Skip to content

3/7/2025 PM Publish #11878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 7, 2025
Merged

3/7/2025 PM Publish #11878

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 30 additions & 29 deletions reference/5.1/Microsoft.PowerShell.Security/Set-AuthenticodeSignature.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,7 @@ title: Set-AuthenticodeSignature
# Set-AuthenticodeSignature

## SYNOPSIS
Adds an [Authenticode](/windows-hardware/drivers/install/authenticode) signature to a PowerShell
script or other file.
Adds an Authenticode signature to a PowerShell script or other file.

## SYNTAX

Expand All @@ -36,8 +35,8 @@ Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-IncludeChain <Stri

```
Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-IncludeChain <String>]
[-TimestampServer <String>] [-HashAlgorithm <String>] [-Force] -SourcePathOrExtension <String[]>
-Content <Byte[]> [-WhatIf] [-Confirm] [<CommonParameters>]
[-TimestampServer <String>] [-HashAlgorithm <String>] [-Force] -SourcePathOrExtension
<String[]> -Content <Byte[]> [-WhatIf] [-Confirm] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -83,7 +82,7 @@ The third command signs the script by splatting the parameters defined in `$sign
> [!NOTE]
> Using the **CodeSigningCert** parameter with `Get-ChildItem` only returns certificates that have
> code-signing authority and contain a private key. If there is no private key, the certificates
> cannot be used for signing.
> can't be used for signing.

### Example 2 - Sign a script using a certificate from a PFX file

Expand Down Expand Up @@ -115,7 +114,7 @@ If the certificate file is password protected, PowerShell prompts you for the pa

### Example 3 - Add a signature that includes the root authority

This command adds a digital signature that includes the root authority in the trust chain, and it is
This command adds a digital signature that includes the root authority in the trust chain, and it's
signed by a third-party timestamp server.

```powershell
Expand All @@ -129,13 +128,11 @@ $signingParameters = @{
Set-AuthenticodeSignature @signingParameters
```

The first command defines the `$signingParameters` variable as a **HashTable** with the parameters
for the `Set-AuthenticodeSignature` cmdlet to sign the script. It uses the **FilePath** parameter to
specify the path to the script, the **Certificate** parameter to specify that the certificate is
stored in the `$cert` variable, and the **HashAlgorithm** parameter to set the hashing algorithm to
SHA256. It uses the **IncludeChain** parameter to include all of the signatures in the trust chain,
including the root authority. It also uses the **TimeStampServer** parameter to add a timestamp to
the signature. This prevents the script from failing when the certificate expires.
The command uses the **FilePath** parameter to specify the script being signed and the
**Certificate** parameter to specify the certificate that's saved in the `$cert` variable. It uses
the **IncludeChain** parameter to include all of the signatures in the trust chain, including the
root authority. It also uses the **TimeStampServer** parameter to add a timestamp to the signature.
This prevents the script from failing when the certificate expires.

The second command signs the script by splatting the parameters defined in `$signingParameters`.

Expand All @@ -147,8 +144,8 @@ Specifies the certificate that will be used to sign the script or file. Enter a
an object representing the certificate or an expression that gets the certificate.

To find a certificate, use `Get-PfxCertificate` or use the `Get-ChildItem` cmdlet in the Certificate
`Cert:` drive. If the certificate is not valid or does not have `code-signing` authority, the
command fails.
`Cert:` drive. If the certificate isn't valid or doesn't have `code-signing` authority, the command
fails.

```yaml
Type: System.Security.Cryptography.X509Certificates.X509Certificate2
Expand All @@ -164,8 +161,8 @@ Accept wildcard characters: False

### -Content

This parameter appears in the syntax listing because it is defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter is not implemented
This parameter appears in the syntax listing because it's defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter isn't implemented
in `Set-AuthenticodeSignature`.

```yaml
Expand All @@ -182,7 +179,7 @@ Accept wildcard characters: False

### -FilePath

Specifies the path to a file that is being signed.
Specifies the path to a file that's being signed.

