I am working on trying out code signing on my test environment and have now created a certificate template on my CA that I can request with my user.
The certificate expires after one year, but in my PowerShell script I give a timestamp server when signing. So the signed script should work even after one year.
But I noticed that when I start the script, I always get the message that it was not signed by a trusted publisher.
So I have exported the certificate on the client and created a GPO, which imports the certificate on all clients as a Trusted Publisher.
Now the script works without any message.
But now the problem is that when one year has passed, the certificate on my client expires and I have to request a new one from the CA so that I can sign more scripts.
This means that the new certificate is no longer from a trusted publisher and I have to import another certificate via GPO under Trusted Publisher. This means that more and more certificates are added, and I can't delete the old ones, because otherwise the old signed scripts won't work anymore.
Can I stop the trusted publisher message without having to re-import all code signing certificates every year?
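The workflow described in the question (sign with a timestamp, then check the signature against the machine's Trusted Publishers store), as an added example that is not part of the original post. It assumes the code-signing certificate enrolled from the CA template sits in `Cert:\CurrentUser\My`, and the script path and timestamp server URL are placeholders to replace with your own:

```powershell
# Added example; not from the original post.
# Assumptions: a code-signing certificate enrolled from the CA template is in
# Cert:\CurrentUser\My, $ScriptPath is a script you want to sign, and
# $TimestampServer is any timestamp server reachable from this machine.
$ScriptPath      = 'C:\Scripts\Example.ps1'          # assumption: path to the script to sign
$TimestampServer = 'http://timestamp.digicert.com'   # assumption: replace with the timestamp server you use

# Pick the newest still-valid code-signing certificate from the user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate found in Cert:\CurrentUser\My' }

# Sign with a timestamp so the signature can be validated after the certificate expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -TimestampServer $TimestampServer -HashAlgorithm SHA256
"Signing result for {0}: {1}" -f $ScriptPath, $sig.Status

# Inspect the signature: which certificate signed it, and whether a timestamp was applied.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Status        = $check.Status                   # Valid means the chain checks out on this machine
    StatusMessage = $check.StatusMessage
    Signer        = $check.SignerCertificate.Subject
    Thumbprint    = $check.SignerCertificate.Thumbprint
    SignerExpires = $check.SignerCertificate.NotAfter
    Timestamped   = [bool]$check.TimeStamperCertificate
    Timestamper   = $check.TimeStamperCertificate.Subject
} | Format-List

# Compare the signer against LocalMachine\TrustedPublisher, the store the GPO populates.
# A script signed with a certificate that is not listed here triggers the
# "not signed by a trusted publisher" prompt under an AllSigned policy.
$trusted   = Get-ChildItem Cert:\LocalMachine\TrustedPublisher
$isTrusted = $trusted.Thumbprint -contains $check.SignerCertificate.Thumbprint
"Signer present in LocalMachine\TrustedPublisher: $isTrusted"

# List every trusted publisher entry with its expiry, so the yearly build-up of
# certificates described above is visible before anyone removes one.
$trusted | Select-Object Subject, Thumbprint, NotAfter,
    @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Sort-Object NotAfter | Format-Table -AutoSize
```

Run it once after signing and once on a client that received the GPO: `Timestamped` should be `True` on both, and `Signer present in LocalMachine\TrustedPublisher` shows whether the prompt will appear for that particular signing certificate.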