After scripting around in PowerShell with low restrictions (or for brief periods none), I decided to get my act together and start doing everything under Set-ExecutionPolicy AllSigned. After walking through Hanselman's old post, I was unable to even sign my profile.ps1.

A quick test revealed that Get-ChildItem cert:\CurrentUser\My -codesign always returns null. I opened up certmgr and I can see all of the certificates, but I am uncertain why I can't sign anything local. Running this:

Set-AuthenticodeSignature "C:\users\[MY USER ACCOUNT]\Documents\WindowsPowerShell\profile.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Will always return:

Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null

I am on Windows 7 Ultimate in an administrator account, and I have executed everything in PS or CMD as an admin. I have been pretty much just kind of hacking my way around PowerShell for a while now, but I hope I am not missing something super simple here.

Ian Patrick Hughes

1 Answer

I think I have figured it out, actually. I am not sure if this is best practice or not in this case, but I am tired of beating my head against my desk.

1.) So, I looked at this MS Support Article and I noticed that the SYSTEM user is supposed to have full control over the ...\Crypto\RSA\MachineKeys dir and mine did not have SYSTEM listed at all. So, I changed the permissions there (this would also jibe with SO Question #11887).

2.) Deleted the certs I created earlier and re-created them.

3.) Opened up certmgr, found the cert, went to props, and set the specific purpose.

Now Get-ChildItem cert:\CurrentUser\My -codesigning returns the thumbprint and I can sign scripts.

I am not sure why my installation was like this or how unusual this is, but I have never touched the MachineKey directory there previously. But it seems to work now.

Ian Patrick Hughes
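A diagnostic for the symptom described in the question and answer above, added here as an example that is not part of the original posts: it lists every certificate in CurrentUser\My with its private-key state, its embedded EKU OIDs, and whether the -CodeSigningCert filter accepts it, then signs only if a usable certificate exists. The variable names and the use of $HOME for the profile path are assumptions.

```powershell
# Added example, not from the original post. Uses only PowerShell 2.0 syntax,
# the version that ships with Windows 7.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # standard EKU OID for Code Signing

# Thumbprints that the certificate provider's code-signing filter accepts
$accepted = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    ForEach-Object { $_.Thumbprint })

# Report every certificate in the store next to the properties that matter
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    # EKU extension embedded in the certificate itself; purposes edited in
    # certmgr are kept as a store property and do not appear here
    $ekuOids = @($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter
        EkuCodeSign   = ($ekuOids -contains $codeSigningOid)
        InFilter      = ($accepted -contains $_.Thumbprint)
    }
} | Format-Table Subject, HasPrivateKey, EkuCodeSign, InFilter, NotAfter, Thumbprint -AutoSize

# Sign only when a certificate is actually available, instead of passing
# $null to -Certificate and hitting the binding error from the question
$target = Join-Path $HOME 'Documents\WindowsPowerShell\profile.ps1'
$cert   = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

if ($cert -eq $null) {
    Write-Warning 'No code-signing certificate found in CurrentUser\My; check the table above.'
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) has no accessible private key and cannot sign."
} else {
    Set-AuthenticodeSignature -FilePath $target -Certificate $cert |
        Format-List Path, Status, StatusMessage
}
```

A row with HasPrivateKey False points at key storage or permissions, while a row with InFilter False points at the certificate's intended purposes.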