Forum Discussion
Rod Falanga
Jun 30, 2022 Brass Contributor
The PowerShell script that's worked for 2 years to find a signing certificate, stopped working
This is an on-prem TFS question. Yesterday I put a certificate in place to handle signing ClickOnce deployments. However, it fails to apply the certificate. The guy who wrote these release scripts be...
Rod Falanga
Jul 07, 2022 Brass Contributor
I've been making several changes to the PS script to make it work. It still isn't. Here's what I've currently got for trying to sign the .exe and .dll files produced during the build:
Get-AuthenticodeSignature *.exe,*.dll | ? Status -eq NotSigned | % Path | %{&$signtool sign /debug /tr $timestamp /td sha384 /fd /sha1 $hash $_ }
And here's the error that I'm now getting:
##[error]SignTool Error: The specified algorithm cannot be used or is invalid
I do not know what algorithm should be used with the /td and /fd switches. And I'm still unsure if I should include /sha1 or not. Working with a colleague, we looked at the properties of the new certificate and saw this:
- Signature algorithm: SHA384RSA
- Signature hash algorithm: SHA384
- Thumbprint algorithm: SHA1
Using those, what does it tell you I should be using for /td and /fd? And do I still need to use /SHA1?
LainRobertson
Jul 08, 2022 Silver Contributor
I also meant to add: is there some reason Set-AuthenticodeSignature won't work for you?
The only gap I see between it and signtool.exe is the ability to control the timestamping algorithm, but I wouldn't have thought this would have mattered.
It would be a little easier/more readable to use Set-AuthenticodeSignature but if you need that finer-grain control from signtool.exe then that's fair enough.
Cheers,
Lain
Rod Falanga
Jul 08, 2022 Brass Contributor
The only reason why Set-AuthenticodeSignature wasn't working for me is because I've never heard of it. I only learned of it yesterday. I switched out using SignTool with Set-AuthenticodeSignature. Set-AuthenticodeSignature works!!!!
Thank you very much for all of your help with this!!
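
The switch to Set-AuthenticodeSignature described in the last reply, sketched as an added example (not code from the thread): it signs the unsigned .exe and .dll build outputs and fails the release step if any signature does not come back Valid. The thumbprint, certificate store, timestamp URL and build folder are placeholders, and SHA384 as the file digest is an assumption.

```powershell
# Added example, not from the thread. Angle-bracket and example.test values are placeholders.
$thumbprint = '<CERT-THUMBPRINT>'             # SHA-1 thumbprint: only identifies the cert
$store      = 'Cert:\LocalMachine\My'         # assumed store the build agent can read
$timestamp  = 'http://timestamp.example.test' # constructed timestamp server URL
$buildDir   = '.\bin\Release'                 # assumed build output folder
$hashAlg    = 'SHA384'                        # assumed file digest algorithm

# Find the code-signing certificate and check it is usable before touching any file.
$cert = Get-ChildItem -Path $store -CodeSigningCert |
    Where-Object Thumbprint -eq $thumbprint |
    Select-Object -First 1
if (-not $cert)               { throw "Certificate $thumbprint not found in $store." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key for this account.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Collect the build outputs that carry no signature yet.
$targets = Get-ChildItem -Path $buildDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'NotSigned' }

$failed = @()
foreach ($file in $targets) {
    $result = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -HashAlgorithm $hashAlg -TimestampServer $timestamp
    # Status is 'Valid' only when the signature verifies and the chain is trusted.
    if ($result.Status -ne 'Valid') {
        $failed += "{0}: {1} ({2})" -f $file.Name, $result.Status, $result.StatusMessage
    }
}

# Fail the step loudly instead of shipping partly signed output.
if ($failed) {
    $failed | ForEach-Object { Write-Error $_ }
    throw "$($failed.Count) file(s) were not signed correctly."
}
"Signed $(@($targets).Count) file(s) with certificate $($cert.Subject)."
```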