April 30, 2015 at 5:11 pm

I'm trying to sign a script but not having much luck. I'm using this to get the code signing portion of my certificate:

$sig = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath C:\scripts\myscript.ps1 -Certificate $sig

I receive an error when I run set-authenticodesignature indicating that $sig is null.

My environment uses Entrust PKI certificates.

Any suggestions would be appreciated.

April 30, 2015 at 5:21 pm

If $sig is null, then you don't have a code-signing certificate installed.

April 30, 2015 at 5:25 pm

Here's a quick command to verify that. An authenticode certificate would have "Code Signing" as one of its EnhancedKeyUsages:

$props = 'Thumbprint',
         'Subject',
         @{Name = 'EnhancedKeyUsages'; Expression = { $_.Extensions | ? { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } | % EnhancedKeyUsages | % FriendlyName } }

Get-ChildItem Cert:\CurrentUser\My | Select  $props | Format-List

April 30, 2015 at 5:52 pm

Keep in mind the certificate has to be CODE SIGNING (not another type), and needs to be installed in the My Certificates store – not in the machine store or elsewhere.

May 1, 2015 at 5:07 am

Much appreciated for the snippet, Dave.

The results returned from the snippet confirm that my cert is not a code signing cert, even though the certificate definition indicates that it can be used for code signing.
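
An added example, not part of the original thread: the EKU check from the replies above, extended to report for each certificate in Cert:\CurrentUser\My whether it carries the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) and a private key, which signing requires, alongside its Key Usage flags. The function name Get-SigningReadiness is hypothetical.

```powershell
# Added example: report, per certificate, the properties that decide whether it
# can be used with Set-AuthenticodeSignature. Get-SigningReadiness is a
# hypothetical helper name, not a built-in cmdlet.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-SigningReadiness {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        $ekuOids  = @()
        $keyUsage = 'not present'
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                # Collect the raw OIDs; friendly names can be localized or empty.
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
                # Key Usage (e.g. DigitalSignature) is a separate extension from EKU.
                $keyUsage = $ext.KeyUsages.ToString()
            }
        }

        $hasEku = $ekuOids -contains $CodeSigningOid
        [pscustomobject]@{
            Thumbprint        = $Certificate.Thumbprint
            Subject           = $Certificate.Subject
            KeyUsage          = $keyUsage
            EkuOids           = $ekuOids -join ', '
            HasCodeSigningEku = $hasEku
            HasPrivateKey     = $Certificate.HasPrivateKey
            UsableForSigning  = $hasEku -and $Certificate.HasPrivateKey
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Get-SigningReadiness | Format-List
```

A certificate whose Key Usage includes DigitalSignature but whose EkuOids lacks 1.3.6.1.5.5.7.3.3 shows HasCodeSigningEku as False here.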