Author Posts

November 4, 2015 at 9:42 am

I have obtained a code signing cert from our trusted CA. I am trying to sign a script in PowerShell ISE but getting "UnknownError." I have tried encoding the script as UTF-8, but I'm still getting the same error. I have verified the script is UTF-8 as well.

$cert=(dir cert:currentuser\my\ -CodeSigningCert)
Set-AuthenticodeSignature C:\Scripts\Certtestnew.ps1 $cert

Even though I'm getting "UnknownError", it still appears to sign the script. Although, when I run the script, I receive "The contents of file C:\Scripts\Certtestnew.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature."

November 4, 2015 at 10:52 am

Can you post the complete error message? Also, what do you get when you run "$cert | Format-List *"?

November 4, 2015 at 11:06 am

Error was:
File C:\Scripts\Certtestnew.ps1 cannot be loaded. The contents of file C:\Scripts\Certtestnew2.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not
execute on the system. Please see "get-help about_signing" for more details..
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess

$cert info:
PSPath : Microsoft.PowerShell.Security\Certificate::currentuser\my\FDCD31216C3491C2809441344EE6EF5E01EB0550
PSParentPath : Microsoft.PowerShell.Security\Certificate::currentuser\my
PSChildName : FDCD31216C3491C2809441344EE6EF5E01EB0550
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {}
DnsNameList : {}
SendAsTrustedIssuer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 10/29/2016 4:05:37 PM
NotBefore : 10/29/2015 3:45:37 PM
HasPrivateKey : True
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 5, 225...}
SerialNumber : 60A14A915A0FAFA12311B0998F5892C9
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : FDCD31216C3491C2809441344EE6EF5E01EB0550
Version : 3
Handle : 578311520
Issuer : CN=USER OU=Admin, OU=Admin and Service Accounts, DC=domoain
Subject : CN=USER, OU=Admin, OU=Admin and Service Accounts, DC=domain

November 4, 2015 at 12:16 pm

That's odd... I would have expected to see Code Signing in your EnhancedKeyUsageList, but it's empty. You're also using a Crypto Next Generation certificate, which may be the cause of the problem. (I can tell this because your HasPrivateKey property is set to True, but PrivateKey is null. This happens right now in .NET when you've got a CNG cert, because there's no built-in support for loading up private keys from CNG providers. Set-AuthenticodeSignature _may_ not be compatible with this type of cert, but I'd have to try it to know for sure.)