I'm fairly new to PowerShell and generally having few problems getting things to work. But I have spent a number of hours trying to sign a PowerShell script and need to ask for suggestions about what I could be doing wrong.
To start with, I created a certificate myself like so:
makecert -r -pe -n "CN=TestCodeSigning" -b 04/25/2015 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My
Verified that the certificate was visible in certmgr.msc with Code Signing enabled as a purpose.
Dropped a .ps1 script into a directory for signing practice.
Executed these commands:
$cert=Get-ChildItem -Path cert:\CurrentUser\my -CodeSigningCert
Set-AuthenticodeSignature -FilePath c:\tempt\LoginMessage.ps1 -certificate $cert -HashAlgorithm SHA1
# Also tried variations
$cert2=Get-PfxCertificate "C:\Don\AzureAndWorkStuff\TestCert\mytest.pfx"
Set-AuthenticodeSignature -FilePath c:\tempt\LoginMessage.ps1 -certificate $cert2 -HashAlgorithm SHA1
Also tried
-Force
-Confirm
-IncludeChain all
And versions not specifying hash algorithm
What I get every time is this UnknownError message:
SignerCertificate                         Status        Path
-----------------                         ------        ----
7562901B62BD80E8A8C822A55C453419F46FEB96  UnknownError  Test2.ps1
I've been searching online and ran across a comment that saving from the PowerShell ISE produces bad (non-UTF8) encoding. While the first script I tried this on COULD have been saved by the ISE, I have tried saving new scripts from Notepad with correct encoding. Yet I get the same error.
Saw another note saying that very small files cannot be signed but my file is a good solid 22 KB.
I noted with surprise that I cannot sign a file without the .ps1 filetype. I figure that's one of the things I'll experiment with when I reach the minimal step of successfully signing something.
Can anyone spot what I'm doing wrong?
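
A way to get more detail than the one-line UnknownError row, added here as an example that is not part of the original post: it selects a single certificate, reports whether it has a private key and whether its chain builds to a trusted root, and prints the full StatusMessage of the signing result. The subject name and script path are taken from the post; disabling revocation checking for the chain build is this example's own choice.

```powershell
# Added diagnostic example, not the poster's code.
# Subject name and script path are the ones used in the post above.
$scriptPath = 'C:\tempt\LoginMessage.ps1'

# -CodeSigningCert can return several certificates; pick exactly one by subject.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq 'CN=TestCodeSigning' } |
    Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate with that subject in CurrentUser\My.'
}

# Signing needs the private key and a validity window that covers today.
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
    NotBefore     = $cert.NotBefore
    NotAfter      = $cert.NotAfter
} | Format-List

# Build the certificate chain and list every problem Windows reports for it.
# Revocation checking is turned off here (assumption: a test certificate
# made with makecert has no revocation endpoint to query).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
"Chain builds to a trusted root: $chainOk"
$chain.ChainStatus | ForEach-Object {
    '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
}

# Sign, then read the full result object instead of the truncated table view.
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
$result | Format-List Status, StatusMessage, Path

# Re-read the signature from disk to see how the file is judged afterwards.
Get-AuthenticodeSignature -FilePath $scriptPath |
    Format-List Status, StatusMessage
```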