Topics - korebreach

1
We are in the situation where we have an "all purposes" certificate, rather than a "code signing" certificate as our WSUS cert.  This cert is placed in the appropriate stores and was specified for use by PMPC (signing the detection script, etc.).  We knew from articles on these forums that this wasn't going to work, as PMPC requires a true "code signing" certificate.  Because our SCCM environment client settings are configured for "bypass" on PowerShell scripts, this wasn't a problem.  Detection script signing would fail, but it wouldn't matter.  The only evidence of the failures was that our PMPC reports would show, "An error occurred while signing the file, but there is no error message to display."  The report would show that the application creation failed, but it was still present in SCCM.  It just didn't have the detection script signed.

We knew that we needed to get around to fixing this, especially since we are doing initial steps into Intune, and at that point, the detection script signing would be necessary.

However... on June 16th, PMPC released an update to the publishing service, which was installed automatically during a sync.  The release notes show that some functionality was added to re-sign updates, as well as an option to do a registry key related to signing with PowerShell vs. .NET.  None of this seems quite applicable to our situation (using an all-purposes certificate), but for some reason, even without setting any registry key, the signing seems to now be working.  No errors in the publishing logs.  No errors in the reports.

Looking at the publishing logs, I see:

Creating PowerShell detection script.   Worker   6 (0x0006)
Signing C:\Program Files\Patch My PC\Patch My PC Publishing Service\Detection Method Scripts\VLC Media Player 3.0.16 (EXE-x64).ps1 with the code signing certificate [Thumbprint=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX][Store=LocalMachine\WSUS]   CertManager   6 (0x0006)
Signing with Windows native method...   CertManager   6 (0x0006)

So, it appears that the detection scripts are now getting signed.  Is this just a happy undocumented extra bonus?
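
One way to confirm what the log lines above suggest, as an added example that is not part of the original post and is not Patch My PC code: inspect the EKU extension on the certificate in the LocalMachine\WSUS store, then check the Authenticode status of the detection scripts. The thumbprint is a placeholder, and the script assumes the .ps1 files are still present in the folder named in the log.

```powershell
# Added example (not PMPC code). Run on the server hosting the publishing service.
$Thumbprint      = '<WSUS-SIGNING-CERT-THUMBPRINT>'  # placeholder; the post redacts the real value
$ScriptDir       = 'C:\Program Files\Patch My PC\Patch My PC Publishing Service\Detection Method Scripts'  # from the log
$CodeSigningOid  = '1.3.6.1.5.5.7.3.3'               # id-kp-codeSigning
$EkuExtensionOid = '2.5.29.37'                       # Enhanced Key Usage extension

# 1. What does the certificate's EKU extension allow?
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\WSUS" }

$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
if (-not $ekuExt) {
    Write-Output 'EKU extension: absent (the extension places no restriction on usage)'
} else {
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    Write-Output ('EKU extension: {0}' -f ($oids -join ', '))
    Write-Output ('Lists Code Signing: {0}' -f ($oids -contains $CodeSigningOid))
}
Write-Output ('Has private key: {0}; expires: {1:u}' -f $cert.HasPrivateKey, $cert.NotAfter)

# 2. Are the detection scripts on disk actually signed, and by this certificate?
Get-ChildItem -LiteralPath $ScriptDir -Filter '*.ps1' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        Script        = $_.Name
        Status        = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignedByWsus  = ($null -ne $sig.SignerCertificate -and
                         $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
        StatusMessage = $sig.StatusMessage
    }
} | Format-Table -AutoSize -Wrap
```

A status of NotSigned means the signing step did not take effect for that file, whatever the publishing log says. A status other than Valid on a signed file points at trust or integrity (for example the signer not being trusted on the machine running the check).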

2
I just did my first test after configuring PMPC to publish applications to SCCM (Base Install).  The applications do get published to SCCM, and a test of deploying one of the applications to my PC worked fine (7-Zip .MSI version).  However, the PMPC publishing service logs show the following error for every application that gets sent to SCCM:

"An error occurred while signing the PowerShell detection script, but there is no error message to display."

I do have the option configured in the Base Install Options to "Code-sign the PowerShell detection method script using the WSUS Signing Certificate".

Since the deployment/installation was a success, should I worry about the error message?