```yaml
Type: System.String[]
Expand All @@ -199,7 +196,7 @@ Accept wildcard characters: False
### -Force

Allows the cmdlet to append a signature to a read-only file. Even using the **Force** parameter, the
cmdlet cannot override security restrictions.
cmdlet can't override security restrictions.

```yaml
Type: System.Management.Automation.SwitchParameter
Expand All @@ -221,7 +218,8 @@ The default is SHA1. Files that are signed with a different hashing algorithm mi
recognized on other systems. Which algorithms are supported depends on the version of the operating
system.

For a list of possible values, see [HashAlgorithmName Struct](/dotnet/api/system.security.cryptography.hashalgorithmname?view=netframework-4.7.2#properties).
For a list of possible values, see
[HashAlgorithmName](xref:System.Security.Cryptography.HashAlgorithmName#properties) struct.

```yaml
Type: System.String
Expand All @@ -242,9 +240,10 @@ Determines which certificates in the certificate trust chain are included in the

Valid values are:

- Signer: Includes only the signer's certificate.
- NotRoot: Includes all of the certificates in the certificate chain, except for the root authority.
- All: Includes all the certificates in the certificate chain.
- `Signer`: Includes only the signer's certificate.
- `NotRoot`: Includes all of the certificates in the certificate chain, except for the root
authority.
- `All`: Includes all the certificates in the certificate chain.

```yaml
Type: System.String
Expand All @@ -260,8 +259,8 @@ Accept wildcard characters: False

### -LiteralPath

Specifies the path to a file that is being signed. Unlike **FilePath**, the value of the
**LiteralPath** parameter is used exactly as it is typed. No characters are interpreted as
Specifies the path to a file that's being signed. Unlike **FilePath**, the value of the
**LiteralPath** parameter is used exactly as it's typed. No characters are interpreted as
wildcards. If the path includes escape characters, enclose it in single quotation marks. Single
quotation marks tell PowerShell not to interpret any characters as escape sequences.

Expand All @@ -279,8 +278,8 @@ Accept wildcard characters: False

### -SourcePathOrExtension

This parameter appears in the syntax listing because it is defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter is not implemented
This parameter appears in the syntax listing because it's defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter isn't implemented
in `Set-AuthenticodeSignature`.

```yaml
Expand All @@ -298,7 +297,7 @@ Accept wildcard characters: False
### -TimestampServer

Uses the specified time stamp server to add a time stamp to the signature. Type the URL of the time
stamp server as a string.
stamp server as a string. The URL must start with `http://`.

The time stamp represents the exact time that the certificate was added to the file. A time stamp
prevents the script from failing if the certificate expires because users and programs can verify
Expand Down Expand Up @@ -334,7 +333,7 @@ Accept wildcard characters: False

### -WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.
Shows what would happen if the cmdlet runs. The cmdlet isn't run.

```yaml
Type: System.Management.Automation.SwitchParameter
Expand Down Expand Up @@ -371,6 +370,8 @@ This cmdlet returns a **Signature** object representing the value it set.

## RELATED LINKS

[Authenticode](/windows-hardware/drivers/install/authenticode)

[Get-AuthenticodeSignature](Get-AuthenticodeSignature.md)

[Get-ExecutionPolicy](Get-ExecutionPolicy.md)
Expand Down
72 changes: 44 additions & 28 deletions reference/7.4/Microsoft.PowerShell.Security/Set-AuthenticodeSignature.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
external help file: Microsoft.PowerShell.Security.dll-Help.xml
Locale: en-US
Module Name: Microsoft.PowerShell.Security
ms.date: 12/12/2022
ms.date: 03/07/2025
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-authenticodesignature?view=powershell-7.4&WT.mc_id=ps-gethelp
schema: 2.0.0
title: Set-AuthenticodeSignature
Expand All @@ -11,8 +11,7 @@ title: Set-AuthenticodeSignature
# Set-AuthenticodeSignature

## SYNOPSIS
Adds an [Authenticode](/windows-hardware/drivers/install/authenticode) signature to a PowerShell
script or other file.
Adds an Authenticode signature to a PowerShell script or other file.

## SYNTAX

Expand All @@ -36,8 +35,8 @@ Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-IncludeChain <Stri

```
Set-AuthenticodeSignature [-Certificate] <X509Certificate2> [-IncludeChain <String>]
[-TimestampServer <String>] [-HashAlgorithm <String>] [-Force] -SourcePathOrExtension <String[]>
-Content <Byte[]> [-WhatIf] [-Confirm] [<CommonParameters>]
[-TimestampServer <String>] [-HashAlgorithm <String>] [-Force] -SourcePathOrExtension
<String[]> -Content <Byte[]> [-WhatIf] [-Confirm] [<CommonParameters>]
```

## DESCRIPTION
Expand All @@ -59,7 +58,7 @@ These commands retrieve a code-signing certificate from the PowerShell certifica
it to sign a PowerShell script.

