July 24, 2015 at 6:59 am

Hi everyone. I have a problem with adding a digital signature to my script. I cannot figure out what I am doing wrong.

These are the steps that I did:

– First, I created a self-signed certificate:
PS New-SelfSignedCertificate -DnsName test -CertStoreLocation Cert:\CurrentUser\My

– Second, I added the certificate to a variable:
PS $cert = Get-Item Cert:\CurrentUser\My\7EEEB8FD2421BA55E0F0D6BEE6EF5FB03A3CF2E1

– Third, I tried to add the certificate to the script:
PS Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate $cert

And I get the following error:

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At line:1 char:1
+ Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand

Can someone help?

July 24, 2015 at 7:23 am

If you try this:

ls Cert:\CurrentUser\My -CodeSigningCert

you won't see any result.

Which means that New-SelfSignedCertificate doesn't appear to create a cert you can use to sign code. Which is odd, as the documentation in the help file leads you to believe you can.

I'll dig a bit more.

July 24, 2015 at 11:13 am

Unfortunately New-SelfSignedCertificate is a very watered down cmdlet that does not support creating code signing certificates.

You have three options:

1) Buy a proper code signing certificate
2) Use the makecert.exe tool – https://msdn.microsoft.com/en-us/library/windows/desktop/jj835832(v=vs.85).aspx (this guide is more in-depth than just creating the certificate, but you should be able to extract the necessary information)
3) Install the Active Directory Certificate Services role on a Windows Server VM and issue yourself a code signing certificate

July 25, 2015 at 3:49 am

There are instructions on using makecert to generate a self-signed code signing cert in the about_signing help file.

July 25, 2015 at 5:36 am

You can get the makecert utility for Windows 8.1 from https://msdn.microsoft.com/en-gb/windows/desktop/bg162891.aspx

You'll find it in
C:\Program Files (x86)\Windows Kits\8.1\bin\x64
or
C:\Program Files (x86)\Windows Kits\8.1\bin\x86

July 27, 2015 at 12:39 am

Thanks everyone for the help.

January 15, 2016 at 1:54 pm

I'm brand new at this stuff, so creating a code signing certificate for experimentation was one of the first things I had to do; I just figured this out today. Here is the command I gave, except I have faked my email address:

First, in PowerShell, navigate to cert:\CurrentUser\My.

Then give this command:

CurrentUser\my> New-SelfSignedCertificate -Subject "E=ga@nowhere.invalid,CN=Gerard Ashton" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3")

In the TextExtension property, 2.5.29.37 means Enhanced Key Usage, and 1.3.6.1.5.5.7.3.3 means code signing.

One area I will need to explore is how hard it would be for just anyone to use this certificate; I have a feeling I should be doing more to secure it. Use this technique with due caution.

Followup: once you create the certificate, you need to trust it. Navigate to Control Panel and type "certificate" in the search window. Then choose Manage User Certificates. Then go into the "Trusted Root Certification Authorities" and import the certificate you just created. You will find it in

C:\Users\YourUserName\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates

When you are trying to import it, be sure the file extension is set to *.* all files, because this file doesn't have any extension.
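The whole workflow the thread arrives at, as an added example rather than any poster's own code: create a self-signed certificate that carries the code-signing Enhanced Key Usage, run the -CodeSigningCert check from the second reply, sign a script, and inspect the resulting signature status. The subject name and script path are constructed for the example; it assumes a New-SelfSignedCertificate that accepts -Subject and -TextExtension, as in the last post.

```powershell
# Added example, not code from the thread. Constructed values:
$subject    = "CN=Example Code Signing (constructed)"
$scriptPath = Join-Path $env:TEMP "signtest.ps1"

# 2.5.29.37 is the Enhanced Key Usage extension; 1.3.6.1.5.5.7.3.3 is the
# Code Signing purpose. Without this extension the cmdlet produces a cert that
# Set-AuthenticodeSignature rejects as "not suitable for code signing".
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3")

# Same check the second reply used: the cert must show up under
# -CodeSigningCert, otherwise signing will fail with the error in the question.
$found = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $found) {
    throw "Certificate $($cert.Thumbprint) is not recognised as a code-signing cert"
}

# Write a small script and sign it with the new certificate.
Set-Content -Path $scriptPath -Value 'Write-Output "signed test script"'
$null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert

# The signature is present, but until the self-signed cert is trusted on this
# machine (the Trusted Root import described in the last post) the chain does
# not end at a trusted root, so Status is typically UnknownError rather than Valid.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"{0}: {1} (signer: {2})" -f $scriptPath, $check.Status, $check.SignerCertificate.Subject
$check.StatusMessage

# The private key for this cert now lives in the current user's store; the EKU
# extension limits what the cert can be used for, but the key itself is only as
# protected as that user profile, which is the concern raised in the last post.
```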