UnknownError when signing powershell script via Set-AuthenticodeSignature

This topic contains 3 replies, has 2 voices, and was last updated by Dave Wyatt 2 years, 5 months ago.

  • #31670


    I have obtained a code signing cert from our trusted CA. I am trying to sign a script in PowerShell ISE but getting "UnknownError." I have tried encoding the script as UTF-8, but I'm still getting the same error. I have verified the script is UTF-8 as well.

    # Pick the code-signing certificate out of the current user's personal store
    $cert = (dir cert:currentuser\my\ -CodeSigningCert)
    # Sign the script with that certificate
    Set-AuthenticodeSignature C:\Scripts\Certtestnew.ps1 $cert

    Even though I'm getting "UnknownError", it still appears to sign the script. Although, when I run the script, I receive "The contents of file C:\Scripts\Certtestnew.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature."

  • #31678

    Dave Wyatt

    Can you post the complete error message? Also, what do you get when you run "$cert | Format-List *"?

  • #31680


    Error was:
    File C:\Scripts\Certtestnew.ps1 cannot be loaded. The contents of file C:\Scripts\Certtestnew2.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not
    execute on the system. Please see "get-help about_signing" for more details..
    + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess

    $cert info:
    PSPath : Microsoft.PowerShell.Security\Certificate::currentuser\my\FDCD31216C3491C2809441344EE6EF5E01EB0550
    PSParentPath : Microsoft.PowerShell.Security\Certificate::currentuser\my
    PSChildName : FDCD31216C3491C2809441344EE6EF5E01EB0550
    PSDrive : Cert
    PSProvider : Microsoft.PowerShell.Security\Certificate
    PSIsContainer : False
    EnhancedKeyUsageList : {}
    DnsNameList : {}
    SendAsTrustedIssuer : False
    Archived : False
    Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
    FriendlyName :
    IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter : 10/29/2016 4:05:37 PM
    NotBefore : 10/29/2015 3:45:37 PM
    HasPrivateKey : True
    PrivateKey :
    PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
    RawData : {48, 130, 5, 225...}
    SerialNumber : 60A14A915A0FAFA12311B0998F5892C9
    SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm : System.Security.Cryptography.Oid
    Thumbprint : FDCD31216C3491C2809441344EE6EF5E01EB0550
    Version : 3
    Handle : 578311520
    Issuer : CN=USER OU=Admin, OU=Admin and Service Accounts, DC=domoain
    Subject : CN=USER, OU=Admin, OU=Admin and Service Accounts, DC=domain

  • #31684

    Dave Wyatt

    That's odd... I would have expected to see Code Signing in your EnhancedKeyUsageList, but it's empty. You're also using a Crypto Next Generation certificate, which may be the cause of the problem. (I can tell this because your HasPrivateKey property is set to True, but PrivateKey is null. This happens right now in .NET when you've got a CNG cert, because there's no built-in support for loading up private keys from CNG providers. Set-AuthenticodeSignature _may_ not be compatible with this type of cert, but I'd have to try it to know for sure.)
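    A diagnostic helper for the two points raised in this thread (the empty EnhancedKeyUsageList and the HasPrivateKey/PrivateKey mismatch that points at a CNG key), plus a sign-then-verify step that re-reads the file the way the execution policy does. This is an added example, not code from the thread or from PowerShell's own documentation; the script path, the certificate selection and the timestamp URL are placeholders you would replace with your own.

```powershell
# Added example: check a code-signing cert before using it, then verify the result.
# Assumes Windows PowerShell 3+ and a cert in Cert:\CurrentUser\My (placeholders below).
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1. The EKU extension must list Code Signing, or the signature will not validate.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $CodeSigningOid)
    # 2. HasPrivateKey=True with PrivateKey=$null is the CNG-key symptom described above.
    $likelyCng = $Cert.HasPrivateKey -and ($null -eq $Cert.PrivateKey)
    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        HasCodeSigning = $hasCodeSigning
        HasPrivateKey  = $Cert.HasPrivateKey
        LikelyCngKey   = $likelyCng
        Expired        = $Cert.NotAfter -lt (Get-Date)
    }
}

function Invoke-SignAndVerify {
    param([string]$Path, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Windows PowerShell reads a BOM-less file as ANSI; report the BOM so an
    # encoding mismatch between signing and loading is visible.
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $signed = Set-AuthenticodeSignature -FilePath $Path -Certificate $Cert -HashAlgorithm SHA256 `
                -TimestampServer 'http://timestamp.example.invalid'   # placeholder URL
    # Do not trust the return object alone: re-read the file as the engine would.
    $check  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        Utf8Bom       = $hasBom
        SignStatus    = $signed.Status        # e.g. Valid / UnknownError
        VerifyStatus  = $check.Status         # e.g. Valid / HashMismatch / NotSigned
        VerifyMessage = $check.StatusMessage
    }
}

# Usage (placeholders): pick the first code-signing cert and check it before signing.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Test-CodeSigningCert -Cert $cert
Invoke-SignAndVerify -Path 'C:\Scripts\Certtestnew.ps1' -Cert $cert
```

    If HasCodeSigning is False or LikelyCngKey is True, the certificate itself is the problem and no amount of re-encoding the script will help; if VerifyStatus is HashMismatch while SignStatus was Valid, look at what changed the file between signing and loading.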
