This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 91%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Hi Folks,
Am hitting a bit of an issue when trying to sign some powershell scripts, I am following this basic articlehttps://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.3
I am using certificates from my own PKI, the root and issuing CA certs have been imported into the machine trust stores and the code signing certificate is valid, the issue comes when I run the step to sign the powershell script, I get an unknownerror.
If I run the following I do see my code signing cert in the cert store
Any ideas?
Thanks
Mike
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Looking at the description of the Set-AuthenticodeSignature, both the scripts' path and the certificate both have a "Position" value of 1. That may be an error in the help file, but why not try using the parameter names?
Set-AuthenticodeSignature -Path add-signature.ps1 -Certificate $cert
Hi @Rich Matheisen This did not work, I get the same result
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
$cert = (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[0]
$cert
Set-AuthenticodeSignature -FilePath C:\Users\administrator\code\Add-Signature.ps1 -Certificate $cert
Open your Add-Signature.ps1 script file in a hex editor (I use this one: https://mh-nexus.de/en/hxd/) and examine the 1st two or 3 bytes of the file.
I don't know if still true, but the PowerShell ISE used to save files in Unicode-16 BigEndian, and that used to cause this problem with code signing.
Hello Michael, Can you check the following two things:
I just tried the sequence of commands that you used and got similar results. In my case, the certificate "properties" (external to the certificate, can be modified) enabled all "purposes", but the certificate did not contain an "Enhanced Key Usage" or similar extension specifying code signing.
The .ps1 file was modified, but PowerShell also tried to verify the signature and ETW tracing showed that this failed because of "A certificate's basic constraint extension has not been observed.".
Your problem may differ in some details from mine, but the essence might be the same.
Gary