kgranados
Posts: 4
Joined: Fri Jun 07, 2024 3:19 pm

Script temp files invalidating digital signature

Hello,

We are attempting to create an MSI package installer that installs two prerequisites (both are executables). We have included PowerShell scripts as custom actions ("Run PowerShell script file" actions and attaching the scripts) that are meant to run during uninstall, which uninstall the prerequisites upon uninstalling the entire package. The scripts work as expected when testing them in the Sandbox environment without enabling digital signing, but when the package is actually deployed all scripts will need to be signed. The problem we are facing is very similar to the problem discussed here: viewtopic.php?t=34363

When testing the package on our machine, temp files of the scripts are being created which are not being signed, therefore the scripts won't run. We have enabled signing and included a code signing certificate from the certificate store through the digital signature tab. By the way, this certificate is also included in the Trusted Publishers list. Here is the part of the log that shows the problem:
Dumping PowerShell invoke log ...
--> Found PowerShell path: C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
--> PowerShell Script Execution Result Code: 1
--> PowerShell Script Execution log:
File C:\windows\SystemTemp\pss6EFF.ps1 cannot be loaded. The file C:\windows\SystemTemp\pss6EFF.ps1 is not digitally
signed. You cannot run this script on the current system. For more information about running scripts and setting
execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess
CustomAction ur returned actual error code 1603 but will be translated to success due to continue marking
(We have also tried the workaround that was explained in the post mentioned above by Sorin, but the scripts still do not run.)
When attaching the scripts, we have also checked the "digitally sign the script" option under the "PowerShell script options" link.

What can we do so that the scripts actually get signed and run? I sent an email to support at advanced installer dot com with more details about how to reproduce the issue

Thanks,
Kattie

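
The failure in the log above is the standard AllSigned behaviour: the host checks the Authenticode signature of the file it is actually asked to run, which here is the staged copy under SystemTemp, not the script attached in the project. The following is an added example (not code from the post or from Advanced Installer) that signs a constructed sample script with a code-signing certificate from the current user's store and then compares three ways of staging it: a byte-for-byte copy, a rewritten copy, and a copy with the signature block stripped. The file names and the `sig-demo` work folder are assumptions for the example; the `Test-ScriptSignature` helper is defined here, not a built-in.

```powershell
# Added example, not code from the forum post or from Advanced Installer.
# Signs a constructed script, then shows how the Authenticode status differs
# between a copied temp file (runs under AllSigned) and a rewritten one (fails
# with "is not digitally signed", as in the installer log).

# 1. Pick a code-signing certificate from the user store. In a lab you can
#    create one with New-SelfSignedCertificate -Type CodeSigningCert and import
#    it into Trusted Root and Trusted Publishers; until it is trusted,
#    Get-AuthenticodeSignature reports UnknownError instead of Valid.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# 2. Constructed sample script standing in for the prerequisite uninstaller.
$work   = Join-Path $env:TEMP 'sig-demo'          # assumed work folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$script = Join-Path $work 'uninstall-prereqs.ps1'
@'
# Sample body (constructed for this example).
Write-Output 'Removing prerequisites'
'@ | Set-Content -Path $script -Encoding UTF8

# 3. Sign it. The signature is appended as a "# SIG # Begin signature block"
#    comment; any later change to the bytes above that block breaks the hash.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path $Path -Leaf
        Status = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 4a. A byte-for-byte copy (what a correct staging step does) stays Valid.
$copied = Join-Path $work 'pssCOPY.ps1'
Copy-Item -Path $script -Destination $copied -Force
Test-ScriptSignature $copied

# 4b. Re-writing the text (edited body, different encoding) gives HashMismatch.
$rewritten = Join-Path $work 'pssEDIT.ps1'
(Get-Content -Path $script -Raw) -replace 'Removing', 'Deleting' |
    Set-Content -Path $rewritten -Encoding UTF8
Test-ScriptSignature $rewritten

# 4c. Dropping the signature block entirely gives NotSigned, which is the
#     message quoted in the installer log.
$stripped = Join-Path $work 'pssSTRIP.ps1'
(Get-Content -Path $script -Raw) -replace '(?s)# SIG # Begin signature block.*', '' |
    Set-Content -Path $stripped -Encoding UTF8
Test-ScriptSignature $stripped

# 5. Show which execution-policy scope applies on this machine, then run each
#    copy in a child host under AllSigned. -NonInteractive turns the
#    "untrusted publisher" prompt into an error instead of a hang; with the
#    signer in Trusted Publishers (as in the post) there is no prompt.
Get-ExecutionPolicy -List
foreach ($f in $copied, $rewritten, $stripped) {
    & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -NoProfile -NonInteractive -ExecutionPolicy AllSigned -File $f
    "exit code for $(Split-Path $f -Leaf): $LASTEXITCODE"
}
```

Run the block in Windows PowerShell 5.1 as the user whose store holds the certificate. The useful check when an installer reports the error above is step 4 applied to the actual staged file: run `Get-AuthenticodeSignature` on the `pss*.ps1` path from the log before it is deleted, and compare the Status with that of the script attached in the project; `NotSigned` means the signature block never reached the temp file, `HashMismatch` means the bytes were altered on the way.
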
kgranados
Posts: 4
Joined: Fri Jun 07, 2024 3:19 pm

Re: Script temp files invalidating digital signature

Now it works and the scripts are signed and run, but we have no idea what happened. I guess if I can figure out what exactly changed I'll update here, but we are still confused. The only setting we changed was the attached script execution time being "immediately" instead of "during the system is being modified", but even after reverting back to the old setting, it still works?

kgranados
Posts: 4
Joined: Fri Jun 07, 2024 3:19 pm

Re: Script temp files invalidating digital signature

We have made some progress with our package in regards to this issue!

We compared a brand new project to our old project that wasn't working.

In the brand new project, we created a custom action "run PowerShell script file" and set the Execution Time to "Immediately" instead of "When the system is being modified (deferred)". After building and running the new package with this setting, the script worked as it should and was digitally signed.
In this new package, we noticed that in the table editor, the custom action type was 1 for the PowerShell script file.

In our old package that did not digitally sign the scripts, we had initially set the Execution Time for the custom action as "When the system is being modified (deferred)", which showed custom action type 65 in the table editor, and even after changing it to "Immediately", it still didn't work. However, we noticed that the custom action type was still 65. We deleted this custom action and made a new one setting the Execution Time to "Immediately" to begin with, and that's when the script on our old package finally also worked and was digitally signed. The custom action type for this new action was now 1 in the table editor.

So it seems like our issue was to do with the fact that we initially set the Execution Time to deferred, but how come the type in the table editor did not change even after changing it from deferred to immediately? The same thing happened when we tried to reproduce the issue we were having on the new package now that it was working, and we changed the Execution Time from immediately to deferred, but it continued working. In hindsight, it only continued working because the custom action type never changed from 1. This caused a lot of confusion, and it seems pointless to make it possible to change the Execution Time within the same script if it does not actually change anything? Unless I am not correctly understanding how this works.

Also, I can not find a clear answer online about what Custom Action Type 1 and Custom Action type 65 are exactly and what they mean. I see that this page has been linked https://learn.microsoft.com/en-us/windo ... tion-types in Advanced Installer forums before, but I do not see type 65, nor do I really understand what the description for type 1 has to do with our issue. Can anyone help me understand what the custom action types are and how they work?

Also, I would like to understand why the digital signature was not happening during deferred execution time?

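
The numbers in the CustomAction table's Type column are a bitmask defined in the Windows Installer documentation (the msidbCustomActionType* constants on the "Summary List of All Custom Action Types" page and its neighbours). Decoded that way, type 1 is a DLL stored in the Binary table with no option bits, and 65 is 1 + 0x40 (msidbCustomActionTypeContinue: the return code is ignored), which matches the "translated to success due to continue marking" line in the log earlier in the thread; deferred execution is a different bit, 0x400 (msidbCustomActionTypeInScript). The decoder below is an added example, not code from the post or from Advanced Installer; the function name `Get-CustomActionTypeInfo` and the sample values 1025 and 3137 are mine, the bit values are the documented ones.

```powershell
# Added example, not code from the forum post, Advanced Installer, or Microsoft.
# Decodes a Windows Installer CustomAction.Type value into the documented
# msidbCustomActionType* flags.

function Get-CustomActionTypeInfo {
    param([Parameter(Mandatory)][int]$Type)

    # Low 3 bits: the kind of action.
    $baseNames = @{ 1 = 'Dll'; 2 = 'Exe'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'Install' }
    # Bits 0x30: where the action's source lives.
    $sourceNames = @{ 0x00 = 'BinaryData (Binary table)'; 0x10 = 'SourceFile (File table)'
                      0x20 = 'Directory';                  0x30 = 'Property' }
    # Bits 0xC0: return-code processing.
    $returnNames = @{ 0x00 = 'Sync, check return code'; 0x40 = 'Continue (ignore return code)'
                      0x80 = 'Async, wait at end of sequence'; 0xC0 = 'Async, no wait' }
    # Bits 0x700: scheduling. 0x400 (InScript) is what "deferred" means to MSI.
    $scheduleNames = @{ 0x000 = 'Immediate';  0x100 = 'FirstSequence'; 0x200 = 'OncePerProcess'
                        0x300 = 'ClientRepeat'; 0x400 = 'InScript (deferred)'
                        0x500 = 'Rollback';   0x600 = 'Commit' }
    # Single-bit options above 0x700 (NoImpersonate only has meaning with InScript).
    $optionBits = [ordered]@{ 0x0800 = 'NoImpersonate'; 0x1000 = '64BitScript'
                              0x2000 = 'HideTarget';    0x4000 = 'TSAware'; 0x8000 = 'PatchUninstall' }

    $options = foreach ($bit in $optionBits.Keys) { if ($Type -band $bit) { $optionBits[$bit] } }

    [pscustomobject]@{
        Type       = $Type
        Base       = $baseNames[$Type -band 0x7]
        Source     = $sourceNames[$Type -band 0x30]
        Return     = $returnNames[$Type -band 0xC0]
        Scheduling = $scheduleNames[$Type -band 0x700]
        Options    = ($options -join ', ')
    }
}

# The two values seen in the table editor, plus what deferred variants look like
# (1025 = Dll + InScript; 3137 = Dll + Continue + InScript + NoImpersonate).
1, 65, 1025, 3137 | ForEach-Object { Get-CustomActionTypeInfo $_ } | Format-Table -AutoSize
```

The practical use is the same as in the post: read the Type value straight from the built MSI (the table editor, or Orca) rather than trusting the UI label, and look for the 0x400 bit when you need to know whether an action will really run from the installation script. A value of 65 carries no InScript bit, so Windows Installer treats it as an immediate action whatever the Execution Time field said.
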
Dan
Posts: 4529
Joined: Wed Apr 24, 2013 3:51 pm

Re: Script temp files invalidating digital signature

Hello,

I apologize for the late reply, we were quite busy these days.

This issue is currently under investigation and we'll get back to you once we have all the details. Thank you for your understanding.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team