
I have obtained a code signing cert from our trusted CA. I am trying to sign a script in PowerShell ISE but getting "UnknownError." I have tried encoding the script as UTF-8, but I'm still getting the same error. I have verified the script is UTF-8 as well.

$cert=(dir cert:currentuser\my\ -CodeSigningCert)
Set-AuthenticodeSignature C:\Scripts\Certtestnew.ps1 $cert

Even though I'm getting "UnknownError", it still appears to sign the script. Although, when I run the script, I receive "The contents of file C:\Scripts\Certtestnew.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature."

UPDATE $cert info:

PSPath : Microsoft.PowerShell.Security\Certificate::currentuser\my\FDCD31216C3491C2809441344EE6EF5E01EB0550
PSParentPath : Microsoft.PowerShell.Security\Certificate::currentuser\my
PSChildName : FDCD31216C3491C2809441344EE6EF5E01EB0550
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {}
DnsNameList : {}
SendAsTrustedIssuer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 10/29/2016 4:05:37 PM
NotBefore : 10/29/2015 3:45:37 PM
HasPrivateKey : True
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 5, 225...}
SerialNumber : 60A14A915A0FAFA12311B0998F5892C9
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : FDCD31216C3491C2809441344EE6EF5E01EB0550
Version : 3
Handle : 578311520
Issuer : CN=USER OU=Admin, OU=Admin and Service Accounts, DC=domoain
Subject : CN=USER, OU=Admin, OU=Admin and Service Accounts, DC=domain
user3711442

2 Answers


For my PowerShell script, this "UnknownError" after running Set-AuthenticodeSignature ended up being because I forgot to start PowerShell in Windows 10 Home Administrator mode. As a "normal" user the script couldn't apply the digital signature. I am adding a check for user name / type to my script. June Castillote does a great job explaining how to set up digital signatures for Windows PowerShell scripts (*.ps1).


I've just had a look at my domain code-signing cert and it has the PrivateKey property as well as Code Signing listed under its EnhancedKeyUsageList property:

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\XXX
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : XXX
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Code Signing (1.3.6.1.5.5.7.3.3)}
DnsNameList              : {XXX}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid...}
FriendlyName             : XXX
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : XXX
NotBefore                : XXX
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : XXX
SerialNumber             : XXX
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : XXX
Version                  : 3
Handle                   : XXX
Issuer                   : XXX
Subject                  : XXX

That leads me to query if your cert is valid for code-signing. You might want to revisit your cert request and make sure.

What does $error contain after it falls over?

ConanW
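A checked version of the signing step, added here as an example (not code from the question or either answer): it verifies the certificate has a private key and the Code Signing EKU that ConanW's dump shows, warns when the session is not elevated as the first answer describes, surfaces $Error when Set-AuthenticodeSignature reports UnknownError, and shows how any edit to the file after signing produces the "may have been tampered" hash mismatch. The thumbprint and script path are placeholders.

```powershell
# Added example (not from the question or answers). Assumes a code-signing cert in
# Cert:\CurrentUser\My; THUMBPRINT_PLACEHOLDER and C:\Scripts\Example.ps1 are placeholders.
function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # id-kp-codeSigning: present in ConanW's cert, absent from the asker's (EnhancedKeyUsageList : {})
    $ekuOid = '1.3.6.1.5.5.7.3.3'
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasEku = [bool]($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $ekuOid))
    $now = Get-Date
    return [bool]($Cert.HasPrivateKey -and $hasEku -and
                  ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter))
}

function Invoke-ScriptSigning {
    param([string]$Path, [string]$Thumbprint)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not (Test-CodeSigningCert $cert)) {
        throw "Cert $Thumbprint has no private key, no Code Signing EKU, or is outside its validity period."
    }
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Session is not elevated; the first answer reports UnknownError until run as Administrator.'
    }
    $Error.Clear()
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') {
        # Surface the underlying failure instead of the bare "UnknownError" status.
        Write-Warning "Signing returned $($sig.Status): $($sig.StatusMessage)"
        if ($Error.Count -gt 0) { Write-Warning $Error[0].Exception.Message }
    }
    # Re-read the file independently; this Status is what the execution policy acts on.
    return Get-AuthenticodeSignature -FilePath $Path
}

# Usage: sign, verify, then change the file. Any byte change after signing (including an
# editor re-saving with a different encoding or BOM) makes the signature's hash no longer
# match the file, which is the "may have been tampered" message from the question.
$path = 'C:\Scripts\Example.ps1'
$result = Invoke-ScriptSigning -Path $path -Thumbprint 'THUMBPRINT_PLACEHOLDER'
"Status after signing: $($result.Status)"
Add-Content -Path $path -Value '# one more line'
"Status after edit:    $((Get-AuthenticodeSignature -FilePath $path).Status)"
```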