我尝试在PowerShell中使用以下代码:
$path = 'cert:currentusermy' + 'Thumbprint_My_Certificate'
$cert=Get-ChildItem -Path $path
$choicec=$cert | Where-Object HasPrivateKey -eq 'true' | Where-Object { $_.Subject -eq "CN=CN_Name_My_Certificate" }
Set-AuthenticodeSignature -FilePath C:UsersmyuserDesktopTestFilePS.txt -Certificate $choicec*
在这种情况下,我有这个错误:
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:94
+ ... ath C:UsersmyuserDesktopTestFilePS.txt -Certificate $choicec
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti
codeSignatureCommand*
当我将最后一个命令更改为时
设置AuthenticodeSignature-文件路径C:\Users\myuser\Desktop\TestFilePS.txt-Certificate$cert
我有这个错误:
Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At line:1 char:1
+ Set-AuthenticodeSignature -FilePath C:UsersmyuserDesktopTest ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
$cert|fl*的输出如下:
PSPath : Microsoft.PowerShell.SecurityCertificate::currentusermyXXXThumbprint_My_CertificateXXX
PSParentPath : Microsoft.PowerShell.SecurityCertificate::currentusermy
PSChildName : XXXThumbprint_My_CertificateXXX
PSDrive : Cert
PSProvider : Microsoft.PowerShell.SecurityCertificate
PSIsContainer : False
EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}
DnsNameList : {MyComputerName, MyDomain}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 09.05.2023 23:13:07
NotBefore : 09.05.2021 23:13:07
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 6, 249...}
SerialNumber : XXXSerial_Number_My_CertificateXX
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : XXXThumbprint_My_CertificateXXX
Version : 3
Handle : 2049462886560
Issuer : CN=CN_Name_My_Certificate, O=CompanyName
Subject : CN=CN_Name_My_Certificate, OU=OU_Name, O=CompanyName, L=L_Name
我做错了什么?
假设您已经请求了证书,并且它已经添加到域组策略中"Trusted Publishers";正确的部分签名过程本身相当容易。PowerShell命令遵循以下语法–
Set-AuthenticodeSignature -FilePath LOCATIONOFSCRIPT -Certificate LOCATIONOFCERT –TimestampServer TSASERVER
其中——
LOCATIONOFSCRIPT=要签名的脚本的路径
LOCATIONOFCERT=用户证书的路径
TSASERVER=一个外部时间戳授权机构,允许在用于签名的证书过期后继续信任脚本
因此,如下所示,假设证书正确地位于您的个人存储中:
$cert=(dir cert:currentusermy -CodeSigningCert)
$script = 'C:UsersmyuserDesktopTestFilePS.txt'
# Alternative timestamp sources:
#http://timestamp.comodoca.com/authenticode
#http://timestamp.globalsign.com/scripts/timestamp.dll
#http://tsa.starfieldtech.com
#
Try {
Set-AuthenticodeSignature -FilePath $($script) -Certificate $cert -TimestampServer http://timestamp.digicert.com -Verbose -ErrorAction Stop
}
Catch {
$_
}