Sign Script: How to reference a Certificate Thumbprint?

Jehoschua
Posts: 63
Joined: Fri Jan 29, 2016 6:23 am

Sign Script: How to reference a Certificate Thumbprint?

Post by Jehoschua »

Product, version and build:
Product: PowerShell Studio 2019 (64 Bit)
Build: v5.6.170
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.18362.0


Good evening

It looks like Sapien PowerShell Studio needs a strange "Certificate Name" to sign scripts. And it's unclear what the anonymous button next to the "Certificate in local store" text field is doing; it looks like it always ignores the value in "Certificate in local store".

We're working for different companies and use the same certificate issuer, so the 'Certificate Name' is always identical. Therefore we prefer to use certificate thumbprints - they are unique. Forever :-)

How can we tell Sapien PowerShell Studio to use the usual Certificate Thumbprints to sign our scripts?

Thanks a lot, kind regards,
Thomas

brittneyr
Site Admin
Posts: 615
Joined: Thu Jun 01, 2017 7:20 am
Answers: 6
Been upvoted: 5 times

Re: Sign Script: How to reference a Certificate Thumbprint?

Post by brittneyr »

The certificate name is the only thing that is displayed, but internally the certificate is saved with the name and thumbprint.
The button next to the textbox opens your certificate store; this is a Windows dialog:
[Screenshot: SPS_CertificateStore.png]
After selecting a certificate from the store, the textbox is updated.

You are welcome to file a feature request here and we will see what we can do:
https://www.sapien.com/requests
Brittney Ryn
SAPIEN Technologies, Inc.

Jehoschua
Posts: 63
Joined: Fri Jan 29, 2016 6:23 am

Re: Sign Script: How to reference a Certificate Thumbprint?

Post by Jehoschua »

Good evening
Thank you for your answer! But I also expected to get something like a certificate store browser when I click the button; instead it just selects the first nice-looking certificate:
[Screenshot: 2019-12-18_21-36-37.png]
This certificate is wrong.

Why isn't it possible to just paste the right certificate thumbprint and click the button to validate it?

Alexander Riedel
Posts: 7529
Joined: Tue May 29, 2007 4:43 pm
Answers: 1
Been upvoted: 3 times

Re: Sign Script: How to reference a Certificate Thumbprint?

Post by Alexander Riedel »

Let me jump in here.
First of all, it is not ‘strange’ to use the certificate name to select a certificate. The ‘Friendly name’ attribute of a certificate exists for that very purpose. It would be a really bad UI design to require users to enter digital thumbprints nobody can remember.

Internally of course PowerShell Studio stores the thumbprint of the selected certificate to make sure the correct one is used when signing.

You can edit the friendly name for any certificate in your certificate store yourself. If you need help locating the app to see your local certificate store, please let us know.

The selection dialog you see is a Windows dialog. Not our dialog.
It shows the code signing certificates in your personal store so you can select one. Let me make this clear: we have no control over what this dialog looks like or how it functions. It is a dialog built into Windows.

From the screenshot, you only have ONE code signing certificate in your personal store. That is all I can tell from it.
Maybe you have not imported the other signatures you have, maybe you imported them into another store than your personal store.
If it is the ‘wrong’ certificate, maybe you need to look where you imported them. Generally the Personal Certificate Store is used to store, maintain and select a user's code signing certificates. Maybe you used a different user to import these certificates and they are stored in that user's personal store.
Again, I do not know what’s on your machine, just trying to point out possible scenarios.

You can however ALWAYS use the external script signing option. You specify the external signing tool along with its command line, where you then can specify the digital thumbprint as you want.

Last but not least, I need to point out that we do not support the use of multiple signatures. Generally you set one signature which you use to sign scripts, executables, installers and so forth to identify you as the author.
Even as you work for different entities, you are the author and YOUR signature should be used. At least that is how the Authenticode system was designed to be used. I would be curious to hear why you would need to use a multitude of signatures. I would also extend an invitation here to anyone lurking to submit feedback if you have the same use case. Please feel free to open your own topic, use the feedback forum or submit a feature request.

Hope this helps.
Alexander Riedel
SAPIEN Technologies, Inc.

Jehoschua
Posts: 63
Joined: Fri Jan 29, 2016 6:23 am

Re: Sign Script: How to reference a Certificate Thumbprint?

Post by Jehoschua »

Thank you very much for your explanations! If the anonymous button had a tooltip like
"Select a CodeSigning Certificate from the current user Certificate Storage"
then everything would have been clear.

But without any useful help, we must ask Google and the Forums, which is not that easy because the term 'sign' occurs surprisingly often.


We work on behalf of companies, therefore we switch the certificate according to the mandate. But if the certificate is in the right store and we know how to handle Sapien PowerShell Studio, then it's easy to use it / to switch.

In the last 30 years, I have never used a friendly name for a certificate, nor has anyone on our team.
It is nice to have - but given the security context, certainly not recommended. We always turn it around: we use thumbprints to sign - and then check if the signing has produced the desired result.
This way we're sure nobody has injected a Certificate with the same Friendly name - and we deploy it to the world.

Thanks a lot for your help, you solved our issue.
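As an added example (not SAPIEN's code, nor code from either poster), the following PowerShell covers the two practical points raised above: Alexander's advice to check which store a code-signing certificate actually landed in, and Thomas's workflow of selecting the certificate by thumbprint, signing, and then verifying that the signature on disk really came from that thumbprint. The script path, thumbprint and timestamp server in the usage lines are placeholders.

```powershell
# Added example: select a code-signing certificate by thumbprint, sign, verify.

function Get-CodeSigningCertificates {
    # List code-signing certificates in both personal stores, so one that was
    # imported under the machine account (or another store) is still visible.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -CodeSigningCert |
            Select-Object @{ n = 'Store'; e = { $store } },
                          Thumbprint, FriendlyName, Subject, NotAfter, HasPrivateKey
    }
}

function Set-ScriptSignatureByThumbprint {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $TimestampServer            # optional RFC 3161 timestamp URL
    )
    # The certificate MMC copies thumbprints with spaces and in lower case; normalise.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # Select strictly by thumbprint; friendly name and subject are ignored on purpose,
    # so a second certificate with the same friendly name cannot be picked by accident.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate $Thumbprint in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    $params = @{ FilePath = $Path; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
    $result = Set-AuthenticodeSignature @params
    if ($result.Status -ne 'Valid') {
        throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
    }

    # Re-read the signature from disk and confirm the signer is the intended certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "Verification failed: status $($sig.Status), signer $($sig.SignerCertificate.Thumbprint)"
    }
    return $sig
}

# Usage (placeholder values):
# Get-CodeSigningCertificates | Format-Table -AutoSize
# Set-ScriptSignatureByThumbprint -Path 'C:\scripts\Deploy.ps1' -Thumbprint '<THUMBPRINT>' `
#     -TimestampServer '<timestamp server URL>'
```

The same thumbprint-based selection can be used with the external signing option Alexander mentions, since the verification step only depends on what `Get-AuthenticodeSignature` reads back from the signed file.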