mcseforsale
Posts: 57
Joined: Wed Mar 27, 2013 10:53 pm

Customer requires signed PowerShell scripts

We have a customer who requires all PowerShell scripts to be signed when executed via installer (or otherwise). Can you install the certificate using a custom action, run the PowerShell custom action, then uninstall the certificate? So far, I cannot get this to work and have to revert to Windows batch script. The documentation for signing PowerShell in the custom action documentation isn't clear on the requirements.

Thanks!
Andy
Liviu
Posts: 1273
Joined: Tue Jul 13, 2021 11:29 am

Re: Customer requires signed PowerShell scripts

Hello Andy,

Do you use the "Digitally sign the script" option from the "PowerShell Script Options" option of your custom action script?

If so, you need to sign your installer in the Digital Signature page with a certificate from a trusted vendor. If using a self-generated signing certificate, you have to make sure the certificate is placed in the Trusted Root Certification or Trusted Publishers stores on the machine. If the certificate is missing from the above stores, the digital signature is not recognized and the execution of a signed script on a machine with restricted policy will fail.

Also, we have predefined custom actions to install/uninstall a certificate. More details on the Install certificate article.

These custom actions can only install certificates that have the CER extension.

Hope this helps!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
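
The trust requirement described in the reply above can be checked on a target machine before the installer runs. This is an added example, not part of the original posts and not Advanced Installer code; the `$ScriptPath` parameter and the `Test-SignerInStore` helper are hypothetical names, and it assumes the certificate was installed into the LocalMachine stores (CurrentUser stores are not checked).

```powershell
# Pre-flight check for a signed .ps1: reports the Authenticode status and
# whether the signer certificate is present in the machine trust stores.
param(
    [Parameter(Mandatory)]
    [string]$ScriptPath   # hypothetical parameter: the signed script to verify
)

# Hypothetical helper: is a certificate with this thumbprint in the given
# LocalMachine store ('Root' or 'TrustedPublisher')?
function Test-SignerInStore {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StoreName
    )
    $match = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
    return [bool]$match
}

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

$report = [pscustomobject]@{
    Script             = $ScriptPath
    EffectivePolicy    = Get-ExecutionPolicy   # policy in effect for this session
    SignatureStatus    = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
    StatusMessage      = $sig.StatusMessage
    SignerSubject      = $null
    SignerThumbprint   = $null
    SelfSigned         = $null
    InTrustedRoot      = $null
    InTrustedPublisher = $null
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $report.SignerSubject      = $cert.Subject
    $report.SignerThumbprint   = $cert.Thumbprint
    $report.SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    $report.InTrustedRoot      = Test-SignerInStore -Certificate $cert -StoreName 'Root'
    $report.InTrustedPublisher = Test-SignerInStore -Certificate $cert -StoreName 'TrustedPublisher'
}

$report | Format-List

# Non-zero exit lets a calling installer step or CI job fail fast.
if ($sig.Status -ne 'Valid') { exit 1 }
```

A `HashMismatch` status means the script was modified after signing, so re-sign it after any edit rather than adjusting the trust stores.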