PowerShell Script Signing

This forum can be browsed by the general public. Posting is limited to current SAPIEN license holders with active maintenance and does not offer a response time guarantee.
Forum rules
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
This topic is 15 years and 2 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
User avatar
ryanba
Posts: 28
Last visit: Tue Feb 23, 2010 11:27 pm

PowerShell Script Signing

Post by ryanba »

I am trying to get PrimalScript Professional 2007 (4.5.574) to sign my Powershell Scripts automatically by using a PFX file but I cannot get it to work. I used this blog from Sapien.com on how to do this but the steps outlined do not work for me http://www.sapien.com/blog/2008/07/02/s ... l-scripts/.

I have not been able to find a way to do this other than installing the certificate to the personal store and having this as the first/only certificate. I do not want to do this as the company that I work for uses PrimalScript and when we deploy PowerShell we are only going to allow signed scripts to run. We have a certificate that we will use to sign our scripts but we do not want to have to install the certificate onto the computer in order to have PrimalScript automatically sign our scripts.

With this PFX file however I can use the Powershell cmdlet, Set-AuthenticodeSignature, to sign my powershell scirpts and that works just fine so I know it is not my PFX file. Also I am assuming that PrimalScript uses this cmdlet to sign the files and that why it allows you to specify a PFX file.

Below is the steps I have taken to try to configure PrimalScript to use sign PowerShell Scripts.

In PrimalScript, I go to Tools > Options
Then expand Script Settings and Select Script Security
Under the Windows PowerShell Security

Security Setting is set to AllSigned (This will be configured by default using Group Policy)
Certificate
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

Ok, I am not quite sure I understand this correctly, so let me re-iterate.

- You want to sign files with a PFX file rather than a signature in the store
- Using Set-AuthenticodeSignature you can sign a file with your PFX.
So if you reload the file after signing you actually see the signature
- Having your setup in Tools - Options - Script Settings - Script Security,
what happens if you load an unsigned file and you press "Save"?
Normally the signature should appear in the file at the bottom.
- Please also specify what OS you are running this on.
- Is the PowerShell load indicator on PrimalScript's status bar visible and
blue?
- Do you receive any error messages when signing?


Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ryanba
Posts: 28
Last visit: Tue Feb 23, 2010 11:27 pm

PowerShell Script Signing

Post by ryanba »

-Yes, I will like to use the PFX file rather than a signature in the store.

-Yes, I am able to see the signature after signing it and I am able also to use the Get-AuthenticodeSignature cmdlet to verify.

-If I have an unsigned file and I press save nothing happens or if I go to Script > Sign Script nothing happens in that the signature comments do not appear

-I am running PrimalScript on Windows XP SP2

-I believe that the PowerShell indicator is on PrimalScript's status bar and is blue as I am not quite sure what you are referring to but I have attach a picture of what I believe is the indicator you are talking about


-I do not recieve any error messages when trying to sign scripts using either the save or going to Script > Sign Script

Below is my window for configure


Thank you for your quick response,
-Ryan
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

Hmm, ok, that is a bit strange as PrimalScript simply calls Set-AuthenticodeSignature as well.
I'll have to set up some diagnostics on the PowerShell host to see what might be the problem.

I'll try to do that tonight, so please ping if you don't hear anything by tomorrow.
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

Actually, I think I know what the problem is. We use the Get-PfxCertificate cmdlet to load the pfx. There is no parameter to specify
the password though, so I think this why it simply fails silently.
Not sure why it doesn't prompt.






I will see if there is a work around available from our end.
As far as I recall this is why I created a PFX with no password.

Alex
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ryanba
Posts: 28
Last visit: Tue Feb 23, 2010 11:27 pm

PowerShell Script Signing

Post by ryanba »

Well I created the PFX file with a password and then specified it as the file to use and it will still not sign my PowerShell Script both by saving and going to Script > Sign Script.

I did verify that the PFX file was valid by signing a script in a PowerShell Command Window. Here is the code I did to verify that my certificate worked

PS C:Documents and Settingsryanba> $cert = Get-PfxCertificate "C:Documents and SettingsryanbaDesktoptest.pfx"PS C:Documents and Settingsryanba> $cert
Thumbprint Subject---------- -------805ECA9429F0F2E0270BE8B938E80A8046911C71 CN=DSI Macros
PS C:Documents and Settingsryanba> Set-AuthenticodeSignature "C:Documents and SettingsryanbaMy DocumentsScriptstest.ps1" -cert $cert
Directory: C:Documents and SettingsryanbaMy DocumentsScripts
SignerCertificate Status Path----------------- ------ ----805ECA9429F0F2E0270BE8B938E80A8046911C71 Valid test.ps1
PS C:Documents and Settingsryanba> Get-AuthenticodeSignature "C:Documents and SettingsryanbaMy DocumentsScriptstest.ps1"
Directory: C:Documents and SettingsryanbaMy DocumentsScripts
SignerCertificate Status Path----------------- ------ ----805ECA9429F0F2E0270BE8B938E80A8046911C71 Valid test.ps1

Now here is what my PowerShell Security settings are in PrimalScript:


Thanks,
-Ryanryanba2008-12-05 17:43:52
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

That is really odd, you should at least get an error message in the output window. It's almost like it is not calling the cmdlet

Can you go this folder:C:Program FilesSAPIENPrimalScript 2007 Professional
and check the version of this file:
PWSHHelpCtrl.dll
it should be 1.0.3.0 and the file date should be 10/13/2008
Can you verify that please?
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
ryanba
Posts: 28
Last visit: Tue Feb 23, 2010 11:27 pm

PowerShell Script Signing

Post by ryanba »

That's is what I was thinking is that it wasn't even doing anything. I checked the PWSHelpCtrl.dll and the version was 1.0.3.0 and was created on 3/7/2008 but date it was last modified is 10/17/2008.
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

Hmm, give a few. I'll cook something up and send you an email with something to try.

Alex
Alexander Riedel
SAPIEN Technologies, Inc.
User avatar
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 19
Been upvoted: 37 times

PowerShell Script Signing

Post by Alexander Riedel »

Sent you an email with a dll attached for testing.
Alexander Riedel
SAPIEN Technologies, Inc.
This topic is 15 years and 2 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.