PrimalScript 2021 code signing not *really* working

This topic is 2 years and 3 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Post by cobrien »


Product, version and build: PrimalScript, ver 8.0.157, build 110421, x64
Operating system: Win10 20H2 build 19042.1415
PowerShell version(s): 5.1.19041.1320


Trying to use PrimalScript to sign a PowerShell script. PrimalScript goes thru the motions of signing my script, adding a signature block and saving the file, but the result is the absence of the 'Digital Signatures' tab in file properties.

If I use the same code signing cert to sign the script manually using Set-AuthenticodeSignature, file properties does show 'Digital Signatures' tab. I am also using the same timestamp server for both methods, h_t_t_p:// timestamp(dot)globalsign(dot)com/scripts/timstamp.dll/?signature=sha2 (underscores & (dot)s added to get past "less than 5 post/external link" forum rule). I have a single code signing cert in my personal store. I have tried to define the cert within options in PrimalScript. I have uninstalled, cleared registry values for PrimalScript in Current User and Local Machine, rebooted, and installed ver 8.0.157 build 110421 (same version I uninstalled, but it was upgraded from 8.0.152 in troubleshooting previously. 8.0.152 was doing the same thing).

Comparing the signature blocks from the two methods, the PrimalScript block is about 150 lines and the manually signed block is 187 lines.

Get-AuthenticodeSignature on manually signed script Status=Valid. Get-AuthenticodeSignature on PrimalScript signed script Status=NotSigned.

CertificateThumbPrint value at HKEY_CURRENT_USER\SOFTWARE\SAPIEN Technologies, Inc.\PrimalScript 2021\WSH displays correct thumbprint for my current cert.

Previous versions of PrimalScript on my last PC worked without issue and as expected. I do not recall the PrimalScript version I was running at that time, only that it worked for years, thru upgrades and a new code signing cert every year for 4+ years.

Post by Alexander Riedel »

I did a quick test with our signature and it signed it fine, using the same time stamp server.
Saying PrimalScript's signing isn't working is really saying Windows's signing isn't working.
As PrimalScript uses a Windows API function to sign files, it does not really have any options for messing with it.

A lot of times, if signing fails, it is because the signature is not compatible with the time stamp server.
Do the following tests:

- Sign an exe created with the script packager. Does that have a valid signature?
- Sign without a time stamp. Does that make it valid?
- Sign using a few different time stamp servers. Does that change anything?

If none of this changes, please indicate the vendor of the signature and its validity dates.
Alexander Riedel
SAPIEN Technologies, Inc.
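
A side-by-side inspection of the two files compared in the first post (one signed by PrimalScript, one by Set-AuthenticodeSignature), as an added example that is not part of the thread and is not SAPIEN code. The function name `Get-ScriptSignatureReport` and the file names in the usage comment are assumptions, and it targets Windows PowerShell 5.1, the version reported above.

```powershell
# Added diagnostic example; not from the thread and not SAPIEN code.
Add-Type -AssemblyName System.Security   # provides SignedCms on Windows PowerShell 5.1

function Get-ScriptSignatureReport {
    param([Parameter(Mandatory)][string[]]$Path)

    $beginMark = '# SIG # Begin signature block'
    $endMark   = '# SIG # End signature block'

    foreach ($p in $Path) {
        $full  = (Resolve-Path -LiteralPath $p).ProviderPath
        $sig   = Get-AuthenticodeSignature -LiteralPath $full
        $bytes = [System.IO.File]::ReadAllBytes($full)
        $lines = [System.IO.File]::ReadAllLines($full)

        # Byte-order mark, read from the first bytes of the file
        $head = [BitConverter]::ToString($bytes, 0, [Math]::Min(3, $bytes.Length))
        $bom  = switch -Wildcard ($head) {
            'EF-BB-BF' { 'UTF-8' }
            'FF-FE*'   { 'UTF-16 LE' }
            'FE-FF*'   { 'UTF-16 BE' }
            default    { 'none' }
        }

        # Locate the signature block and decode its base64 body as PKCS#7
        $begin = [Array]::IndexOf($lines, $beginMark)
        $end   = [Array]::IndexOf($lines, $endMark)
        $blockLines = 0; $certs = $null; $unsigned = $null; $decode = 'no block found'
        if ($begin -ge 0 -and $end -gt $begin + 1) {
            $blockLines = $end - $begin + 1
            $b64 = ($lines[($begin + 1)..($end - 1)] -replace '^#\s*', '') -join ''
            try {
                $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
                $cms.Decode([Convert]::FromBase64String($b64))
                $certs    = $cms.Certificates.Count
                # A timestamp counter-signature is stored as an unsigned attribute
                $unsigned = $cms.SignerInfos[0].UnsignedAttributes.Count
                $decode   = 'ok'
            } catch { $decode = "failed: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            File = Split-Path $full -Leaf; Status = $sig.Status
            StatusMessage = $sig.StatusMessage; Bom = $bom
            BlockLines = $blockLines; CmsDecode = $decode
            EmbeddedCerts = $certs; UnsignedAttrs = $unsigned
        }
    }
}
# Usage (hypothetical file names):
# Get-ScriptSignatureReport .\signed-by-primalscript.ps1, .\signed-manually.ps1 | Format-List
```

Differences in `Bom`, `EmbeddedCerts` or `UnsignedAttrs` between the two rows show whether the shorter block is missing a timestamp or chain certificates, or whether the file was saved in a different encoding.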