Forum Discussion
Rod Falanga
Jun 30, 2022, Brass Contributor
The PowerShell script that's worked for 2 years to find a signing certificate, stopped working
This is an on-prem TFS question. Yesterday I put a certificate in place to handle signing ClickOnce deployments. However, it fails to apply the certificate. The guy who wrote these release scripts be...
LainRobertson
Jul 05, 2022, Silver Contributor
Hey, Rod.
The key difference between those lines is that your first line doesn't contain the call to ".Verify()", which almost confirms what I expected to be true, which is that the returned result is failing the call to .Verify().
Try running the following (which is mostly the same as what I posted earlier) and see if it returns True or False.
$cert = ls cert:\ -Recurse -CodeSigningCert | Sort-Object -Property NotAfter -Descending | Select -First 1;
$cert | fl Thumbprint, NotAfter, Subject, @{n="Verified"; e={ $_.Verify() }};
You should see output like the following, with the value for Verified being what you're most interested in.
Failing verification doesn't mean the certificate is invalid (though it could be). It just means the verification process failed, which takes me back to things like ensuring the CRL can be reached, etc.
For now, you're only interested in seeing if Verified is coming back as false. If it is, then that's why the script is failing to find a certificate to assign.
Cheers,
Lain
Edited to correct the two-line PowerShell example.
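The two-line check above only reports True or False. The following is an added example (not code from the thread or from either poster) that extends it: it picks the newest code-signing certificate the same way, prints whether a private key is attached (signing needs one), and then builds the certificate chain twice with System.Security.Cryptography.X509Certificates.X509Chain, once with online revocation checking (what .Verify() does) and once with revocation checking disabled. If the first build fails and the second passes, the chain is sound and the problem is CRL/OCSP reachability; the ChainStatus lines say which it is. It assumes a code-signing certificate exists somewhere under Cert:\.

```powershell
# Added example, not part of the original thread.
# Assumes at least one code-signing certificate is present under Cert:\.
$cert = Get-ChildItem -Path Cert:\ -Recurse -CodeSigningCert |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw 'No code-signing certificate found under Cert:\' }

# Same information as the two-line check, plus HasPrivateKey, which signing requires.
$cert | Format-List Thumbprint, NotAfter, Subject, HasPrivateKey,
    @{ n = 'Verified'; e = { $_.Verify() } }

# Build the chain with and without online revocation checking so that a CRL
# reachability problem can be told apart from a genuinely bad chain.
foreach ($mode in 'Online', 'NoCheck') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Require the code-signing EKU (id-kp-codeSigning) so a cert that chains fine
    # but cannot be used for signing is also reported.
    $codeSigningOid = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid) | Out-Null

    $built = $chain.Build($cert)
    'RevocationMode={0}: Build={1}' -f $mode, $built
    if (-not $built) {
        # Statuses such as RevocationStatusUnknown or OfflineRevocation point at
        # CRL/OCSP reachability; NotTimeValid, UntrustedRoot or PartialChain do not.
        $chain.ChainStatus | ForEach-Object {
            '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        }
    }
    $chain.Reset()
}
```

Run it on the build agent under the same account the release script uses, since the certificate store, the private key ACL and the proxy settings that govern CRL download are all per-account.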
Rod Falanga
Jul 06, 2022, Brass Contributor
Hi Lain,
I ran the two lines of PS script you gave me. It didn't produce anything after running the second line. After running it, PS just returned to the PS prompt.
- LainRobertson, Jul 07, 2022, Silver Contributor
My apologies, Rod.
I'd made a copy-and-paste fail since I forgot to remove the .Verify() section from line 1.
I've updated line 1 now, so perhaps try it again.
From what you described about not getting anything at all though, I expect the result will indeed be False.
Cheers,
Lain
- Rod Falanga, Jul 07, 2022, Brass Contributor
I've been making several changes to the PS script to make it work. It still isn't. Here's what I've currently got for trying to sign the .exe and .dll files produced during the build:
Get-AuthenticodeSignature *.exe,*.dll | ? Status -eq NotSigned | % Path | %{&$signtool sign /debug /tr $timestamp /td sha384 /fd /sha1 $hash $_ }
And here's the error that I'm now getting:
##[error]SignTool Error: The specified algorithm cannot be used or is invalid
I do not know what algorithm should be used with the /td and /fd switches. And I'm still unsure if I should include /sha1 or not. Working with a colleague we looked at the properties of the new certificate and saw this:
- Signature algorithm: SHA384RSA
- Signature hash algorithm: SHA384
- Thumbprint algorithm: SHA1
Using those what does it tell you I should be using for /td and /fd. And do I still need to use /SHA1?
- LainRobertson, Jul 08, 2022, Silver Contributor
I also meant to add: is there some reason Set-AuthenticodeSignature won't work for you?
The only gap I see between it and signtool.exe is the ability to control the timestamping algorithm, but I wouldn't have thought this would have mattered.
It would be a little easier/more readable to use Set-AuthenticodeSignature but if you need that finer-grain control from signtool.exe then that's fair enough.
Cheers,
Lain
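The following is an added example (not code from the thread or from either poster) that covers both the Jul 07 question about the signtool switches and the Jul 08 suggestion to use Set-AuthenticodeSignature. For signtool, /fd and /td each take the name of a digest algorithm (for example sha256), /tr takes an RFC 3161 timestamp URL, and /sha1 takes the certificate's thumbprint; the certificate's own signature algorithm (SHA384RSA in the thread) is how the CA signed the certificate and does not constrain the file digest. The script selects the signing certificate by thumbprint, signs only the files that Get-AuthenticodeSignature reports as NotSigned, and verifies each result. The build directory, timestamp URL and thumbprint are placeholders that must be replaced.

```powershell
# Added example, not part of the original thread.
# Assumptions (replace before use): $BuildDir is the build output folder,
# $TimestampUrl is your CA's RFC 3161 timestamp server, $Thumbprint is the
# SHA-1 thumbprint of the code-signing certificate (Get-ChildItem Cert:\ -CodeSigningCert).
$BuildDir     = 'C:\BuildOutput'                     # assumed path
$TimestampUrl = 'http://timestamp.example.invalid'   # assumed; use your CA's RFC 3161 URL
$Thumbprint   = '0000000000000000000000000000000000000000'  # assumed placeholder

# Select by thumbprint rather than "newest", and require a private key.
$cert = Get-ChildItem -Path Cert:\ -Recurse -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint not found, or it has no private key" }

# Only files that are not yet signed, mirroring the filter used in the thread.
$targets = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll -File |
    Get-AuthenticodeSignature |
    Where-Object Status -eq 'NotSigned' |
    Select-Object -ExpandProperty Path

foreach ($file in $targets) {
    # -HashAlgorithm is the file digest (signtool /fd); -TimestampServer is the
    # RFC 3161 timestamp (signtool /tr) that keeps the signature valid after the
    # certificate itself expires.
    $sig = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    '{0}: {1}' -f $file, $sig.Status
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for ${file}: $($sig.StatusMessage)"
    }
}

# Equivalent signtool invocation for one file, if the finer control is needed
# (assumes $signtool holds the path to signtool.exe):
#   & $signtool sign /fd sha256 /td sha256 /tr $TimestampUrl /sha1 $Thumbprint $file
```

Set-AuthenticodeSignature returns a Signature object, so checking its Status property is the cheapest post-condition; a second Get-AuthenticodeSignature pass over the whole directory at the end of the release step is a reasonable belt-and-braces check that nothing slipped through unsigned.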