I didn't know about the timestamping-thanks, I just googled that and am adding it into our process. Is it normal to use a public timestamp server such as http://timestamp.verisign.com/scripts/timestamp.dll, or should we be doing something to run one internally and stamp from there?
But, adding a timestamp didn't help. Since I'm currently on the machine doing the signing (Win 8.1), the cert is both in the user's personal store and in the machine's trusted publishers store. I've also tried from another Win 10 pc under another account where it's just in the machine's trusted publishers. I did remove the old certs from both personal and trusted publishers in an attempt to fix the issue and have re-signed the file since (and again with a timestamp today), but no luck on that. I can see that the new template is being used and that the "Intended Purposes" lists Code Signing. To Damien, I just looked at the explorer properties of the signed file and as far as I can see, it all looks good and says "This digital signature is OK". I can view the certificate and everything in the certification path (Root, Intermediate, and cert) also says "This certificate is OK". -Bonnie From: [email protected] [mailto:[email protected]] On Behalf Of Brian Desmond Sent: Tuesday, December 6, 2016 3:13 PM To: [email protected] Subject: [NTSysADM] RE: code-signing cert for PS untrusted Is there a behavior difference whether it's in the local user or local machine Trusted Publishers store? I haven't done much with this but that comes to mind as something to check. Also don't forget to timestamp the signature when you do the signing. Thanks, Brian Desmond w - 312.625.1438 | c - 312.731.3132 From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Miller Bonnie L. Sent: Tuesday, December 6, 2016 4:03 PM To: ntsysadm <[email protected]<mailto:[email protected]>> Subject: [NTSysADM] code-signing cert for PS untrusted I feel like I must be missing a step here, so am hoping someone has seen this. I'm most of the way through standing up a new internal CA root/subordinate combo for our internal AD and migrating certificates, but have run into a problem with code signing certs. The new servers are 2012 R2, done mostly to best practice with root not in the domain (offline) and subordinate in the domain for issuing certs. The old single server is 2008 R2. I already have most of our certs migrated and working, including those for Kerberos (Domain controllers) authentication, client pcs, web server, etc. The Root CA is showing up in the client's Trusted root store, and both the root and subordinate are in the Intermediate Certificates store. I've published a new template for (powershell) code signing today from the new intermediate server, and was able to follow all of the same steps to get a cert enrolled for my user account that I had done with 2008 R2. I see the new cert in the Personal store and have imported it into Trusted publishers. But, if I sign some code with the new cert, I still get prompted by powershell with "Do you want to run software from this untrusted publisher?". I've tried deleting the old cert from Personal and from Trusted publishers, and even re-signed the code to verify it's using the new one that I think it is. Is there another place I need to be adding the cert that I'm missing here? Is there an issue with signing it from the Intermediary vs the root CA when it comes to code signing? I'm not a PS guru and there are really only two of us using this, in an attempt to not allow unrestricted PS on our domain workstations. Code signing certs have worked fine from our 2008 R2, but there is only the one server involved. Any pointers would be appreciated. -Bonnie
