Signing PowerShell script fails

Posted on 2014-08-18
Medium Priority
Last Modified: 2014-08-19
I am trying to sign a PS1-script, but I just can't get it to work. I am doing it on a Windows Server 2012 machine.

I have created a new self-signed certificate using
New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My


It seems to do what it is supposed to.

But when I try to assign the certificate to the script, it fails. Below you can see the steps I take to accomplish the task.
PS Cert:\localmachine\my> dir

    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
D99F78E793244A016BBF27A35F907F5C51E4A536  CN=www.fabrikam.com
CEDD25D7FE1AAFA54A7010DD20E15381D0591CB5  CN=www.fabrikam.com

PS Cert:\localmachine\my> $cert = @(gci cert:\localmachine\my -codesigning)[0]
PS Cert:\localmachine\my> Set-AuthenticodeSignature c:\tools\test.ps1 $cert
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:45
+ Set-AuthenticodeSignature c:\tools\test.ps1 $cert
+                                             ~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti


Can anyone tell me what I'm doing wrong?

Question by:Kasper Katzmann

Expert Comment

by:Zephyr ICT
ID: 40267650
Does it work when you leave out "-codesigning" which I thought should be -codesigningcert ... But anyway, leave it out and see what that tells you ...

Accepted Solution

Subsun earned 2000 total points
ID: 40268237
If GCI cert:\CurrentUser\my -codesigning returns nothing then you don't have a certificate in store which can be used for code signing.

Use makecert, step by step instructions given in the following help article and it will work! (worked well for me)

Expert Comment

ID: 40268545
Yes, I would say the cert you created doesn't have the right EKU (Enhanced Key Usage) to be used for Code Signing.  So although gci cert:\localmachine\my may show you a certificate, gci cert:\localmachine\my -codesigningcert probably doesn't.
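
The check described in the comment above, as an added example that is not part of the original thread: it lists every certificate in the store with its EKUs and private-key state, then signs only if one of them carries the Code Signing EKU. The helper name `Get-CertUsageReport` is hypothetical; the store and script paths are the ones from the question.

```powershell
# Added example, not from the thread. Paths are the ones used in the question.
$storePath      = 'Cert:\LocalMachine\My'
$scriptPath     = 'C:\tools\test.ps1'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # OID of the Code Signing EKU

# Hypothetical helper: one row per certificate with the facts that matter for signing.
function Get-CertUsageReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    foreach ($cert in Get-ChildItem -Path $Path) {
        # Read the Enhanced Key Usage extension directly; a certificate may have none.
        $ekus = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages }
        )
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = $cert.NotAfter -lt (Get-Date)
            CodeSigning   = @($ekus | ForEach-Object { $_.Value }) -contains $codeSigningOid
            EKU           = @($ekus | ForEach-Object { $_.FriendlyName }) -join ', '
            Certificate   = $cert
        }
    }
}

$report = @(Get-CertUsageReport -Path $storePath)
$report | Format-Table -AutoSize Thumbprint, Subject, HasPrivateKey, Expired, CodeSigning, EKU

# Select explicitly and stop with a clear message, rather than letting
# @(...)[0] evaluate to $null and reach Set-AuthenticodeSignature.
$usable = @($report | Where-Object { $_.CodeSigning -and $_.HasPrivateKey -and -not $_.Expired })
if ($usable.Count -eq 0) {
    throw "No unexpired certificate in $storePath has the Code Signing EKU ($codeSigningOid) and a private key."
}

$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $usable[0].Certificate
# Status is 'Valid' only if the signing certificate chains to a trusted root.
$result | Format-List Path, Status, StatusMessage
```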
Author Comment

by:Kasper Katzmann
ID: 40269661
I think you are right, the certificate isn't properly configured.
I have installed SDK for Windows 8, but for some reason neither PowerShell nor Cmd recognizes makecert
makecert : The term 'makecert' is not recognized as the name of a cmdlet, function, script file, or operable program. C
heck the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ makecert
+ ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (makecert:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException



Expert Comment

by:Zephyr ICT
ID: 40269672
Did you try using the SDK Command Prompt window?

Assisted Solution

Subsun earned 2000 total points
ID: 40269866
You need to specify the full path of makecert.exe. Or go to the path where the command exists and run it from there.

Author Closing Comment

by:Kasper Katzmann
ID: 40269873
It helped using makecert, and when I specified the full path of makecert all problems were solved.

Thank you very much.
