Internal Certificate Chain Error

Thu, 02 Jul 2009 22:12:31 Z

I wrote my first PowerShell script that accesses a short-cut (.lnk),

to obtain its target, and then access that target to copy all of the files in that target directory to another directory.

It works fine on my lap-top. I have admin privileges on my lap-top so I could easily change my executionPolicy to remoteSigned. The person who really is going to run the script only has "AllSigned" executionPolicy. And he does not have admin on his lap-top so he cannot change his exeuctionPolicy.

So, I read some articles about certificates and signing files. This certificate facility is new to me.

I found some scripts which allowed me to create a ".cer" certificate. And I exported it.

I found a script that allows me to sign a file. I ran that script and it looks like it signed the file.

== script ==============================================

# *** sos *************************************************************
# * Return the target directory locatin of a ".lnk" type object      *
# *********************************************************************
#
function link_target( $link)
{
$shell = New-Object -com wscript.shell
$lnk   = $shell.CreateShortcut($link)
$tgt   = $lnk.TargetPath
return $tgt
}
#
# *** eos *************************************************************
del c:\ISSS\Reports\*.xls -exclude *_report.xls
$s = link_target("C:\Source_locations\User_reports.lnk")
dir C:\ISSS\Reports\*.xls
copy $s\*.xls    C:\Reports

# SIG # Begin signature block
# MIIEMwYJKoZIhvcNAQcCoIIEJDCCBCACAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU1me2pCTaKosL7n9ON5WMAEYT
# +nSgggI9MIICOTCCAaagAwIBAgIQmdia+k7om71HpfJvI46IADAJBgUrDgMCHQUA
# MCwxKjAoBgNVBAMTIVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdDAe
# Fw0wOTA2MTExOTQ2NDNaFw0zOTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMTD1Bvd2Vy
# U2hlbGwgVXNlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA04s/pKSzkAkU
# A1vP9TL9MhZ1+5JCXj6lYdlV9GUoHoX5lZBkXAY9NofXXeLwzcbQ9XqukvvQ73oN
# MxodIPJc84ngg6RQUDFm5lgjHgiTua/cczohCNyvfCV+kduP2fE8trnUqJokzxDI
# lN5zQHdfd7ptB+98rhTkabM3Dv6umz0CAwEAAaN2MHQwEwYDVR0lBAwwCgYIKwYB
# BQUHAwMwXQYDVR0BBFYwVIAQXvn0+W06mVY6T7MBJEkriKEuMCwxKjAoBgNVBAMT
# IVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdIIQ6k4XJepngoFPl/yI
# L95tkzAJBgUrDgMCHQUAA4GBALGnM4LTHzi9IGH8NwMlliaICqyrFbtzJCa44t/9
# li2ijU9DReuA/stqiBmpFQX1/m4IQcc8Lbt9xcQg6kOakRXjiNFp2jWPPyXLmz7h
# XbSZvfTDq8Py69LNjYIwKRZIK9Gj37o+5D4l/sj6+c96+qw31DCbrvr6Bsm9mr3r
# OTX/MYIBYDCCAVwCAQEwQDAsMSowKAYDVQQDEyFQb3dlclNoZWxsIExvY2FsIENl
# cnRpZmljYXRlIFJvb3QCEJnYmvpO6Ju9R6XybyOOiAAwCQYFKw4DAhoFAKB4MBgG
# CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
# AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
# FEYNyIl6IAawtsGKa0qU0J/+GxclMA0GCSqGSIb3DQEBAQUABIGAxrkRaHLev7G1
# QKU+0s/EH+xLr6BAR9UVl/pCxPiw5xuSc6pHBrwtFLXUN45pOCE0TP/ENEUdOYBM
# FgoOT5PrihJgGRaBFKhBK6bhhg/sRSduXvY/jz23WsCVDWXM2OI2iOU+CUrDRv3v
# cQw3tIT6qVv6qy11obITjKz2BCnblBY=
# SIG # End signature block

=== script ===============================================

It works correctly on my lap-top, but we receive "internal certificate chain error" when
we try to run it on his computer.

I did an export of my ".cer" file and we ran certmgr.msc on his computer and imported that certificate into his personal store. The certificate has the "all" properties.

Maybe my signing process did not use my certificate to sign it. I don't know.
Is this possible? How do I tell the sign script which certificate to use?

Here is the script I use to sign my scripts:

=== script ==============================================
## sign-file.ps1
## Sign a file
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert

# SIG # Begin signature block
....
=== script =======================================

Internal Certificate Chain Error

Fri, 03 Jul 2009 07:48:31 Z

Hi,

All certificate chain has to be trusted. You need a trusted root certification Authority which generate certificate to all users executing your script.

Check that the certification autority root certificate is stored in the Trusted Root Store.

Grégory Schiro - PowerShell MVP - PowerShell & MOF

Internal Certificate Chain Error

Wed, 07 Oct 2009 13:58:07 Z

Hm, but what about this (my) case?

# my script folder:
$dir   = "C:\Users\cas\Documents\sysTools\Windows PowerShell\prg"
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]

foreach ($scr in Dir -path $dir -filter *.ps1) {
    $scr = $dir+"\"+$scr
    echo $scr
    Set-AuthenticodeSignature $scr $cert
}
### done ###
this causes one script is valid, tow others have an unkonwn error ?

SignerCertificate                         Status                            Path
-----------------                         ------                            ----
                                          UnknownError                      get-Gmail.ps1
C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\readDAXmail.ps1
                                          UnknownError                      readDAXmail.ps1
C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\send-TcpRequest.ps1
B305..B53D20 Valid                             send-TcpRequest.ps1

and a : get-childitem cert:\. -recurse -codesigningcert

prints to me:
    Verzeichnis: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
B305..B53D20 CN=PowerShell User
The sig has been created by

So I think my local certificat was found, but why the ____ my scripts aren't sigend?