Introduction
If a user’s Group Policy settings have been changed so that PowerShell only runs signed scripts, the FME Flow installation will fail when the installer is run as that user. This setting is displayed as the “AllSigned” execution policy in the PowerShell UI or as “Allow only signed scripts” in the Group Policy Management Console (GPMC). The following solution adds Safe Software Inc. as a Trusted Publisher so that FME Flow can execute the required PowerShell scripts and be installed and run successfully. One script commonly affected by this setting is <FMEFlowInstallDirectory>\Utilities\setupPostGreSQL.ps1.
Note: This solution applies when a user’s Group Policy settings have been changed to only allow AllSigned PowerShell scripts. To change enterprise-wide settings, the process may be different.
Step-by-Step Instructions
Part 1: Generate the Certificate File (.cer) using an FME installer PowerShell script
- Install FME Flow and take note of the install location path that you selected. The installation will fail because of your Group Policy settings; this is expected. FME Flow must still be installed so that you can access the setupPostGreSQL.ps1 script (used as the example here) and generate the .cer file from it.
- Run PowerShell as administrator.
- Run the following PowerShell command (use your own FME install location path for the script in the -FilePath option):
$signature = Get-AuthenticodeSignature -FilePath "C:\Program Files\FMEFlow\Utilities\setupPostGreSQL.ps1"
This command is used to get the Authenticode signature of a file, in this case, the PowerShell script located at C:\Program Files\FMEFlow\Utilities\setupPostGreSQL.ps1. Authenticode is a Microsoft technology that uses digital signatures to ensure the authenticity and integrity of a file.
- Run the following PowerShell command with the location you want the .cer file to be saved to:
$certPath = "C:\Users\YOURNAME\Desktop\SafeSoftwareCertificate.cer"
The $certPath variable is assigned the path to a certificate file. You can use this certificate for signing PowerShell scripts.
- Run the following PowerShell command to generate the .cer file:
[System.IO.File]::WriteAllBytes($certPath, $signature.SignerCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
This command will export the signer's certificate from a file signature and write it to the specified path $certPath defined in the previous command.
Part 2: Add the Certificate File to the Microsoft Management Console
- Open the Microsoft Management Console (MMC). Press Win + R to open the Run dialog, type "mmc" and press Enter. MMC must be run elevated, as Administrator.
- In MMC, go to "File" > "Add/Remove Snap-in".
- In the “Add or Remove Snap-ins” dialog box, select “Certificates” and then click Add.
- In the “Certificates snap-in” dialog box, select “Computer account” and then click Next.
- In the “Select Computer” dialog box, select “Local computer” and then click Finish.
- In the “Add or Remove Snap-ins” dialog box, click OK.
- In the console tree, navigate to “Certificates (Local Computer)” > “Trusted Publishers”.
- Right-click the Certificates folder, point to All Tasks, and then click Import. If the Certificates folder is missing, right-click "Trusted Publishers" instead and click "Import".
- Follow the instructions in the “Certificate Import Wizard” to find and import the certificate. When asked for the file to import, browse to the SafeSoftwareCertificate.cer file created earlier.
- After the certificate import is complete, the certificate should appear under the “Trusted Publishers” store.
- You may now close the MMC. You will encounter an optional prompt to save the console settings.
- Uninstall FME and re-install FME. You should now be able to run signed scripts by Safe Software Inc. and FME should run successfully.
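Parts 1 and 2 can also be carried out from a single elevated PowerShell session, with a check that the script's signature is valid and comes from the expected publisher before that publisher is trusted machine-wide. This is an added example, not Safe Software's own script; the install path is the one used above, and the %TEMP% output path and the "Safe Software" subject match are assumptions to adjust for your environment.

```powershell
# Added example: run in an elevated PowerShell session.
# Assumptions: install path as in the article; .cer written to %TEMP%.
$scriptPath = 'C:\Program Files\FMEFlow\Utilities\setupPostGreSQL.ps1'
$certPath   = Join-Path $env:TEMP 'SafeSoftwareCertificate.cer'

# Show which scope enforces AllSigned (Group Policy appears as MachinePolicy/UserPolicy).
Get-ExecutionPolicy -List | Format-Table -AutoSize

$signature = Get-AuthenticodeSignature -FilePath $scriptPath

# Stop if the file is unsigned, modified after signing, or the chain is not trusted.
if ($signature.Status -ne 'Valid') {
    throw "Signature on '$scriptPath' is $($signature.Status): $($signature.StatusMessage)"
}

$signer = $signature.SignerCertificate

# Print what is about to be trusted so it can be reviewed and recorded.
$signer | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# Assumption: the publisher name appears in the certificate subject.
if ($signer.Subject -notmatch 'Safe Software') {
    throw "Unexpected signer: $($signer.Subject)"
}

# Part 1: export the signer's public certificate (no private key is involved).
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($certPath, $signer.Export($certType))

# Part 2: import into the Local Computer "Trusted Publishers" store.
Import-Certificate -FilePath $certPath `
    -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# Confirm that the store now holds exactly the certificate that signed the script.
$installed = Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if (-not $installed) {
    throw 'Certificate was not found in Trusted Publishers after import.'
}
"Trusted publisher added: $($installed.Subject) [$($installed.Thumbprint)]"
```

Recording the printed thumbprint gives you a value to compare against if the entry in Trusted Publishers is ever audited or needs to be removed.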