I’m trying to sign a script but not having much luck. I’m using this to get the code signing portion of my certificate:
$sig = Get-ChildItem -path cert:/currentuser/my/ -codesigningcert
Set-AuthenticodeSignature -path C:/scripts/myscript.ps1 -certificate $sig
I receive an error when I run set-authenticodesignature indicating that $sig is null.
My environment uses Entrust PKI certificates.
Any suggestions would be appreciated.
system
April 30, 2015, 11:51am
2
If $sig is null, then you don’t have a code-signing certificate installed.
system
April 30, 2015, 11:55am
3
Here’s a quick command to verify that. An authenticode certificate would have “Code Signing” as one of its EnhancedKeyUsages:
$props = 'Thumbprint',
'Subject',
@{Name = 'EnhancedKeyUsages'; Expression = { $_.Extensions | ? { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } | % EnhancedKeyUsages | % FriendlyName } }
Get-ChildItem Cert:\CurrentUser\My | Select $props | Format-List
donj
April 30, 2015, 12:22pm
4
Keep in mind the certificate has to be CODE SIGNING (not another type), and needs to be installed in the My Certificates store - not in the machine store or elsewhere.
Much appreciated for the snippet, Dave.
The results returned from the snippet confirm that my cert is not a code signing cert, even though the certificate definition indicates that it can be used for code signing.
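The checks discussed in this thread can be combined into one pre-flight script. This is an added example, not code from any of the posters: it reports, per certificate in Cert:\CurrentUser\My, whether the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) is present, and signs only when a qualifying certificate exists. The private-key and validity-period checks are additional preconditions assumed here, and the script path is the one from the question.

```powershell
# Added example: explain why -CodeSigningCert may return nothing, then sign safely.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'          # id-kp-codeSigning
$scriptPath     = 'C:\scripts\myscript.ps1'    # path taken from the question
$ekuType        = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now            = Get-Date

$report = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType }
    # Collect the EKU OIDs; stays empty when the certificate has no EKU extension.
    $ekuOids = @(foreach ($e in $eku) { $e.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        HasCodeSignEku = $ekuOids -contains $codeSigningOid
        HasPrivateKey  = $cert.HasPrivateKey      # signing needs the private key
        InValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        Subject        = $cert.Subject
        Certificate    = $cert
    }
}

# Show every certificate and which precondition it fails, if any.
$report | Format-Table Thumbprint, HasCodeSignEku, HasPrivateKey, InValidity, Subject -AutoSize

$usable = $report |
    Where-Object { $_.HasCodeSignEku -and $_.HasPrivateKey -and $_.InValidity } |
    Select-Object -First 1

if (-not $usable) {
    Write-Warning 'No certificate in Cert:\CurrentUser\My passes all three checks; nothing was signed.'
    return
}

# Sign, then verify independently instead of trusting the signing call alone.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $usable.Certificate |
    Format-List Status, StatusMessage

$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -ne 'Valid') {
    Write-Warning "Signature status is $($check.Status): $($check.StatusMessage)"
}
```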