Signtool allows me to sign the code, but Set-AuthenticodeSignature says that "the certificate is not suitable for signing the code"

I have a self-signed code signing certificate (made with the directions of this answer) and it works fine when I use signtool.exe. But if I try to sign using PowerShell, it does not work.

Signtool signing

    C:\>signtool sign /v /n "VetWeb" SetupRDPPermissions.ps1
    The following certificate was selected:
        Issued to: VetWeb
        Issued by: VetWeb CA
        Expires:   Sat Dec 31 18:59:59 2039
        SHA1 hash: 84136EBF8D2603C2CD6668C955F920C6C6482EE4

    Done Adding Additional Store
    Successfully signed: SetupRDPPermissions.ps1

    Number of files successfully Signed: 1
    Number of warnings: 0

PowerShell signing

    PS C:\> $cert = @(Get-Childitem cert:\CurrentUser\My | Where-Object -FilterScript {$_.Subject -eq 'CN=VetWeb'})[0]
    PS C:\> Set-AuthenticodeSignature SetupRDPPermissions.ps1 $cert
    Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
    At line:1 char:26
    + Set-AuthenticodeSignature <<<<  SetupRDPPermissions.ps1 $cert
        + CategoryInfo          : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
        + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand

    PS C:\> $cert | format-list *

    PSPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\84136EBF8D2603C2CD6668C955F920C6C6482EE4
    PSParentPath       : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
    PSChildName        : 84136EBF8D2603C2CD6668C955F920C6C6482EE4
    PSDrive            : cert
    PSProvider         : Microsoft.PowerShell.Security\Certificate
    PSIsContainer      : False
    Archived           : False
    Extensions         : {System.Security.Cryptography.Oid}
    FriendlyName       :
    IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter           : 12/31/2039 5:59:59 PM
    NotBefore          : 6/1/2012 1:49:31 PM
    HasPrivateKey      : True
    PrivateKey         : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
    RawData            : {48, 130, 1, 235...}
    SerialNumber       : CF330347F35AC0B4427AFFA82DB51238
    SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm : System.Security.Cryptography.Oid
    Thumbprint         : 84136EBF8D2603C2CD6668C955F920C6C6482EE4
    Version            : 3
    Handle             : 479608336
    Issuer             : CN=VetWeb CA
    Subject            : CN=VetWeb

Why can I sign with signtool.exe but not with PowerShell?


PS: running Get-Childitem cert:\CurrentUser\My -CodeSigningCert returns no results.

+10
powershell code-signing signtool
3 answers

I had the same problem and realized that I had to create two certificates. First, a trusted root certification authority using

 makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine 

And then a personal certificate from the above certification authority using

 makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer 

After creating, use

 $cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0] 

for signing (provided you have only one code-signing certificate). For example, if the script is named xyz.ps1, use this command in PowerShell

 Set-AuthenticodeSignature path/to/xyz.ps1 $cert 
+9
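As an added diagnostic (not part of the answer above, and not from the original page), the following PowerShell shows why a certificate that signtool accepts can still be rejected here. The Certificate provider's -CodeSigningCert filter, and the check that produces "The specified certificate is not suitable for code signing", both look for the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) on a certificate that also has a private key. The script lists those two properties for every certificate with the subject from the question ('CN=VetWeb'; substitute your own) and compares with what -CodeSigningCert returns. The function name Test-CodeSigningCert is this example's own.

```powershell
# Added diagnostic for the question above; not code from the original answer.
# Lists the KU/EKU extensions and private-key state that decide whether
# PowerShell treats a certificate as a code-signing certificate.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )

    # .NET surfaces recognised extensions as typed objects, so filter by type.
    # A self-signed cert created without -eku has no EKU extension at all, which
    # is the usual cause of "not suitable for code signing".
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    New-Object PSObject -Property @{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        HasPrivateKey    = $Cert.HasPrivateKey
        KeyUsage         = if ($ku) { $ku.KeyUsages.ToString() } else { '<no KU extension>' }
        EnhancedKeyUsage = if ($ekuOids.Count -gt 0) { $ekuOids -join ', ' } else { '<no EKU extension>' }
        # Both conditions must hold for -CodeSigningCert and Set-AuthenticodeSignature
        UsableForSigning = ($Cert.HasPrivateKey -and ($ekuOids -contains $codeSigningOid))
    }
}

# Every certificate with the subject from the question, with the fields that matter
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=VetWeb' } |
    ForEach-Object { Test-CodeSigningCert -Cert $_ } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, KeyUsage, EnhancedKeyUsage, UsableForSigning

# Cross-check against the provider's own filter. A certificate that shows
# UsableForSigning = False above will be missing from this list as well.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Format-Table Subject, Thumbprint -AutoSize
```

If the first listing shows `<no EKU extension>` (or an EKU list without 1.3.6.1.5.5.7.3.3), re-issue the certificate with `-eku 1.3.6.1.5.5.7.3.3` as in the makecert commands above; signtool selected by subject name (/n) does not apply this check, which is why it signed anyway.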

According to Get-Help Certificate, the -CodeSigningCert dynamic parameter of the Certificate provider gets only those certificates that have code-signing authority.

As for why signtool can sign but Set-AuthenticodeSignature cannot, the explanation may be in Microsoft's Introduction to Code Signing document.

Here is my version of certification authority generation:

    # Gen-CACert.ps1
    clear-host
    $scriptBlock = {.\Makecert -n `"CN=PowerShell Authorite de certification`" <# Certificate subject (X.509 format) #>`
        -a sha1 <# Hash algorithm used #>`
        -eku 1.3.6.1.5.5.7.3.3 <# Certificate purpose (code signing) #>`
        -r <# Self-signed certificate #>`
        <# -ss `"$($args[0])`" Certificate store #>`
        -ss `"root`" <# Certificate store #>`
        -sr localMachine <# Store location: localMachine or currentUser (default) #>`
        -sv `"$($args[0]).pvk`" <# File that will hold the private key #>`
        `"$($args[0]).cer`"} <# Certificate file name #>
    $PoshCARoot = "PoshCARoot"
    Invoke-Command -ScriptBlock $scriptBlock -ArgumentList $PoshCARoot

Here is my version of dev certificate generation:

    # Gen-DevCert.ps1
    clear-host
    $scriptBlock = {.\Makecert -pe <# Private key is exportable #>`
        -n `"CN=PowerShell Dev Team`" <# Certificate subject (X.509 format) #>`
        -a sha1 <# Hash algorithm used #>`
        -eku 1.3.6.1.5.5.7.3.3 <# Certificate purpose (code signing) #>`
        -ss `"My`" <# Certificate store #>`
        -sr currentuser <# Store location: localMachine or currentUser (default) #>`
        -iv `"$($args[0]).pvk`" <# CA private key #>`
        -ic `"$($args[0]).cer`" <# CA certificate #>`
        `"$($args[1]).cer`"} <# Certificate file name #>
    $PoshCARoot = "PoshCARoot"
    $PoshDevTeam = "PoshDevTeam"
    Invoke-Command -ScriptBlock $scriptBlock -ArgumentList $PoshCARoot,$PoshDevTeam
+3

The problem is that the signing certificate is malformed and the correct KU & EKUs are missing. I recommend using OpenSSL via openssl.cnf to generate the certificates.

  • Anyone who needs a signing certificate probably also has a router with a web admin interface, perhaps a NAS with a web admin interface, a VPN server, etc., each of which needs an SSL certificate for TLS.
    • The best policy is to create a central self-signed CA with openssl via openssl.cnf, then a code-signing intermediate CA (ICA) signed by that CA, which in turn issues the code-signing certificate.
      • Windows: install OpenVPN (including openssl-utils)
        • Add to PATH: C:\Program Files\OpenVPN\bin
      • BSD / Linux: install openssl || openssl-utils
  • The finished openssl.cnf file contains all the information & the required commands, starting at line 430
    • Creating the CA takes 2 commands (create and export to PKCS12)
    • Creating the ICA takes 3 commands (create, sign and export to PKCS12)
    • Creating the signing cert takes 3 commands (create, sign and export to PKCS12)
      • The Client Certificates section is the one used for the signing certificate.


OpenSSL KUs & EKUs


Code signing certificates must have the following set:

  •  keyUsage = critical, nonRepudiation, digitalSignature 
    • nonRepudiation
      • The certificate's public key may be used to verify digital signatures, as above, where those signatures provide a non-repudiation service.
        • This prevents the signer from falsely denying an action.
    • digitalSignature
      • The certificate may be used to apply digital signatures.
      • Digital signatures are commonly used for entity authentication and for data origin authentication with integrity.

  •  extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping 
    • codeSigning
      • Code signing
    • msCodeInd
      • Microsoft Individual Code Signing (Authenticode)
    • msCodeCom
      • Microsoft Commercial Code Signing (Authenticode)
    • msCTLSign
      • Microsoft Trust List Signing
    • timeStamping
      • Trusted Timestamping


Signtool


PreReqs:

  1. Install the Windows SDK
  2. WinKey + R > sysdm.cpl > OK
    • Advanced > Environment Variables... > Path > Edit...
  3. Add to PATH: C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64
    • Make sure that \10\bin\10.0.15063.0\x64 reflects the correct path for your PC & OS

Commands:

  1.  set TS=http://sha256timestamp.ws.symantec.com/sha256/timestamp 
    • Sets the %TS% variable for the next command
  2.  signtool sign /s my /fd SHA256 /ph /td SHA256 /tr %TS% "Path\to\File" 
    • sign
      • Signs files using an embedded signature
    • /s <name>
      • Specifies the store to open when searching for the certificate. The default is the "MY" store.
    • /fd
      • Specifies the file digest algorithm to use for creating file signatures. (Default is SHA1)
    • /ph
      • Generates page hashes for executable files, if supported.
    • /td <alg>
      • Used with the /tr or /tseal switch to request a digest algorithm used by the RFC 3161 timestamp server.
    • /tr <URL>
      • Specifies the URL of the RFC 3161 timestamp server. If this option (or /t) is not specified, the signed file will not be timestamped. A warning is generated if timestamping fails. This switch cannot be used with the /t switch.

PowerShell

  1.  $Cert = Get-PfxCertificate -FilePath "Path\to\Signing\Cert" 
    • Sets the $Cert variable for the following command
  2.  Set-Variable -Name TS -Value "http://sha256timestamp.ws.symantec.com/sha256/timestamp" -Scope "Global" 
    • Sets the $TS variable for the next command
  3.  Set-AuthenticodeSignature -HashAlgorithm "sha256" -IncludeChain "all" -FilePath "File" -Certificate $Cert -TimestampServer $TS 
    • Set-AuthenticodeSignature
      • Adds an Authenticode signature to a PowerShell script or other file.
    • -HashAlgorithm
      • Specifies the hashing algorithm used to compute the digital signature.
        • PS 2.0: the default hashing algorithm is SHA1
        • PS 3.0+: the default hashing algorithm is SHA256
    • -IncludeChain <String>
      • Determines which certificates in the certificate trust chain are included in the digital signature. NotRoot is the default. Valid values for this parameter are:
        • Signer: Includes only the signer's certificate.
        • NotRoot: Includes all certificates in the certificate chain except the root authority.
        • All: Includes all certificates in the certificate chain.
    • -Certificate <X509Certificate>
      • Specifies the certificate that will be used to sign the script or file. Enter a variable that stores an object representing the certificate, or an expression that gets the certificate.
      • To find a certificate, use Get-PfxCertificate or the Get-ChildItem cmdlet in the Certificate (Cert:) drive. If the certificate is not valid or does not have code-signing authority, the command fails.
+1
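As an added, end-to-end example (not code from the answer above or from the original page), the following PowerShell builds the chain that answer describes with the same 2 + 3 + 3 openssl command layout (self-signed root CA, code-signing intermediate CA, code-signing leaf, each exported to PKCS12), using the KU/EKU values listed above, then signs and verifies a script with Set-AuthenticodeSignature. It assumes openssl.exe is on PATH (for instance from the OpenVPN install mentioned above) and is run from a PowerShell console. The names PoshRootCA, PoshCodeSignICA and PoshDev, the passphrase, the working directory, the demo script and the helper function Invoke-OpenSsl are all placeholders chosen for this example. The leaf keeps the answer's keyUsage and the three code-signing EKUs; msCTLSign and timeStamping can be appended to the extendedKeyUsage line if you also want the extra purposes the answer lists.

```powershell
# Added example: root CA -> code-signing ICA -> code-signing leaf with openssl,
# then Authenticode signing and verification in PowerShell. Names, passphrase
# and paths are placeholders for this example; openssl.exe must be on PATH.
$work = Join-Path $env:TEMP 'codesign-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work
$pfxPass = 'ChangeMe-Demo-Only'   # placeholder; use a real passphrase

function Invoke-OpenSsl {
    # Runs one openssl command line (no spaces inside arguments here) and stops
    # on a non-zero exit code instead of silently continuing with a missing file.
    param([Parameter(Mandatory = $true)][string] $CommandLine)
    $argv = $CommandLine -split '\s+'
    & openssl @argv
    if ($LASTEXITCODE -ne 0) { throw "openssl $($argv[0]) failed (exit $LASTEXITCODE)" }
}

# One extension profile per tier. The leaf carries the KU/EKU set from the
# answer; the CA tiers get CA key usages, and the ICA is constrained by its own
# codeSigning EKU so it cannot be used to issue, say, TLS server certificates.
# The [req]/[req_dn] sections exist only because openssl req insists on them;
# every subject is passed with -subj.
@'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ int_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ code_sign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
'@ | Set-Content -Path ext.cnf -Encoding Ascii

# Root CA: 2 commands (create self-signed, export to PKCS12)
Invoke-OpenSsl "req -x509 -new -newkey rsa:3072 -sha256 -nodes -days 3650 -keyout root.key -out root.crt -subj /CN=PoshRootCA -config ext.cnf -extensions root_ca"
Invoke-OpenSsl "pkcs12 -export -inkey root.key -in root.crt -out root.pfx -passout pass:$pfxPass"

# Intermediate CA: 3 commands (create CSR, sign with root, export to PKCS12)
Invoke-OpenSsl "req -new -newkey rsa:3072 -sha256 -nodes -keyout ica.key -out ica.csr -subj /CN=PoshCodeSignICA -config ext.cnf"
Invoke-OpenSsl "x509 -req -in ica.csr -CA root.crt -CAkey root.key -CAcreateserial -sha256 -days 1825 -out ica.crt -extfile ext.cnf -extensions int_ca"
Invoke-OpenSsl "pkcs12 -export -inkey ica.key -in ica.crt -certfile root.crt -out ica.pfx -passout pass:$pfxPass"

# Code-signing leaf: 3 commands (create CSR, sign with ICA, export to PKCS12)
Invoke-OpenSsl "req -new -newkey rsa:3072 -sha256 -nodes -keyout dev.key -out dev.csr -subj /CN=PoshDev -config ext.cnf"
Invoke-OpenSsl "x509 -req -in dev.csr -CA ica.crt -CAkey ica.key -CAcreateserial -sha256 -days 730 -out dev.crt -extfile ext.cnf -extensions code_sign"
Invoke-OpenSsl "pkcs12 -export -inkey dev.key -in dev.crt -certfile ica.crt -out dev.pfx -passout pass:$pfxPass"

# Load the leaf with its private key straight from the PFX. .NET resolves
# relative paths against the process directory, not the PowerShell location,
# hence Join-Path.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    (Join-Path $work 'dev.pfx'), $pfxPass)

# Put the ICA in CurrentUser\CA so -IncludeChain All can find it when building
# the chain. The root is deliberately NOT installed by this script: adding to
# the Trusted Root store is a trust decision that Windows confirms with a prompt.
$ica = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Join-Path $work 'ica.crt'))
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'CurrentUser')
$caStore.Open('ReadWrite')
$caStore.Add($ica)
$caStore.Close()

# A constructed demo script to sign
$target = Join-Path $work 'Hello.ps1'
Set-Content -Path $target -Value 'Write-Output "signed script ran"' -Encoding Ascii

Set-AuthenticodeSignature -FilePath $target -Certificate $signer -HashAlgorithm SHA256 -IncludeChain All |
    Format-List Status, StatusMessage, SignerCertificate

# Re-read the signature from disk the way the execution policy will
Get-AuthenticodeSignature -FilePath $target | Format-List Status, StatusMessage
```

Until root.crt is trusted, the status comes back as UnknownError with a message about a chain that terminates in an untrusted root: the signature itself is present and the leaf has the right KU/EKU, but nothing anchors the chain. Installing the root into the current user's Trusted Root store (for example `certutil -user -addstore Root root.crt`, which asks for confirmation) and running Get-AuthenticodeSignature again should yield Valid. Add -TimestampServer $TS as in the answer's command if the signature should outlive the certificate.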
