Signing Powershell scripts with a Thawte code signing certificate

calendarSep 10, 2008 · 2 min read · Uncategorised  ·
Share on: linkedincopy

I hit a problem today when trying to sign a powershell script as detailed on Scott Hanselman's blog with a Thawte code signing certificate.

The basic issue was that the certificate could be seen in the Personal section of the Certificates MMC snap-in. Also it was listed if I issued the Powershell command

Get-ChildItem cert:CurrentUserMy

but if I added the flag to only show usable codesigning (Class III) certificates it was not listed.

Get-ChildItem cert:CurrentUserMy -codesigning

Turns out the issue was the same as you see when trying to sign Office 2000 VBA scripts. You have to have imported the certificate with it's key as detailed on the Thawte site, using the PVKIMPRT.EXE tool. This means you need the MYCERT.P7B and the MYKEY.PVK for the import.

This is made a bit more complex if using the Thawte web site and a Vista client PC as your purchased certificate is installed into you local registry automatically (you don't get a separate key file). So it would work on the PC used to purchase the certificate but you could not export it. Hence the tip here is to purchase the certificate on an XP client PC so you get both the certificate and key files; Ok you have to manually install the certificate and the key but is is easier in the long term.

Once this is done you can sign the powershell script using the command

Set-AuthenticodeSignature file.ps1 @(Get-ChildItem cert:CurrentUserMy -codesigning)[0]