signing a script

This topic contains 4 replies, has 3 voices, and was last updated by Michael Delaney 2 years, 2 months ago.

  • #24880
    Michael Delaney
    Participant

    I'm trying to sign a script but not having much luck. I'm using this to get the code signing portion of my certificate:

    # Ask the certificate provider for code-signing certs in the current user's personal store
    $sig = Get-ChildItem -Path cert:/currentuser/my/ -CodeSigningCert
    # Sign the script with whatever the previous line returned (null if no code-signing cert was found)
    Set-AuthenticodeSignature -FilePath C:/scripts/myscript.ps1 -Certificate $sig

    I receive an error when I run set-authenticodesignature indicating that $sig is null.

    My environment uses Entrust PKI certificates.

    Any suggestions would be appreciated.

  • #24881
    Dave Wyatt
    Moderator

    If $sig is null, then you don't have a code-signing certificate installed.

  • #24882
    Dave Wyatt
    Moderator

    Here's a quick command to verify that. An authenticode certificate would have "Code Signing" as one of its EnhancedKeyUsages:

    # Columns to show: thumbprint, subject, and the friendly names of every Enhanced Key Usage on the cert
    $props = 'Thumbprint',
             'Subject',
             @{Name = 'EnhancedKeyUsages'; Expression = {
                 $_.Extensions |
                     Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                     ForEach-Object EnhancedKeyUsages |
                     ForEach-Object FriendlyName } }

    # List every certificate in the current user's personal store with those columns
    Get-ChildItem Cert:\CurrentUser\My | Select-Object $props | Format-List
    
  • #24883
    Don Jones
    Keymaster

    Keep in mind the certificate has to be CODE SIGNING (not another type), and needs to be installed in the My Certificates store – not in the machine store or elsewhere.
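The two checks made in the replies above (the certificate must carry the Code Signing enhanced key usage, and it must sit in the CurrentUser\My store with its private key) can be combined into one inventory-then-sign script. The following is an added example, not code posted by anyone in this thread: it matches the EKU by OID rather than by FriendlyName (FriendlyName is localized and can differ between systems), reports which store each certificate lives in, and only then calls Set-AuthenticodeSignature and verifies the result with Get-AuthenticodeSignature. The script path is a placeholder and the function name is my own.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell or PowerShell on
# Windows, where the Cert: drive and the Authenticode cmdlets are available.
# $scriptPath below is a placeholder; point it at the script you want to sign.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning: the EKU Set-AuthenticodeSignature requires

function Get-CertificateInventory {
    # Walks the given stores and reports, per certificate, whether it is usable for signing.
    param([string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            # Pull the EKU extension (if any) and test for the code-signing OID
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $hasCodeSigning = $false
            if ($eku) {
                $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
            }
            [pscustomobject]@{
                Store          = $store
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                HasPrivateKey  = $cert.HasPrivateKey   # signing needs the private key, not just the public cert
                CodeSigningEku = $hasCodeSigning
                NotAfter       = $cert.NotAfter
            }
        }
    }
}

# 1. Show everything, so a cert that is in the wrong store or lacks the EKU is visible
$inventory = Get-CertificateInventory
$inventory | Format-Table -AutoSize

# 2. Keep only certs that satisfy all the conditions the replies call out
$usable = $inventory | Where-Object {
    $_.CodeSigningEku -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Store -eq 'Cert:\CurrentUser\My'
}

if (-not $usable) {
    Write-Warning 'No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My; nothing to sign with.'
    return
}

# 3. Sign with the first usable certificate and verify the signature on the file
$cert       = Get-Item -Path ('Cert:\CurrentUser\My\' + $usable[0].Thumbprint)
$scriptPath = 'C:\scripts\myscript.ps1'   # placeholder path

$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
$check  = Get-AuthenticodeSignature -FilePath $scriptPath

# Status is Valid only if the chain is trusted on this machine; NotTrusted means the
# file is signed but the signer's chain is not trusted here.
"Signed with {0}: {1} ({2})" -f $cert.Thumbprint, $check.Status, $check.StatusMessage
```

If the inventory shows the certificate only under Cert:\LocalMachine\My, or with CodeSigningEku false, the fix is on the PKI side (request or re-enroll a certificate with the Code Signing EKU into the user's personal store), not in the signing command. Adding -TimestampServer with your PKI's RFC 3161 timestamp service keeps the signature valid after the certificate itself expires.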

  • #24890
    Michael Delaney
    Participant

    Much appreciated for the snippet, Dave.

    The results returned from the snippet confirm that my cert is not a code signing cert, even though the certificate definition indicates that it can be used for code signing.
