comodo, DigiCert

or is there (better or common Powershell Public CA?), will have both the root and the non-root part of the cert all in one package (maybe they will give me a pfx file) that they give me?

The cert they give me will be backed by their trusted root (e.g. Symantec) and I won't need to change anything on other machines because the trusted root cert (e.g. Symantec) will already be there.
Worst case (if the root isn't already there) I could have customers add that manually if needed (import a pfx or something similar), or have users add an AD group policy to promote it to the entire domain.

Does this sound correct?

Re: Other machine certificates, how do they get installed

Post by Alexander Riedel »

You will only get your signing certificate. Root certificates are generally automatically installed or updated via Windows Update.
Alexander Riedel
SAPIEN Technologies, Inc.