Forum Discussion
Rod Falanga
Jun 30, 2022Brass Contributor
The PowerShell script that's worked for 2 years to find a signing certificate, stopped working
This is an on-prem TFS question. Yesterday I put a certificate in place to handle signing ClickOnce deployments. However, it fails to apply the certificate. The guy who wrote these release scripts be...
LainRobertson
Jul 07, 2022Silver Contributor
My apologies, Rod.
I'd made a copy-and-paste fail since I forgot to remove the .Verify() section from line 1.
I've updated line 1 now, so perhaps try it again.
From what you described about not getting anything at all though, I expect the result will indeed be False.
Cheers,
Lain
Rod Falanga
Jul 07, 2022Brass Contributor
I've been making several changes to the PS script to make it work. It still isn't. Here's what I've currently got for trying to sign the .exe and .dll files produced during the build:
Get-AuthenticodeSignature *.exe,*.dll | ? Status -eq NotSigned | % Path | %{&$signtool sign /debug /tr $timestamp /td sha384 /fd /sha1 $hash $_ }
And here's the error that I'm now getting:
##[error]SignTool Error: The specified algorithm cannot be used or is invalid
I do not know what algorithm should be used with the /td and /fd switches. And I'm still unsure if I should include /sha1 or not. Working with a colleague we looked at the properties of the new certificate and saw this:
- Signature algorithm: SHA384RSA
- Signature hash algorithm: SHA384
- Thumbprint algorithm: SHA1
Using those what does it tell you I should be using for /td and /fd. And do I still need to use /SHA1?
Rod Falanga
Jul 08, 2022Brass Contributor
The only reason why Set-AuthenticodeSignature wasn't working for me is because I've never heard of it. I only learned of it yesterday. I switched out using SignTool with Set-AuthenticodeSignature. Set-AuthenticodeSignature works!!!!
Thank you very much for all of your help with this!!
LainRobertson
Jul 08, 2022Silver Contributor
I also meant to add: is there some reason Set-AuthenticodeSignature won't work for you?
The only gap I see between it and signtool.exe is the ability to control the timestamping algorithm, but I wouldn't have thought this would have mattered.
It would be a little easier/more readable to use Set-AuthenticodeSignature but if you need that finer-grain control from signtool.exe then that's fair enough.
Cheers,
Lain
LainRobertson
Jul 08, 2022Silver Contributor
I'm having to make an educated guess here - given all I can see is a variable named $signtool, but I'm assuming the tool being used is signtool.exe. That puts this outside the realm of being a PowerShell discussion but I'll try to help as best I can.
I'm going off the reference for signtool.exe:
I'd try the following for the final part of your statement:
%{&$signtool sign /debug /tr $timestamp /td sha256 /fd sha256 /sha1 $hash $_ }
The basis for going with SHA256 as the lowest common denominator comes from point 8 in the following article - which I'm only using as a clue:
If I was going to bump anything up to SHA384, it'd be the /fd switch. That's solely because the timestamping server is more of an unknown to me than the Windows operating system, which has supported SHA384 for some time now. But this is just a big assumption since I know nothing about your environment, or that of the timestamping server. Again, this is well outside of the PowerShell remit.
The /sha1 switch is fine. You can think of this as "/thumbprint" instead, if you prefer, as a certificate thumbprint is simply a dynamically-generated (i.e. it's not part of the certificate at all) SHA1-based hash of the certificate.
In the context of signtool.exe, /sha1 thumbprint is simply used to instruct signtool.exe which certificate it should select when more than one certificate is eligible for selection.
Cheers,
Lain
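The Set-AuthenticodeSignature route that closed the thread, written out as an added example (not code posted by Rod or Lain): select the certificate by thumbprint, sign only the build outputs that are still unsigned with a SHA384 file digest and a timestamp, then verify every file afterwards. $CertThumbprint, $TimestampUrl and $BuildDir are placeholders you must replace with your own values.

```powershell
# Added example, not from the thread. $CertThumbprint, $TimestampUrl and
# $BuildDir are placeholders (assumptions), not values from the discussion.
param(
    [string]$CertThumbprint = '<THUMBPRINT-OF-SIGNING-CERT>',     # placeholder
    [string]$TimestampUrl   = 'http://timestamp.example.invalid', # placeholder timestamp URL
    [string]$BuildDir       = '.'                                 # build output folder
)

# The thumbprint is only a SHA-1 fingerprint used to pick the certificate
# (the role of signtool's /sha1 switch); it says nothing about the digest
# used for the signature itself.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) { throw "No code-signing certificate with thumbprint $CertThumbprint found." }
if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no usable private key." }

# Sign only what is not already signed, as the thread's
# Get-AuthenticodeSignature | ? Status -eq NotSigned filter does.
$unsigned = Get-ChildItem -Path $BuildDir -Include *.exe, *.dll -Recurse |
    Get-AuthenticodeSignature |
    Where-Object Status -eq 'NotSigned' |
    Select-Object -ExpandProperty Path

foreach ($file in $unsigned) {
    # -HashAlgorithm is the file digest (signtool's /fd). The timestamp
    # server chooses its own digest; there is no equivalent of /td here,
    # which is the one gap between the two tools noted above.
    $sig = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
        -HashAlgorithm SHA384 -TimestampServer $TimestampUrl
    if ($sig.Status -ne 'Valid') {
        Write-Error "Signing failed for $file : $($sig.Status) - $($sig.StatusMessage)"
    }
}

# Verification pass: every file should report Valid, be signed by the
# expected thumbprint, and carry a timestamp counter-signature.
Get-ChildItem -Path $BuildDir -Include *.exe, *.dll -Recurse |
    Get-AuthenticodeSignature |
    Select-Object Path, Status,
        @{ n = 'Signer';      e = { $_.SignerCertificate.Thumbprint } },
        @{ n = 'Timestamped'; e = { $null -ne $_.TimeStamperCertificate } } |
    Format-Table -AutoSize
```

A file that reports Valid but Timestamped = False will stop validating once the certificate expires, so treat a missing timestamp as a failed signing step in the release pipeline.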