Kasper Katzmann


Signing Powershell script fails

Hi
I am trying to sign a PS1-script, but I just can't get it to work. I am doing it on a Windows Server 2012 machine.

I have created a new self-signed certificate using
New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My


It seems to do what it is supposed to.

But when I try to assign the certificate to the script, it fails. Below you can see the steps I take to accomplish the task:
PS Cert:\localmachine\my> dir


    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my


Thumbprint                                Subject
----------                                -------
D99F78E793244A016BBF27A35F907F5C51E4A536  CN=www.fabrikam.com
CEDD25D7FE1AAFA54A7010DD20E15381D0591CB5  CN=www.fabrikam.com


PS Cert:\localmachine\my> $cert = @(gci cert:\localmachine\my -codesigning)[0]
PS Cert:\localmachine\my> Set-AuthenticodeSignature c:\tools\test.ps1 $cert
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:45
+ Set-AuthenticodeSignature c:\tools\test.ps1 $cert
+                                             ~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti
   codeSignatureCommand


Can anyone tell me what I'm doing wrong?

Regards
Kasper
Zephyr ICT

Does it work when you leave out "-codesigning" which I thought should be -codesigningcert ... But anyway, leave it out and see what that tells you ...
ASKER CERTIFIED SOLUTION
SubSun

This solution is only available to members.
Yes, I would say the cert you created doesn't have the right EKU (Enhanced Key Usage) to be used for Code Signing.  So although gci cert:\localmachine\my may show you a certificate, gci cert:\localmachine\my -codesigningcert probably doesn't.
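
The diagnosis in the reply above, as an added PowerShell example that is not part of the original thread: it reports which certificates in the store carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) and stops before Set-AuthenticodeSignature is called with a null certificate. The helper name Test-CodeSigningEku is hypothetical; the store and script path are the ones from the question.

```powershell
# Added example, not from the thread. Path and store are taken from the question.
$ScriptPath = 'C:\tools\test.ps1'

function Test-CodeSigningEku {
    # Hypothetical helper: true when the certificate's EKU extension lists Code Signing.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    # Gather the OIDs from every Enhanced Key Usage extension on the certificate.
    $oids = foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    return ($oids -contains $codeSigningOid)
}

# 1. Show, per certificate, the two properties that matter for signing.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint     = $_.Thumbprint
        Subject        = $_.Subject
        HasPrivateKey  = $_.HasPrivateKey
        CodeSigningEku = Test-CodeSigningEku $_
    }
} | Format-Table -AutoSize

# 2. Select a signing certificate and fail loudly if the filter returns nothing,
#    instead of passing $null on to Set-AuthenticodeSignature.
$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1
if ($null -eq $cert) {
    throw 'No certificate with the Code Signing EKU found in Cert:\LocalMachine\My.'
}

# 3. Sign, then read the signature back rather than assuming it worked.
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert | Out-Null
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
# Status is 'Valid' only if the signer chains to a root trusted on this machine.
'{0}: {1}' -f $check.Status, $check.StatusMessage
```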
Kasper Katzmann

ASKER

I think you are right, the certificate isn't properly configured.
I have installed the SDK for Windows 8, but for some reason neither PowerShell nor Cmd recognizes makecert
makecert : The term 'makecert' is not recognized as the name of a cmdlet, function, script file, or operable program. C
heck the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ makecert
+ ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (makecert:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException


Did you try using the SDK Command Prompt window?
SOLUTION
This solution is only available to members.
It helped using makecert, and when I specified the full path of makecert all problems were solved.

Thank you very much.