- Trying to sign code with no certificate available<\/li>
- How to get a code signing certificate<\/li>
- Requesting a certificate once issued from the Local CA<\/li>
- How to code sign<\/a><\/li><\/ul>\n\n\n\n
Trying to sign code with no certificate available<\/h2>\n\n\n\n
If you would like to sign your own files, and this is done on a machine where no code signing certificate is present, you will get an error.<\/p>\n\n\n\n
- If you are using SignTool<\/a> to automatically select the best signing certificate, the verbose output will say:
SignTool Error: No certificates were found that met all the given criteria.![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/01-codesign.png\")
<\/li>- If you are using the Set-AuthenticodeSignature<\/a> PowerShell cmdlet to do the signing you get the error message:
Set-AuthenticodeSignature : Cannot bind argument to parameter \u2018Certificate\u2019 because it is null.![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/02-codesign.png\")
<\/li><\/ol>\n\n\n\nHow to get a code signing certificate<\/h2>\n\n\n\n
One option would be to purchase a code signing certificate online from authorities such as DigiCert<\/a>.<\/p>\n\n\n\n
Another one would be to issue one from your internal Certificate Authority, which you can do by following these steps:<\/p>\n\n\n\n
Create and issue a signing certificate<\/strong><\/p>\n\n\n\n
- Open Certification Authority<\/strong> (certsrv.msc<\/strong>) on a machine where you have installed the certification authority.<\/li>
- Expand the name of the Certification Authority<\/strong>, then right-click on Certificate Templates<\/strong> and choose Manage<\/strong>
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/03-codesign.png\")
<\/li>- Right-Click on Code Signing<\/strong> under the Template Display Name <\/strong>column and choose Duplicate template<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/04-codesign.png\")
<\/li>- On the properties of the new template, click on the General<\/strong> tab and give it the name you want. Also, choose the validity period. Save change with Apply<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/05-codesign.png\")
<\/li>- Go on the Request Handling<\/strong> tab, and make sure Allow private key to be exported<\/strong> is enabled.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/06-codesign.png\")
<\/li>- On the Subject Name<\/strong> tab, set the Subject name format<\/strong> to Common Name<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/07-codesign.png\")
<\/li>- On the Extensions <\/strong>tab, make sure that the description of Key Usage<\/strong> contains Digital Signature<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/08-codesign.png\")
<\/li>- On the Security tab, ensure that \u201cAuthenticated Users<\/strong>\u201d have Read<\/strong> and Enroll<\/strong> permissions.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/09-codesign.png\")
<\/li><\/ol>\n\n\n\n![\"More](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2020\/05\/more-info-icon.svg\")
<\/a><\/figure><\/div>\n\n\nNote: <\/strong>You might not want all Authenticated Users to be able to Enroll the certificate, you can add your own custom security group which should have these permissions.<\/p>\n\n\n\n
- You can now click OK and then close the Certificate Templates Console.<\/li>
- Back to Certification Authority<\/strong>, right click Certificate Templates<\/strong>, choose New <\/strong>and then select Certificate Template to Issue<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/10-codesign.png\")
<\/li>- From the Enable Certificate Templates list<\/strong>, select your certificate template and confirm with OK<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/11-codesign.png\")
<\/li><\/ol>\n\n\n\nRequesting a certificate on a machine to use it for code signing<\/h2>\n\n\n\n
- On a domain joined machine, open mmc.exe<\/strong>.<\/li>
- Click File<\/strong> and then Add\/Remove Snap-in<\/strong>.<\/li>
- Select Certificates<\/strong> and then click on Add<\/strong>.<\/li>
- In the dialog box which appears, select My user account<\/strong>, then confirm with Finish<\/strong>.<\/li>
- In the console, expand Certificates \u2013 Current User<\/strong>, then expand Personal<\/strong>.<\/li>
- Right-click Certificates<\/strong>, then go to All Tasks<\/strong> and select Request New Certificate<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/12-codesign.png\")
<\/li>- In the Certificate Enrollment<\/strong> window, click Next <\/strong>until you see a list of certificates to request. The issues certificate should appear in this list. Select it and confirm with Enroll<\/strong>.
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/13-codesign.png\")
<\/li>- The certificate should now be enrolled on that device and can be used for code signing.<\/li><\/ol>\n\n\n\n
How to sign your code<\/h2>\n\n\n\n
In terms of signing, you can either use SignTool<\/a> or the Set-AuthenticodeSignature<\/a> PowerShell cmdlet.<\/p>\n\n\n\n
Example 1<\/strong>: SignTool<\/p>\n\n\n\n
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/14-codesign.png\")
<\/figure>\n\n\n\nIn this example, we used the following arguments:<\/p>\n\n\n\n
- sign = Digitally signs files. Digital signatures protect files from tampering, and enable users to verify the signer based on a signing certificate.<\/li>
- \/a = Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. In our case, it automatically selected the code signing certificate we enrolled.<\/li>
- \/v = Displays verbose output<\/li>
- \/fd = specifies the digest algorithm. In our case, we went with SHA256.<\/li><\/ul>\n\n\n\n
Example 2<\/strong>: PowerShell cmdlet Set-AuthenticodeSignature<\/a><\/p>\n\n\n\n
![\"\"](\"https:\/\/patchmypc.com\/wp-content\/uploads\/2022\/06\/15-codesign.png\")
<\/figure>\n\n\n\nIn this example, on the server where the Patch My PC Publishing service is installed, from an elevated PowerShell ISE instance:<\/p>\n\n\n\n
- On line 1, we get the code signing certificate we enrolled.<\/li>
- On line 3, we used the Set-AuthenticodeSignature cmdlet to sign our C:\\test.ps1<\/strong> file using the WSUS code signing certificate.<\/li><\/ul>\n\n\n\n
Ref: https:\/\/patchmypc.com\/generate-signing-cert-and-sign-powershell-ps1-script<\/p>\n","protected":false},"excerpt":{"rendered":"
This guide will show you how to issue a code signing certificate from your internal Certificate Authority, and how to use it to sign your code. Topics covered in this article: Trying to sign code with no certificate available How to get a code signing certificate Requesting a certificate once issued from the Local CA How Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,1224],"tags":[1340,1338,1339],"class_list":["post-4377","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-powershell","tag-generate-a-code-signing-certificate-for-powershell-script","tag-sign-powershell-ps1-script","tag-sign-powershell-script"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4377"}],"version-history":[{"count":2,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4377\/revisions"}],"predecessor-version":[{"id":4379,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4377\/revisions\/4379"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Click File<\/strong> and then Add\/Remove Snap-in<\/strong>.<\/li>
- From the Enable Certificate Templates list<\/strong>, select your certificate template and confirm with OK<\/strong>.
- Expand the name of the Certification Authority<\/strong>, then right-click on Certificate Templates<\/strong> and choose Manage<\/strong>
- If you are using the Set-AuthenticodeSignature<\/a> PowerShell cmdlet to do the signing you get the error message:
- If you are using SignTool<\/a> to automatically select the best signing certificate, the verbose output will say: