Trusted Publisher - Code Signing Certificate

Steve 1 Reputation point
2022-09-03T19:43:30.16+00:00

I am working on trying out code signing on my test environment and have now created a certificate template on my CA that I can request with my user.

The certificate expires after one year, but in my Powershell script I give a timestamp server when signing. So the signed script should work even after one year.

But I noticed that when I start the script, I always get the message that it was not signed by a trusted publisher.

So I have exported the certificate on the client and created a GPO, which imports the certificate on all clients as Trusted Publisher.

Now the script works without any message.

But now the problem is that when 1 year has passed, the certificate on my client expires and I have to request a new one from the CA so that I can sign more scripts.

This means that the new certificate is no longer from a trusted publisher and I have to import one more certificate via GPO under Trusted Publisher. This means that more and more certificates are added and I can't delete the old ones, because otherwise the old signed scripts won't work anymore.

Can I stop the trusted publisher message without having to re-import all code signing certificates every year?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,352 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,284 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
4,734 questions
No comments
{count} votes

6 answers

Sort by: Most helpful
  1. JimmySalian-2011 29,791 Reputation points
    2022-09-03T20:28:23.67+00:00

    Hi Steve,

    It seems that will not be the case please read more info over here for Code Signing Certificate Timestamp and background process on the way it is verified.

    code-signing

    Hope this helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. JimmySalian-2011 29,791 Reputation points
    2022-09-04T12:49:03.467+00:00

    Hi Steve,

    For that you will have to design the Certificate enrollment and distribution process, you will have to consider all the options and scenarios for issuing and requesting the Certificates. Same scenario can be applied what happens when a PC is crashed that is hosting the Code Signed Certificate? Hence the design and scoping should be done to prevent such scenarios.

    Custom templates should be used if you have such requirements and you can set the options. If Security is paramount the approval process should be considered and default GPOs should always have the root and subca certificates in the trusted / enterprise CA to maintain the chain.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
    ----
    Please don't forget to upvote and Accept as answer if the reply is helpful

  3. Vadims Podāns 8,316 Reputation points MVP
    2022-09-05T07:20:42.51+00:00

    Can I stop the trusted publisher message without having to re-import all code signing certificates every year?

    in short, no. Trusted Publisher performs trusted signer mapping to exact signing certificate. If certificate is replaced, a replacement must be added to Trusted Publishers as well. The only thing you can do to reduce the certificate renewal frequency -- extend the code signing certificate's validity, say to 2 or 3 years.

  4. Steve 1 Reputation point
    2022-09-06T19:03:07.76+00:00

    When I download a setup, it is signed by the company that created the setup.

    Can't I get such a certificate from my internal CA? Or how did they sign their stuff?

    And does anyone know how I can get my CA to always give the same signing certificate to a user? So that I don't have a problem if their machine is broken. I cannot find such an option.

  5. Vadims Podāns 8,316 Reputation points MVP
    2022-09-07T07:33:16.827+00:00

    And does anyone know how I can get my CA to always give the same signing certificate to a user?

    you can use default "Code Signing" template to get a certificate suitable for code signing.

    how I can get my CA to always give the same signing certificate to a user?

    it is impossible. CA always issue unique certificates. As I said in previous response, the only way for you is to extend the certificate's validity to reduce the renewal frequency.