After scripting around in Powershell with low restrictions (or for brief periods none) I decided to get my act together and start doing everything Set-ExecutionPolicy AllSigned. After walking through Hanselman’s old post, I was unable to even sign my profile.ps1.
A quick test revealed that: Get-ChildItem cert:\CurrentUser\My -codesign always returns null. I opened up certmgr and I can see all of the certificates, but I am uncertain why I can't sign anything local. Running this:
Set-AuthenticodeSignature "C:\users\[MY USER ACCOUNT]\Documents\WindowsPowerShell\profile.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Will always return:
Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null
I am on Windows 7 Ultimate in an administrator account, and I have executed everything in PS or CMD as an admin. I have been pretty much just kind of hacking my way around PowerShell for a while now, but I hope I am not missing something super simple here.
I think I have figured it out, actually. I am not sure if this best practice or not in this case, but I am tired of beating my head against my desk.
1.) So, I looked at this MS Support Article and I noticed that the SYSTEM user is supposed to have full control over the …\Crypto\RSA\MachineKeys dir and mine did not have SYSTEM listed at all. So, I changed the permissions there (this would also jive with SO Question #11887).
2.) Deleted the certs I created earlier and re-created them.
3.) Opened up certmgr, found the cert, went to props, and set the specific purpose.
Now Get-ChildItem cert:\CurrentUser\My -codesigning returns the thumbprint and I can sign scripts. I am not sure why my installation was like this or how unusual this is, but I have never touched the MachineKey directory there previously. But it seems to work now.
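The find-or-create, sign and verify sequence from the answer above, as an added example that is not part of the original post. It assumes the PKI module's New-SelfSignedCertificate, Export-Certificate and Import-Certificate cmdlets (Windows 8.1 / PowerShell 4 and later; on Windows 7 the cert comes from makecert as in Hanselman's post and only the lookup, guard, sign and verify steps apply), and the subject name and file paths are placeholders.

```powershell
# Added example, not from the original post. Assumes the PKI module cmdlets
# (New-SelfSignedCertificate, Export-Certificate, Import-Certificate).
$scriptPath = "$HOME\Documents\WindowsPowerShell\profile.ps1"   # placeholder path

# 1. Look for a usable code-signing cert. -CodeSigningCert filters on the
#    Code Signing EKU (1.3.6.1.5.5.7.3.3), which is the purpose step 3 above set;
#    a cert without that EKU, or without its private key, is silently skipped.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # Show why nothing matched before creating a new one (missing EKU or key).
    Get-ChildItem Cert:\CurrentUser\My |
        Select-Object Subject, Thumbprint, HasPrivateKey, EnhancedKeyUsageList |
        Format-Table -AutoSize
    # -Type CodeSigningCert sets the EKU so the filter above finds it next time.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Local PowerShell Code Signing' `
        -CertStoreLocation Cert:\CurrentUser\My
}

# Guard against the exact failure in the question: @(...)[0] on an empty result
# is $null, and Set-AuthenticodeSignature then cannot bind -Certificate.
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No code-signing certificate with a private key in Cert:\CurrentUser\My"
}

# 2. Sign the script (SHA256 rather than the SHA1 default).
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256

# 3. Verify. A self-signed signer yields 'UnknownError' (chain ends in an
#    untrusted root) until the cert is trusted for this user; AllSigned will
#    refuse the script in that state just as if it were unsigned.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -ne 'Valid') {
    $cer = Join-Path $env:TEMP 'codesign.cer'
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    # Trust the public half only (no private key leaves the My store).
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
    Remove-Item $cer
    $check = Get-AuthenticodeSignature -FilePath $scriptPath
}
"{0}  {1}  {2}" -f $check.Status, $check.SignerCertificate.Thumbprint, $scriptPath
```

Importing into CurrentUser\Root pops a confirmation dialog; any later edit to profile.ps1 changes its hash and the status drops to HashMismatch until the file is re-signed.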