Cannot add digital signature to my script

Hi everyone. I have a problem with adding a digital signature to my script. I cannot figure out what I am doing wrong.

These are the steps that I did:

  • First I created a self-signed certificate:
    PS New-SelfSignedCertificate -DnsName test -CertStoreLocation Cert:\CurrentUser\My

  • Second I added the certificate to a variable:
    PS $cert = Get-Item Cert:\CurrentUser\My\7EEEB8FD2421BA55E0F0D6BEE6EF5FB03A3CF2E1

  • Third I try to add the certificate to the script:
    PS Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate $cert

And I get the following error:

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At line:1 char:1

+ Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate …
    + CategoryInfo          : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand

Can someone help?

If you try this

ls Cert:\CurrentUser\My -CodeSigningCert

you won’t see any result.

Which means that New-SelfSignedCertificate doesn’t appear to create a cert you can use to sign code. Which is odd, as the documentation in the help file leads you to believe you can.

I’ll dig a bit more.

Unfortunately New-SelfSignedCertificate is a very watered down cmdlet that does not support creating code signing certificates.

You have three options:

  1. Buy a proper code signing certificate
  2. Use the makecert.exe tool - https://msdn.microsoft.com/en-us/library/windows/desktop/jj835832(v=vs.85).aspx (this guide is more in-depth than just creating the certificate, but you should be able to extract the necessary information)
  3. Install the Active Directory Certificate Services role on a Windows Server VM and issue yourself a code signing certificate

There are instructions on using makecert to generate a self-signed code signing cert in the about_signing help file.

You can get the makecert utility for Windows 8.1 from the Windows SDK and emulator archive | Microsoft Developer.

You’ll find it in

C:\Program Files (x86)\Windows Kits\8.1\bin\x64

or

C:\Program Files (x86)\Windows Kits\8.1\bin\x86

Thanks everyone for the help.

I’m brand new at this stuff, so creating a code signing certificate for experimentation was one of the first things I had to do; I just figured this out today. Here is the command I gave, except I have faked my email address:

First, in PowerShell, navigate to cert:\CurrentUser\My

Then give this command:

CurrentUser\my> New-SelfSignedCertificate -Subject "E=ga@nowhere.invalid,CN=Gerard Ashton" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3")

In the TextExtension property, 2.5.29.37 means Enhanced Key Usage, and 1.3.6.1.5.5.7.3.3 means code signing.

One area I will need to explore is how hard it would be for just anyone to use this certificate; I have a feeling I should be doing more to secure it. Use this technique with due caution.

Follow-up: once you create the certificate, you need to trust it. Navigate to Control Panel and type “certificate” in the search window. Then choose Manage User Certificates. Then go into “Trusted Root Certification Authorities” and import the certificate you just created. You will find it in

C:\Users\YourUserName\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates

When you are trying to import it, be sure the file type filter is set to “All Files”, because this file doesn’t have any extension.
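Pulling the thread's steps together in one script, here is an added example (not code from any of the posts above) that creates the certificate with the code-signing EKU from the post above, confirms it with the -CodeSigningCert check from the earlier reply, trusts it for the current user only, signs the script and verifies the result. The subject name, file paths and the sample script content are assumptions; it expects Windows PowerShell 5.1 or later with the PKI module.

```powershell
# Added example, not from the thread. Creates a test code-signing certificate,
# trusts it for the current user only, signs a script and verifies the signature.
$scriptPath = 'C:\test.ps1'                      # assumed path, as in the question
if (-not (Test-Path $scriptPath)) {
    Set-Content -Path $scriptPath -Value 'Write-Host "signed test"'   # constructed sample script
}

# 2.5.29.37 = Enhanced Key Usage, 1.3.6.1.5.5.7.3.3 = Code Signing (as explained above).
# Keep the private key non-exportable and the lifetime short; this is a lab-only certificate.
# On newer Windows builds "-Type CodeSigningCert" sets the same EKU without the OID string.
$cert = New-SelfSignedCertificate -Subject 'CN=Lab Code Signing (TEST ONLY)' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3') `
    -NotAfter (Get-Date).AddYears(1)

# The check from the earlier reply: the new cert must now be listed as a code-signing cert.
$found = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) { throw 'Certificate does not carry the code-signing EKU' }

# Before it is trusted, the signature verifies but the chain ends in an untrusted root.
# Export only the public certificate (no private key) and import it into the current
# user's Trusted Root and Trusted Publishers stores. Scoping to CurrentUser rather than
# LocalMachine limits the blast radius to this account. Windows shows a confirmation
# dialog when a root certificate is added.
$cerPath = Join-Path $env:TEMP 'lab-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Sign with SHA-256. When online, add -TimestampServer <RFC 3161 URL> so the signature
# remains valid after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Independent verification, the same check an execution policy of AllSigned relies on.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
'{0}: {1} (signer: {2})' -f $scriptPath, $check.Status, $check.SignerCertificate.Subject
if ($check.Status -ne 'Valid') { throw "Signature not valid: $($check.StatusMessage)" }
```

Remove the certificate from Cert:\CurrentUser\Root and Cert:\CurrentUser\TrustedPublisher when the experiment is over, since any script signed with that key will be trusted by this account until then.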