I am trying to sign .ps1 scripts using self-signed certificates (the use case is for scripts that I write on my own private dev station, so I don't need to use or pay for a real CA). However, no matter how many instructions on the topic of creating certificates and digital signatures I read, I cannot get it to work.
Here is what I have done so far:
# Self-signed root that will act as the private CA
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Leaf code-signing certificate issued by that root
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root into the machine's trusted root store so the chain is trusted
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
All of the above is done from an administrative PowerShell instance. After that, I can see both certificates in the expected places in the management console, and the certification path of the signing certificate is shown as valid.
Then I open the regular PS prompt and try to sign the script:
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
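The following is an added example, not the poster's code. It assumes the two-tier chain created above already exists and takes the script path as a placeholder parameter. Before calling Set-AuthenticodeSignature it checks the two things that most often come back as UnknownError from a non-elevated session: whether the current session can actually open the certificate's private key (a key stored under Cert:\LocalMachine is normally readable only by an elevated session), and whether the chain builds to a trusted root with the code-signing EKU. It then signs and re-reads the signature status.

```powershell
# Added example (not from the original post): pre-flight checks for a code-signing
# certificate, then sign a script and verify the result.
param(
    [string]$ScriptPath = ".\Microsoft.PowerShell_profile.ps1"   # placeholder path
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Look in both personal stores; the store a cert lives in decides who can use its key.
$candidates = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -CodeSigningCert
$usable = $null

foreach ($cert in $candidates) {
    $store = if ($cert.PSParentPath -like '*LocalMachine*') { 'LocalMachine' } else { 'CurrentUser' }
    Write-Host "Checking $($cert.Subject) in $store\My ($($cert.Thumbprint))"

    # 1. Private key present, and openable by *this* session?
    $keyUsable = $false
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyUsable = ($null -ne $rsa)
        } catch {
            Write-Warning "  private key exists but cannot be opened here: $($_.Exception.Message)"
        }
    } else {
        Write-Warning '  no private key in this store'
    }

    # 2. Chain builds to a trusted root and carries the code-signing EKU?
    $chainOk = Test-Certificate -Cert $cert -EKU $codeSigningEku -ErrorAction SilentlyContinue
    if (-not $chainOk) { Write-Warning '  chain does not validate for code signing in this session' }

    if ($keyUsable -and $chainOk -and -not $usable) { $usable = $cert }
}

if (-not $usable) {
    Write-Error 'No code-signing certificate with a readable private key and a trusted chain was found.'
    return
}

# Sign with SHA-256 and read the status back from the file rather than trusting the return value alone.
$signResult = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $usable -HashAlgorithm SHA256
Write-Host "Set-AuthenticodeSignature status: $($signResult.Status)"
$verify = Get-AuthenticodeSignature -FilePath $ScriptPath
Write-Host "Get-AuthenticodeSignature status: $($verify.Status) (signer $($verify.SignerCertificate.Subject))"
```

Run it from the same (non-elevated) prompt where the signing fails. If the LocalMachine certificate reports that its private key cannot be opened while the chain validates, the cause is key access rather than the chain; the two usual fixes are to sign from the elevated session, or to issue the leaf certificate into Cert:\CurrentUser\My (keeping only the root in Cert:\LocalMachine\Root) so the everyday session owns the key it signs with.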