Signature Verification Policy


The recommended way to set up signature verification is by using AppLocker. For more information, see AppLocker. AppLocker is enabled by default in Windows, and it overrides the sign verification mechanism.

Using Sign Verification

You can still use sign verification using signtool.exe (which is available in the Windows SDK). You must use the SHA1 or the SHA256 hash function.

Important

The signtool executable cannot sign scripts using the SHA256 hash function in Windows 7. This issue is fixed in Windows 8 Release Preview.

To use sign verification instead of AppLocker, do the following:

  1. Disable AppLocker, using the following registry setting:

    HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\{UseWINSAFER:0}

  2. Enable the VerifyTrust path by adding the following registry setting, where TrustPolicy is a DWORD value:

    HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\{TrustPolicy:2}

At this point you should be able to run the script.
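The following PowerShell script is an added example, not part of the original article: it audits the two values described in the steps above and reports whether Windows Script Host will be governed by AppLocker or by the VerifyTrust path, and it can apply the two settings with -WhatIf support. The registry path and value names are taken from this page; the Invoke-WshScriptSign helper and the signtool switches it uses (/fd, /f, /p) are assumptions drawn from the signtool documentation and are not shown on this page.

```powershell
# Added example (not from the original article). Audits and optionally applies the
# WSH signature-verification policy described above. Registry path and value names
# are the ones given on this page; the signtool switches used below are assumed from
# the signtool documentation, not from this page.
$WshKey = 'HKCU:\Software\Microsoft\Windows Script Host'

function Get-WshTrustPolicy {
    # Read UseWINSAFER and TrustPolicy and say which mechanism governs WSH scripts.
    $useWinSafer = (Get-ItemProperty -Path $WshKey -Name UseWINSAFER -ErrorAction SilentlyContinue).UseWINSAFER
    $trustPolicy = (Get-ItemProperty -Path $WshKey -Name TrustPolicy -ErrorAction SilentlyContinue).TrustPolicy

    # AppLocker is enabled by default and overrides TrustPolicy unless UseWINSAFER is explicitly 0.
    $appLockerGoverns = ($null -eq $useWinSafer) -or ($useWinSafer -ne 0)

    [pscustomobject]@{
        KeyExists        = Test-Path -Path $WshKey
        UseWINSAFER      = $useWinSafer
        TrustPolicy      = $trustPolicy
        AppLockerGoverns = $appLockerGoverns
        # VerifyTrust path is active only when AppLocker is disabled and TrustPolicy is 2.
        SignatureVerify  = (-not $appLockerGoverns) -and ($trustPolicy -eq 2)
    }
}

function Set-WshSignatureVerification {
    # Apply step 1 (UseWINSAFER=0) and step 2 (TrustPolicy=2) for the current user.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $WshKey)) {
        New-Item -Path $WshKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($WshKey, 'Set UseWINSAFER=0 (disable AppLocker for WSH)')) {
        New-ItemProperty -Path $WshKey -Name UseWINSAFER -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($WshKey, 'Set TrustPolicy=2 (enable VerifyTrust path)')) {
        New-ItemProperty -Path $WshKey -Name TrustPolicy -PropertyType DWord -Value 2 -Force | Out-Null
    }
    Get-WshTrustPolicy
}

function Invoke-WshScriptSign {
    # Hypothetical helper: sign a script with signtool.exe using SHA1 or SHA256, the two
    # hash functions this page permits. Switch names are assumed from signtool's docs.
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [string] $PfxPassword,
        [ValidateSet('SHA1', 'SHA256')] [string] $HashAlgorithm = 'SHA256'
    )
    $args = @('sign', '/fd', $HashAlgorithm, '/f', $PfxPath)
    if ($PfxPassword) { $args += @('/p', $PfxPassword) }
    $args += $ScriptPath
    & signtool.exe @args
}

# Usage:
Get-WshTrustPolicy | Format-List
# Set-WshSignatureVerification -WhatIf   # preview the two registry writes
# Set-WshSignatureVerification           # apply them
# Invoke-WshScriptSign -ScriptPath .\deploy.vbs -PfxPath .\codesign.pfx -HashAlgorithm SHA256
```

Get-WshTrustPolicy is the check worth running first: because the page notes that AppLocker overrides the sign verification mechanism, a TrustPolicy of 2 on its own proves nothing until UseWINSAFER is confirmed to be 0. Keep in mind that setting UseWINSAFER to 0 removes AppLocker enforcement for WSH scripts, so the VerifyTrust path should be in place before that value is changed.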

See Also

Security and Windows Script Host
Signing a Script (Windows Script Host)
Verifying a Script
CryptoAPI Tools