Another thing to check; right click one of the signed scripts in Explorer and choose Properties. Then flip to the Digital Signature tab and check out the cert and chain to make sure it looks right. I had a similar weird issue that was caused by an extra code signing cert in my store and it defaulting to the wrong one. :)
DAMIEN SOLODOW Senior Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE ________________________________ From: [email protected] <[email protected]> on behalf of Brian Desmond <[email protected]> Sent: Tuesday, December 6, 2016 6:12:30 PM To: [email protected] Subject: [NTSysADM] RE: code-signing cert for PS untrusted Is there a behavior difference whether it's in the local user or local machine Trusted Publishers store? I haven't done much with this but that comes to mind as something to check. Also don't forget to timestamp the signature when you do the signing. Thanks, Brian Desmond w - 312.625.1438 | c - 312.731.3132 From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L. Sent: Tuesday, December 6, 2016 4:03 PM To: ntsysadm <[email protected]> Subject: [NTSysADM] code-signing cert for PS untrusted I feel like I must be missing a step here, so am hoping someone has seen this. I'm most of the way through standing up a new internal CA root/subordinate combo for our internal AD and migrating certificates, but have run into a problem with code signing certs. The new servers are 2012 R2, done mostly to best practice with root not in the domain (offline) and subordinate in the domain for issuing certs. The old single server is 2008 R2. I already have most of our certs migrated and working, including those for Kerberos (Domain controllers) authentication, client pcs, web server, etc. The Root CA is showing up in the client's Trusted root store, and both the root and subordinate are in the Intermediate Certificates store. I've published a new template for (powershell) code signing today from the new intermediate server, and was able to follow all of the same steps to get a cert enrolled for my user account that I had done with 2008 R2. I see the new cert in the Personal store and have imported it into Trusted publishers. But, if I sign some code with the new cert, I still get prompted by powershell with "Do you want to run software from this untrusted publisher?". I've tried deleting the old cert from Personal and from Trusted publishers, and even re-signed the code to verify it's using the new one that I think it is. Is there another place I need to be adding the cert that I'm missing here? Is there an issue with signing it from the Intermediary vs the root CA when it comes to code signing? I'm not a PS guru and there are really only two of us using this, in an attempt to not allow unrestricted PS on our domain workstations. Code signing certs have worked fine from our 2008 R2, but there is only the one server involved. Any pointers would be appreciated. -Bonnie
