Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

How to sign digitally the scripts created by an inline powershell custom action?

Tue Jul 24, 2018 1:21 pm

Dear Advanced Installer Support Team,

We have a rather urgent issue coming from one of our customers: recently they changed the execution policy of their PowerShell scripts to prevent unsigned scripts from being executed. Since then, our installers no longer work on their side, due to errors like this:

(SERVER) MSI (s) (B0:34) [11:47:07:404]: Doing action: Searches_Fix_Reg_Values
(UNKNOWN) Action 11:47:07: Searches_Fix_Reg_Values.
(UNKNOWN) Action start 11:47:07: Searches_Fix_Reg_Values.
(SERVER) MSI (s) (B0:90) [11:47:07:420]: Invoking remote custom action. DLL: C:\Windows\Installer\MSID943.tmp, Entrypoint: RunPowerShellScript
(UNKNOWN) Dumping PowerShell invoke log ...
(UNKNOWN) --> Found PowerShell path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(UNKNOWN) --> PowerShell Script Execution Result Code: 1
(UNKNOWN) --> PowerShell Script Execution log:
(UNKNOWN) File C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 cannot be loaded. The file
(UNKNOWN) C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 is not digitally signed. You cannot run this script on the
(UNKNOWN) current system. For more information about running scripts and setting execution policy, see about_Execution_Policies
(UNKNOWN) at http://go.microsoft.com/fwlink/?LinkID=135170.
(UNKNOWN) + CategoryInfo : SecurityError: (:) , ParentContainsErrorRecordException
(UNKNOWN) + FullyQualifiedErrorId : UnauthorizedAccess
(SERVER) MSI (s) (B0!40) [11:47:08:390]: PROPERTY CHANGE: Adding POWERSHELL_EXECUTION_LOG property. Its value is 'File C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 cannot be loaded. The file
(UNKNOWN) C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 is not digitally signed. You cannot run this script on the
(UNKNOWN) current system. For more information about running scripts and setting execution policy, see about_Execution_Policies
(UNKNOWN) at http://go.microsoft.com/fwlink/?LinkID=135170.
(UNKNOWN) + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
(UNKNOWN) + FullyQualifiedErrorId : UnauthorizedAccess'.
(UNKNOWN) CustomAction Searches_Fix_Reg_Values returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

We have quite a few inline PowerShell script custom actions in our .aip project; Searches_Fix_Reg_Values is one of them. Please help us in fixing our custom actions.

Best regards,
Zsolt

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: How to sign digitally the scripts created by an inline powershell custom action?

Tue Jul 24, 2018 4:22 pm

Hello Zsolt,

Unfortunately, it is not possible to sign an inline script custom action.

The only workaround for this issue is described in the following thread.

Hope this helps!

Regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

damien
Posts: 1
Joined: Thu Dec 03, 2020 9:15 pm

Re: How to sign digitally the scripts created by an inline powershell custom action?

Thu Dec 03, 2020 9:25 pm

Is it still the case that you cannot sign an inline PowerShell custom action? We are running 17.7 and it shows a "Sign script" checkbox on inline PowerShell custom actions, but checking it doesn't seem to work when a GPO requiring all scripts to be signed is enabled.

I also tried the above instructions with signed scripts, but am getting the below error.

CustomAction CustomFileActionPS returned actual error code -196608 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (c) (B8:A8) [15:55:21:445]: Note: 1: 1722 2: CustomFileActionPS3: D:\Temp\MSI65AB.tmp 4: /HideWindow "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -file "D:\Temp\CustomFileActionPS.ps1"
MSI (c) (B8:A8) [15:55:27:129]: Product: ProductName -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CustomFileActionPS, location: D:\Temp\MSI65AB.tmp, command: /HideWindow "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -file "D:\Temp\CustomFileActionPS.ps1"

Dan
Posts: 4513
Joined: Wed Apr 24, 2013 3:51 pm

Re: How to sign digitally the scripts created by an inline powershell custom action?

Wed Dec 09, 2020 6:12 am

Hi Damien and welcome to Advanced Installer forums,

Starting with Advanced Installer 17.1 Release, Advanced Installer offers Digital Signature support for PowerShell scripts. Just enable the Sign script option from the Run Inline PowerShell Script custom action properties.

PowerShell CA Props.PNG

I've retested this option in the 17.7 version of Advanced Installer and everything is working as expected.

MSI (c) (B8:A8) [15:55:27:129]: Product: ProductName -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected.

As I can see, you got a generic error message: the return code of PowerShell is different from 0, thus the installer interprets it as a failure. Custom actions that are executable files must return a value of 0 for success. The installer interprets any other return value as failure. In your case, the executable is PowerShell.exe.

Please make sure that the script can run successfully outside the installer. After that, test the installer locally and if everything works as expected you can simulate the installation under the GPO by testing the installation under the System account, as described in the How to: become the LOCAL SYSTEM account with PsExec article.

If you look above, you will see that Zsolt received a clear message why the powershell script execution failed:
(UNKNOWN) --> PowerShell Script Execution log:
(UNKNOWN) File C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 cannot be loaded. The file
(UNKNOWN) C:\Users\<username>\AppData\Local\Temp\pssD947.ps1 is not digitally signed. You cannot run this script on the
(UNKNOWN) current system. For more information about running scripts and setting execution policy, see about_Execution_Policies

Let us know if you have any other questions.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team
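A diagnostic that walks through Dan's advice above (check the effective policy and the script's signature on the target machine, then check the exit code the installer will see), added here as an example; it is not code from this thread or from Advanced Installer, and the script path is an assumed placeholder.

```powershell
# Added example (not from the thread or Advanced Installer). Run it in the same
# PowerShell host the custom action uses: the logs above show the 32-bit host in
# SysWOW64, and the 32-bit and 64-bit hosts can carry different LocalMachine policies.
param(
    # Assumed placeholder: point this at the .ps1 the custom action extracts.
    [string]$ScriptPath = 'C:\Temp\CustomFileActionPS.ps1'
)

# 1. Effective execution policy per scope. A policy set by GPO (MachinePolicy or
#    UserPolicy) wins over LocalMachine/CurrentUser and over the -ExecutionPolicy switch.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Signature state of the script. Under AllSigned it runs only when Status is
#    'Valid' and the signing certificate chains to a root the machine trusts; a
#    valid signature from a publisher that is not yet trusted triggers an interactive
#    prompt, which a hidden installer process cannot answer, so the action fails.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status : $($sig.Status)"        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
"Status message   : $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer           : $($sig.SignerCertificate.Subject)"
    "Valid until      : $($sig.SignerCertificate.NotAfter)"
}

# 3. Execute the script the way the custom action does (by file, no prompts) and
#    inspect the exit code. Anything other than 0 surfaces in the MSI log as a
#    failed custom action (error 1722 / 1603), exactly as in the logs above.
& "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" `
    -NonInteractive -NoProfile -File $ScriptPath
"Exit code        : $LASTEXITCODE"
```

Running this under the SYSTEM account (as Dan suggests) shows what the installer itself will see, since user-scope policies and the user's Trusted Publishers store do not apply there.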
