signing a script

This topic contains 4 replies, has 3 voices, and was last updated by Michael Delaney 2 years, 5 months ago.

  • #24880

    Michael Delaney
    Participant

    I'm trying to sign a script but not having much luck. I'm using this to get the code signing portion of my certificate:

    $sig = Get-ChildItem -path cert:/currentuser/my/ -codesigningcert
    Set-AuthenticodeSignature -path C:/scripts/myscript.ps1 -certificate $sig

    I receive an error when I run set-authenticodesignature indicating that $sig is null.

    My environment uses Entrust PKI certificates.

    Any suggestions would be appreciated.

  • #24881

    Dave Wyatt
    Moderator

    If $sig is null, then you don't have a code-signing certificate installed.

  • #24882

    Dave Wyatt
    Moderator

    Here's a quick command to verify that. An authenticode certificate would have "Code Signing" as one of its EnhancedKeyUsages:

    $props = 'Thumbprint',
             'Subject',
             @{Name = 'EnhancedKeyUsages'; Expression = { $_.Extensions | ? { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } | % EnhancedKeyUsages | % FriendlyName } }
    
    Get-ChildItem Cert:\CurrentUser\My | Select  $props | Format-List
    
  • #24883

    Don Jones
    Keymaster

    Keep in mind the certificate has to be CODE SIGNING (not another type), and needs to be installed in the My Certificates store – not in the machine store or elsewhere.

  • #24890

    Michael Delaney
    Participant

    Much appreciated for the snippet, Dave.

    The results returned from the snippet confirm that my cert is not a code signing cert, even though the certificate definition indicates that it can be used for code signing.
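The check discussed in this thread, as an added example that is not code from any of the posters: it lists every certificate in a store and states why it would or would not be picked up as a code-signing certificate. The function name `Test-CodeSigningEligibility` and the `LooksUsable`/`Reason` columns are hypothetical, and the example assumes two criteria only: the Enhanced Key Usage extension lists the Code Signing OID, and the private key is present.

```powershell
# Added example (not from the thread). Matches on the EKU OID rather than the
# FriendlyName, so the result does not depend on the display language.
function Test-CodeSigningEligibility {
    param(
        # Store to inspect; the thread uses the current user's personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the OIDs from the Enhanced Key Usage extension, if one exists.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Assumed criteria for this example: Code Signing EKU and a private key.
        $reasons = @()
        if ($ekuOids.Count -eq 0) {
            $reasons += 'no Enhanced Key Usage extension'
        }
        elseif ($ekuOids -notcontains $codeSigningOid) {
            $reasons += 'Enhanced Key Usage does not list Code Signing'
        }
        if (-not $cert.HasPrivateKey) {
            $reasons += 'no private key in this store'
        }

        [pscustomobject]@{
            Thumbprint        = $cert.Thumbprint
            Subject           = $cert.Subject
            EnhancedKeyUsages = $ekuOids -join ', '
            HasPrivateKey     = $cert.HasPrivateKey
            NotAfter          = $cert.NotAfter
            LooksUsable       = ($reasons.Count -eq 0)
            Reason            = $reasons -join '; '
        }
    }
}

Test-CodeSigningEligibility | Format-List
```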
