Inject Software Signing Certificate into ISO?

exelanz

Hi all,

I have made some packages for unattended install in .MSIX format. I have signed them with a self-signed certificate (don't want to buy a 300$ certificate). Is there a way in NTLite to put the software signing certificate in the ISO? Otherwise I will get pop-ups during installation about "un trusted signer".

Many thanks in advance.
A
 
I haven't tested it myself, but the steps are essentially:

1. Export your signing cert to a PFX file.
2. Add the PFX file to Post-Setup (Machine).
3. Add new command to import the cert:
Code:
powershell -nop "Import-PfxCertificate -FilePath 'C:\Windows\Setup\Files\my_cert.pfx' -CertStoreLocation 'Cert:\LocalMachine\Root'"

4. Run your self-signed MSIX installers.

You could check the steps without installing Windows by backing up and removing your local cert, and then running the PS command.
 
If the driver/s are already installed somewhere the certificate will be in the Registry. Open certmgr.exe, expand all in the left hand pane, look for the company you used, Properties - Thumbprint, search the registry for that thumbprint id, export and import onto your image.

See garlin's post here.
 
This isn't for drivers, but MSIX installer packages. Same idea, but different certificates.
 
Driver certificates need to be inserted into the image, because most drivers load at boot time. In this case, it's an application package so you can wait and install the PFX files right before calling them.
 
Mod note: Merging question back to original thread.

Hi all,

I read some reports of similar issues on the forum, but did not find my issues. I have the following command in "post setup" section:

"powershell"

with arguments:

-nop "Import-PfxCertificate –FilePath signcert.pfx -CertStoreLocation 'Cert:\LocalMachine\Root' -Password (ConvertTo-SecureString -String "FAKEPW" -Force –AsPlainText)"

But every time I build the iso, in the SetupComplete.cmd file the command is cut and this remains:

@echo off
powershell -nop "Import-PfxCertificate
del /q /f "%0"

Should I make my own script and just call the script or is there another solution?

Thanks in advance.
 
There are two problems in your command line:
1. Copying (off a website) long dashes instead of a normal dash: –FilePath –AsPlainText
2. Not escaping a double-quoted "FAKEPW" inside the outer quotes. A single-quote will do, because you don't need variable substitution.

Corrected line:
Code:
-nop "Import-PfxCertificate -FilePath signcert.pfx -CertStoreLocation 'Cert:\LocalMachine\Root' -Password (ConvertTo-SecureString -String 'FAKEPW' -Force -AsPlainText)"
Code:
@echo off
powershell -nop "Import-PfxCertificate -FilePath signcert.pfx -CertStoreLocation 'Cert:\LocalMachine\Root' -Password (ConvertTo-SecureString -String 'FAKEPW' -Force -AsPlainText)"
del /q /f "%0"
 
Ouch... I corrected the errors, and indeed the SetupComplete.cmd is now correctly built into the ISO.

However, the installation of Windows succeeds but the certificate is not imported and some other software is not installed.

I tested commands on an installed Windows machine and the commands succeed.

Is there some kind of installation log file where I can see what happened? Or is there another way to deal with this issue?

Many thanks in advance.

Note: I ran both commands from the SetupComplete.cmd manually on the newly installed Windows machine and that did work. So definitely an installation issue. I am using "%WINDIR%\Setup\Files\signcert.pfx" as the path in the SetupComplete.cmd file, I have a feeling that this is not correct?
 
Your PFX path is wrong, look in my first example:
Code:
powershell -nop "Import-PfxCertificate -FilePath 'C:\Windows\Setup\Files\signcert.pfx' -CertStoreLocation 'Cert:\LocalMachine\Root' -Password (ConvertTo-SecureString -String 'FAKEPW' -Force -AsPlainText)"

If you don't use an absolute path, then SYSTEM defaults to its home path "C:\Windows\System32".
When you add files to Post-Setup, NTLite copies them to the staging folder "C:\Windows\Setup\Files".
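
A variant of the import step that ships only the public certificate, so that no private key and no PFX password end up in SetupComplete.cmd. This is an added example, not code from any poster in this thread or from NTLite. Assumed here: the file name signcert.cer, the thumbprint placeholder, the TrustedPeople store choice, the log path and the script name.

```powershell
# Import-SigningCert.ps1 (hypothetical name), meant for Post-Setup (Machine), e.g.
#   powershell -nop -ExecutionPolicy Bypass -File C:\Windows\Setup\Files\Import-SigningCert.ps1
# Assumption: signcert.cer was produced on the build machine with Export-Certificate,
# so it holds the public certificate only.
$ErrorActionPreference = 'Stop'

# Absolute path: SYSTEM starts in C:\Windows\System32, not in the staging folder.
$CertPath = 'C:\Windows\Setup\Files\signcert.cer'
# Placeholder: pin the thumbprint of your own signing certificate here.
$Expected = '<THUMBPRINT-OF-YOUR-SIGNING-CERT>'
# Assumption: TrustedPeople is enough for a self-signed package signer and is
# narrower than Root, which the thread uses and which trusts the cert for every purpose.
$Store    = 'Cert:\LocalMachine\TrustedPeople'
# Hypothetical log location, so a failed unattended run leaves a trace.
$LogPath  = 'C:\Windows\Temp\Import-SigningCert.log'

Start-Transcript -Path $LogPath -Append | Out-Null
try {
    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "Certificate file not found: $CertPath"
    }

    # Parse the file before it touches the machine store.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    if ($cert.HasPrivateKey) { throw 'File carries a private key; export a .cer, not a .pfx.' }
    if ($cert.Thumbprint -ne $Expected) { throw "Unexpected thumbprint: $($cert.Thumbprint)" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    Import-Certificate -FilePath $CertPath -CertStoreLocation $Store | Out-Null

    # Confirm the store really contains the certificate before packages are installed.
    $installed = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $installed) { throw "Import returned, but $Store has no matching entry." }
    Write-Output "Trusted $($cert.Subject) [$($cert.Thumbprint)] in $Store"
}
catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 1
}
finally {
    # Runs even after 'exit' in the catch block, so the log is always closed.
    Stop-Transcript | Out-Null
}
```

With the placeholder left in place the script stops at the thumbprint check and records the actual thumbprint in the log.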
 
Hi all,

Still trying to solve my (new) issues. First let me show my SetupComplete.cmd as generated by NTLite:

I am now struggling to get the following post-setup command working:

Add-AppPackage -Path "$Env:WinDir\Setup\Files\Evernote_1.0.0.0_x64__faaj7ggaz54tc.msix"

The command is running during installation but fails. I was able to get a screenshot:

1693925835581.png

Could not find additional information in windows event log.

The command runs perfectly when I run it manually. The post-setup runs as administrator, I don't understand why this is flagged as the reason.

Any ideas?

Note: also I don't know why it is complaining about a batch file?


Many thanks in advance.
 
When you want to install Appx packages as SYSTEM, it must be done using Add-AppxProvisionedPackage.

Add-AppxProvisionedPackage installs (provisions) packages to the system.
Add-AppxPackage adds the package to the user's profile.

SYSTEM is never allowed to run Add-AppxPackage since it's not a normal user account with AppData environment. Provisioned packages will be available for all interactive user accounts.
 
Basically I am trying to install my software based on the .MSIX package format. The above-mentioned Add-AppxProvisionedPackage needs the .appx format, right?

So how can I install my .MSIX packages during the post-setup phase?

Many thanks in advance.
 
Move the Add-AppxPackage to Post-Setup (User), so it has a normal user context to run against. I haven't done any MSIX installs, but believe it's the same PS commands for both Appx & MSIX files.
 
Question: do I need to add the installation file as well to the post-setup user? Because I guess the machine part is cleaned up?
 
SetupComplete does clean up the Setup folder on exit. What you can do is create \sources\$OEM$\$1\Path\Folder in the ISO directory.
$1 maps to C:\ on the target disk, anything you put in here is copied out by Setup.

Adjust your commands and path to match where on C:\ you want to stage the files.
 
Quick Update. After reading the small notes in NTLite:

I just had to change:

Add-AppPackage -Path "C:\Windows\Setup\Files\Evernote_1.0.0.0_x64__faaj7ggaz54tc.msix"

to:

Add-AppPackage -Path "C:\Windows\Setup\FilesU\Evernote_1.0.0.0_x64__faaj7ggaz54tc.msix"

And now it perfectly installs my apps!!!!
 