如何在 powershell 中使用不可导出的证书对文件进行签名?
How to sign file with non-exportable certificate in powershell?
我尝试在 PowerShell 中使用此代码:
$path = 'cert:\currentuser\my\' + 'Thumbprint_My_Certificate'
$cert=Get-ChildItem -Path $path
$choicec=$cert | Where-Object HasPrivateKey -eq 'true' | Where-Object { $_.Subject -eq "CN=CN_Name_My_Certificate" }
Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $choicec*
在那种情况下我有这个错误:
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:94
+ ... ath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $choicec
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti
codeSignatureCommand*
当我将最后一个命令更改为
Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $cert
我有这个错误:
Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At line:1 char:1
+ Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\Test ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
$cert 的输出 | fl * 如下:
PSPath : Microsoft.PowerShell.Security\Certificate::currentuser\my\XXXThumbprint_My_CertificateXXX
PSParentPath : Microsoft.PowerShell.Security\Certificate::currentuser\my
PSChildName : XXXThumbprint_My_CertificateXXX
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}
DnsNameList : {MyComputerName, MyDomain}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 09.05.2023 23:13:07
NotBefore : 09.05.2021 23:13:07
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 6, 249...}
SerialNumber : XXXSerial_Number_My_CertificateXX
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : XXXThumbprint_My_CertificateXXX
Version : 3
Handle : 2049462886560
Issuer : CN=CN_Name_My_Certificate, O=CompanyName
Subject : CN=CN_Name_My_Certificate, OU=OU_Name, O=CompanyName, L=L_Name
我做错了什么?
假设您已请求证书并且已将其正确添加到域组策略“受信任的发布者”部分,则签名过程本身相当简单。 PowerShell 命令遵循以下语法 –
Set-AuthenticodeSignature -FilePath LOCATIONOFSCRIPT -Certificate LOCATIONOFCERT –TimestampServer TSASERVER
哪里-
LOCATIONOFSCRIPT = 待签名脚本的路径
LOCATIONOFCERT = 您的用户证书的路径
TSASERVER = 一个外部时间戳机构,允许脚本在用于签名的证书过期后继续受信任
因此,如下所示,假设证书正确位于您的个人存储中:
$cert=(dir cert:currentuser\my\ -CodeSigningCert)
$script = 'C:\Users\myuser\Desktop\TestFilePS.txt'
# Alternative timestamp sources:
#http://timestamp.comodoca.com/authenticode
#http://timestamp.globalsign.com/scripts/timestamp.dll
#http://tsa.starfieldtech.com
#
Try {
Set-AuthenticodeSignature -FilePath $($script) -Certificate $cert -TimestampServer http://timestamp.digicert.com -Verbose -ErrorAction Stop
}
Catch {
$_
}
我尝试在 PowerShell 中使用此代码:
$path = 'cert:\currentuser\my\' + 'Thumbprint_My_Certificate'
$cert=Get-ChildItem -Path $path
$choicec=$cert | Where-Object HasPrivateKey -eq 'true' | Where-Object { $_.Subject -eq "CN=CN_Name_My_Certificate" }
Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $choicec*
在那种情况下我有这个错误:
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
At line:1 char:94
+ ... ath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $choicec
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti
codeSignatureCommand*
当我将最后一个命令更改为
Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\TestFilePS.txt -Certificate $cert
我有这个错误:
Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At line:1 char:1
+ Set-AuthenticodeSignature -FilePath C:\Users\myuser\Desktop\Test ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
$cert 的输出 | fl * 如下:
PSPath : Microsoft.PowerShell.Security\Certificate::currentuser\my\XXXThumbprint_My_CertificateXXX
PSParentPath : Microsoft.PowerShell.Security\Certificate::currentuser\my
PSChildName : XXXThumbprint_My_CertificateXXX
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}
DnsNameList : {MyComputerName, MyDomain}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 09.05.2023 23:13:07
NotBefore : 09.05.2021 23:13:07
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 6, 249...}
SerialNumber : XXXSerial_Number_My_CertificateXX
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : XXXThumbprint_My_CertificateXXX
Version : 3
Handle : 2049462886560
Issuer : CN=CN_Name_My_Certificate, O=CompanyName
Subject : CN=CN_Name_My_Certificate, OU=OU_Name, O=CompanyName, L=L_Name
我做错了什么?
假设您已请求证书并且已将其正确添加到域组策略“受信任的发布者”部分,则签名过程本身相当简单。 PowerShell 命令遵循以下语法 –
Set-AuthenticodeSignature -FilePath LOCATIONOFSCRIPT -Certificate LOCATIONOFCERT –TimestampServer TSASERVER
哪里-
LOCATIONOFSCRIPT = 待签名脚本的路径
LOCATIONOFCERT = 您的用户证书的路径
TSASERVER = 一个外部时间戳机构,允许脚本在用于签名的证书过期后继续受信任
因此,如下所示,假设证书正确位于您的个人存储中:
$cert=(dir cert:currentuser\my\ -CodeSigningCert)
$script = 'C:\Users\myuser\Desktop\TestFilePS.txt'
# Alternative timestamp sources:
#http://timestamp.comodoca.com/authenticode
#http://timestamp.globalsign.com/scripts/timestamp.dll
#http://tsa.starfieldtech.com
#
Try {
Set-AuthenticodeSignature -FilePath $($script) -Certificate $cert -TimestampServer http://timestamp.digicert.com -Verbose -ErrorAction Stop
}
Catch {
$_
}