Set-AuthenticodeSignature
NAME Set-AuthenticodeSignature
SYNOPSIS
Adds an Authenticode signature to a Windows PowerShell script or other file.
SYNTAX
Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-Confirm] -Content <Byte[]> [-Force] [-HashAlgorithm <String>] [-IncludeChain {signer
| notroot | all}] -SourcePathOrExtension <String[]> [-TimestampServer <String>] [-WhatIf] [<CommonParameters>]
Set-AuthenticodeSignature [-FilePath] <String[]> [-Certificate] <X509Certificate2> [-Confirm] [-Force] [-HashAlgorithm <String>] [-IncludeChain
{signer | notroot | all}] [-TimestampServer <String>] [-WhatIf] [<CommonParameters>]
Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-Confirm] [-Force] [-HashAlgorithm <String>] [-IncludeChain {signer | notroot | all}]
-LiteralPath <String[]> [-TimestampServer <String>] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Set-AuthenticodeSignature cmdlet adds an Authenticode signature to any file that supports Subject Interface Package (SIP).
In a Windows PowerShell script file, the signature takes the form of a block of text that indicates the end of the instructions that are executed
in the script. If there is a signature in the file when this cmdlet runs, that signature is removed.
PARAMETERS
-Certificate <X509Certificate2>
Specifies the certificate that will be used to sign the script or file. Enter a variable that stores an object representing the certificate or
an expression that gets the certificate.
To find a certificate, use Get-PfxCertificate or use the Get-ChildItem cmdlet in the Certificate (Cert:) drive. If the certificate is not
valid or does not have code-signing authority, the command fails.
Required? true
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-Content <Byte[]>
To find a certificate, use Get-PfxCertificate or use the Get-ChildItem cmdlet in the Certificate (Cert:) drive. If the certificate is not
valid or does not have code-signing authority, the command fails.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-FilePath <String[]>
Specifies the path to a file that is being signed.
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-Force [<SwitchParameter>]
Allows the cmdlet to append a signature to a read-only file. Even using the Force parameter, the cmdlet cannot override security restrictions.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-HashAlgorithm <String>
Specifies the hashing algorithm that Windows uses to compute the digital signature for the file.
For Windows PowerShell 3.0, the default is SHA-256, which is the Windows default hashing algorithm. For Windows PowerShell 2.0, the default is
SHA-1. Files that are signed with a different hashing algorithm might not be recognized on other systems.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-IncludeChain <String>
Determines which certificates in the certificate trust chain are included in the digital signature. NotRoot is the default. The acceptable
values for this parameter are:
- Signer. Includes only the signer's certificate.
- NotRoot. Includes all of the certificates in the certificate chain, except for the root authority.
- All. Includes all the certificates in the certificate chain.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-LiteralPath <String[]>
Specifies the path to a file that is being signed. Unlike FilePath, the value of the LiteralPath parameter is used exactly as it is typed. No
characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks
tell Windows PowerShell not to interpret any characters as escape sequences.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SourcePathOrExtension <String[]>
To find a certificate, use Get-PfxCertificate or use the Get-ChildItem cmdlet in the Certificate (Cert:) drive. If the certificate is not
valid or does not have code-signing authority, the command fails.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-TimestampServer <String>
Uses the specified time stamp server to add a time stamp to the signature. Type the URL of the time stamp server as a string.
The time stamp represents the exact time that the certificate was added to the file. A time stamp prevents the script from failing if the
certificate expires because users and programs can verify that the certificate was valid at the time of signing.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String
You can pipe a string that contains the file path to Set-AuthenticodeSignature.
OUTPUTS
System.Management.Automation.Signature
NOTES
Example 1: Get a code-signing certificate and sign a script
PS C:\> $Cert = Get-ChildItem -Path "Cert:\CurrentUser\My" -CodeSigningCert
PS C:\> Set-AuthenticodeSignature -FilePath "PsTestInternet2.ps1" -Certificate $Cert
These commands get a code-signing certificate from the Windows PowerShell certificate provider and use it to sign a Windows PowerShell script.
The first command uses the Get-ChildItem cmdlet and the Windows PowerShell certificate provider to get the certificates in the
Cert:\CurrentUser\My subdirectory of the certificate store. (The Cert: drive is the drive exposed by the certificate provider.) The
CodeSigningCert parameter, which is supported only by the certificate provider, limits the certificates retrieved to those with code-signing
authority. The command stores the result in the $Cert variable.
The second command uses the Set-AuthenticodeSignature cmdlet to sign the PSTestInternet2.ps1 script. It uses the FilePath parameter to specify the
name of the script and the Certificate parameter to specify that the certificate is stored in the $Cert variable.
Example 2: Get a code-signing certificate and sign a script
PS C:\> $Cert = Get-PfxCertificate -FilePath "C:\Test\Mysign.pfx"
PS C:\> Set-AuthenticodeSignature -FilePath "ServerProps.ps1" -Certificate $Cert
These commands use the Get-PfxCertificate cmdlet to find a code signing certificate. Then, they use it to sign a Windows PowerShell script.
The first command uses the Get-PfxCertificate cmdlet to find the C:\Test\MySign.pfx certificate and store it in the $Cert variable.
The second command uses Set-AuthenticodeSignature to sign the script. The FilePath parameter of Set-AuthenticodeSignature specifies the path to
the script file being signed and the Certificate parameter passes the $Cert variable containing the certificate to Set-AuthenticodeSignature.
If the certificate file is password protected, Windows PowerShell prompts you for the password.
Example 3: Add a digital signature with the root authority
PS C:\> Set-AuthenticodeSignature -FilePath "C:\scripts\Remodel.ps1" -Certificate $Cert -IncludeChain "All" -TimeStampServer "http://timestamp.fabrikam.com/scripts/timstamper.dll"
This command adds a digital signature that includes the root authority in the trust chain, and it is signed by a third-party timestamp server.
The command uses the FilePath parameter to specify the script being signed and the Certificate parameter to specify the certificate that is saved
in the $Cert variable. It uses the IncludeChain parameter to include all of the signatures in the trust chain (including the root authority). It
also uses the TimeStampServer parameter to add a timestamp to the signature. This prevents the script from failing when the certificate expires.
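An added example (not part of the original help text) that combines the three examples above into one sign-then-verify step: it selects a single usable certificate, signs with SHA256 and a timestamp, and confirms the result on disk with Get-AuthenticodeSignature. The function name Invoke-SignAndVerify and its parameter names are hypothetical, and the timestamp URL in the usage comment is the placeholder from Example 3.

```powershell
# Added example; Invoke-SignAndVerify and its parameter names are hypothetical.
function Invoke-SignAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $TimestampUrl
    )

    # -Certificate takes one X509Certificate2, but the store may hold several.
    # Keep only certificates that can sign right now and pick the longest-lived.
    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No code-signing certificate with a private key is currently valid.'
    }

    # Sign. Any existing signature in the file is replaced.
    $signed = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -IncludeChain NotRoot -TimestampServer $TimestampUrl
    if ($signed.Status -ne 'Valid') {
        throw "Signing $Path returned $($signed.Status): $($signed.StatusMessage)"
    }

    # Re-read the file from disk rather than trusting the object returned above.
    $check = Get-AuthenticodeSignature -FilePath $Path
    if ($check.Status -ne 'Valid') {
        throw "Verification of $Path returned $($check.Status): $($check.StatusMessage)"
    }
    if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw "Signer thumbprint on $Path does not match the selected certificate."
    }
    # Without a countersignature the file stops validating when the cert expires.
    if (-not $check.TimeStamperCertificate) {
        Write-Warning "No timestamp on $Path; signature expires $($cert.NotAfter)."
    }
    $check | Select-Object Path, Status,
        @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
        @{ n = 'Timestamper'; e = { $_.TimeStamperCertificate.Subject } }
}

# Usage (URL is the placeholder from Example 3, not a real service):
# Invoke-SignAndVerify -Path 'C:\scripts\Remodel.ps1' `
#     -TimestampUrl 'http://timestamp.fabrikam.com/scripts/timstamper.dll'
```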
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=821718
Get-AuthenticodeSignature
Get-ExecutionPolicy
Get-PfxCertificate
Set-ExecutionPolicy