Internal Certificate Chain Error
I wrote my first PowerShell script that accesses a shortcut (.lnk) to obtain its target, and then accesses that target to copy all of the files in that target directory to another directory.
It works fine on my laptop. I have admin privileges on my laptop so I could easily change my execution policy to RemoteSigned. The person who is really going to run the script only has the "AllSigned" execution policy, and he does not have admin on his laptop so he cannot change his execution policy.
So, I read some articles about certificates and signing files. This certificate facility is new to me.
I found some scripts which allowed me to create a ".cer" certificate, and I exported it.
I found a script that allows me to sign a file. I ran that script and it looks like it signed the file.
=== script ===============================================
# *** sos *************************************************************
# * Return the target directory location of a ".lnk" type object     *
# *********************************************************************
#
function link_target( $link)
{
    $shell = New-Object -com wscript.shell
    $lnk = $shell.CreateShortcut($link)
    $tgt = $lnk.TargetPath
    return $tgt
}
#
# *** eos *************************************************************
del c:\ISSS\Reports\*.xls -exclude *_report.xls
$s = link_target("C:\Source_locations\User_reports.lnk")
dir C:\ISSS\Reports\*.xls
copy $s\*.xls C:\Reports
# SIG # Begin signature block
# SIG # End signature block
=== script ===============================================
It works correctly on my laptop, but we receive "internal certificate chain error" when we try to run it on his computer.
I did an export of my ".cer" file and we ran certmgr.msc on his computer and imported that certificate into his personal store. The certificate has the "all" properties.
Maybe my signing process did not use my certificate to sign it. I don't know.
Is this possible? How do I tell the sign script which certificate to use?
Here is the script I use to sign my scripts:
=== script ==============================================
## sign-file.ps1
## Sign a file
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert
# SIG # Begin signature block
....
=== script ===============================================
All Replies
- Hi,
The whole certificate chain has to be trusted. You need a trusted root certification authority that generates certificates for all users executing your script.
Check that the certification authority's root certificate is stored in the Trusted Root store.
Grégory Schiro - PowerShell MVP - PowerShell & MOF (Friday, July 03, 2009 8:26 AM)
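The store check Grégory describes, together with the question of telling Set-AuthenticodeSignature which certificate to use, as an added PowerShell example that is not from this thread; function names, file paths and the thumbprint are assumptions and placeholders, and the .cer files are the ones exported from the signing laptop.

```powershell
# Added example (not from the original thread); paths and the thumbprint are placeholders.
# Sign with an explicitly chosen certificate, then, on the receiving machine, show why the
# chain fails and whether root and signer are in the stores that AllSigned actually consults.
function Sign-ScriptByThumbprint {
    param([Parameter(Mandatory=$true)][string] $Path,
          [Parameter(Mandatory=$true)][string] $Thumbprint)
    # -CodeSigningCert plus a known thumbprint avoids the "[0]" lottery: the first
    # certificate in Cert:\CurrentUser\My is not necessarily the one you created.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate $Thumbprint in Cert:\CurrentUser\My" }
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
}

function Test-ScriptSignatureChain {
    param([Parameter(Mandatory=$true)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    "Status: {0} - {1}" -f $sig.Status, $sig.StatusMessage
    if (-not $sig.SignerCertificate) { return }
    # Rebuild the chain from the signer certificate; a self-signed root that is
    # missing from the Trusted Root store shows up as UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)
    foreach ($el in $chain.ChainElements) { "  chain: {0}" -f $el.Certificate.Subject }
    foreach ($st in $chain.ChainStatus)   { "  problem: {0} {1}" -f $st.Status, $st.StatusInformation }
    # The Personal store (where the .cer was imported in the question) is never consulted:
    # the root must be in Root and, to avoid the AllSigned prompt, the signer in TrustedPublisher.
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRoot = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    $inPub  = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
              Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint }
    "Root '{0}' in CurrentUser\Root: {1}" -f $root.Subject, [bool]$inRoot
    "Signer in CurrentUser\TrustedPublisher: {0}" -f [bool]$inPub
}

function Import-CerToUserStore {
    # Import a .cer into a CurrentUser store without certmgr.msc; no admin rights required.
    param([Parameter(Mandatory=$true)][string] $CerPath,
          [Parameter(Mandatory=$true)][ValidateSet('Root','TrustedPublisher')][string] $StoreName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'CurrentUser'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
}

# Sign-ScriptByThumbprint -Path 'C:\scripts\copy_reports.ps1' -Thumbprint '<thumbprint of your cert>'
# Test-ScriptSignatureChain -Path 'C:\scripts\copy_reports.ps1'
# Import-CerToUserStore -CerPath '.\root.cer' -StoreName Root
```

Run Test-ScriptSignatureChain on the recipient's machine first; the "problem:" lines name the missing trust anchor, and the two store lines show where the exported certificate actually has to be imported.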
- Hm, but what about this (my) case?
# my script folder:
$dir = "C:\Users\cas\Documents\sysTools\Windows PowerShell\prg"
# first code-signing certificate in the user's Personal store
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]
foreach ($scr in Dir -path $dir -filter *.ps1) {
    $scr = $dir+"\"+$scr
    echo $scr
    Set-AuthenticodeSignature $scr $cert
}
### done ###
This causes one script to be valid, while two others have an unknown error?
SignerCertificate  Status        Path
-----------------  ------        ----
                   UnknownError  get-Gmail.ps1
C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\readDAXmail.ps1
                   UnknownError  readDAXmail.ps1
C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\send-TcpRequest.ps1
B305..B53D20       Valid         send-TcpRequest.ps1
and a "get-childitem cert:\ -recurse -codesigningcert" prints this for me:
Verzeichnis: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint    Subject
----------    -------
B305..B53D20  CN=PowerShell User
The sig has been created by
So I think my local certificate was found, but why the ____ aren't my scripts signed?