```powershell
$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath PsTestInternet2.ps1 -Certificate $cert
```

Expand All @@ -76,7 +75,7 @@ parameter to specify that the certificate is stored in the `$cert` variable.
> [!NOTE]
> Using the **CodeSigningCert** parameter with `Get-ChildItem` only returns certificates that have
> code-signing authority and contain a private key. If there is no private key, the certificates
> cannot be used for signing.
> can't be used for signing.

### Example 2 - Sign a script using a certificate from a PFX file

Expand All @@ -88,7 +87,7 @@ $cert = Get-PfxCertificate -FilePath C:\Test\Mysign.pfx
Set-AuthenticodeSignature -FilePath ServerProps.ps1 -Certificate $cert
```

The first command uses the `Get-PfxCertificate` cmdlet to load the C:\Test\MySign.pfx certificate
The first command uses the `Get-PfxCertificate` cmdlet to load the `C:\Test\MySign.pfx` certificate
into the `$cert` variable.

The second command uses `Set-AuthenticodeSignature` to sign the script. The **FilePath** parameter
Expand All @@ -99,15 +98,22 @@ If the certificate file is password protected, PowerShell prompts you for the pa

### Example 3 - Add a signature that includes the root authority

This command adds a digital signature that includes the root authority in the trust chain, and it is
This command adds a digital signature that includes the root authority in the trust chain, and it's
signed by a third-party timestamp server.

```powershell
Set-AuthenticodeSignature -FilePath c:\scripts\Remodel.ps1 -Certificate $cert -IncludeChain All -TimestampServer "https://timestamp.fabrikam.com/scripts/timstamper.dll"
$signingParameters = @{
FilePath = 'C:\scripts\Remodel.ps1'
Certificate = $cert
HashAlgorithm = 'SHA256'
IncludeChain = 'All'
TimestampServer = 'http://timestamp.fabrikam.com/scripts/timstamper.dll'
}
Set-AuthenticodeSignature @signingParameters
```

The command uses the **FilePath** parameter to specify the script being signed and the
**Certificate** parameter to specify the certificate that is saved in the `$cert` variable. It uses
**Certificate** parameter to specify the certificate that's saved in the `$cert` variable. It uses
the **IncludeChain** parameter to include all of the signatures in the trust chain, including the
root authority. It also uses the **TimeStampServer** parameter to add a timestamp to the signature.
This prevents the script from failing when the certificate expires.
Expand All @@ -120,8 +126,8 @@ Specifies the certificate that will be used to sign the script or file. Enter a
an object representing the certificate or an expression that gets the certificate.

To find a certificate, use `Get-PfxCertificate` or use the `Get-ChildItem` cmdlet in the Certificate
`Cert:` drive. If the certificate is not valid or does not have `code-signing` authority, the
command fails.
`Cert:` drive. If the certificate isn't valid or doesn't have `code-signing` authority, the command
fails.

```yaml
Type: System.Security.Cryptography.X509Certificates.X509Certificate2
Expand All @@ -137,8 +143,8 @@ Accept wildcard characters: False

### -Content

This parameter appears in the syntax listing because it is defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter is not implemented
This parameter appears in the syntax listing because it's defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter isn't implemented
in `Set-AuthenticodeSignature`.

```yaml
Expand All @@ -155,7 +161,7 @@ Accept wildcard characters: False

### -FilePath

Specifies the path to a file that is being signed.
Specifies the path to a file that's being signed.

```yaml
Type: System.String[]
Expand All @@ -172,7 +178,7 @@ Accept wildcard characters: False
### -Force

Allows the cmdlet to append a signature to a read-only file. Even using the **Force** parameter, the
cmdlet cannot override security restrictions.
cmdlet can't override security restrictions.

```yaml
Type: System.Management.Automation.SwitchParameter
Expand All @@ -195,7 +201,8 @@ earlier versions, the default is SHA1. Files that are signed with a different ha
might not be recognized on other systems. Which algorithms are supported depends on the version of
the operating system.

For a list of possible values, see [HashAlgorithmName Struct](/dotnet/api/system.security.cryptography.hashalgorithmname?view=netframework-4.7.2#properties).
For a list of possible values, see
[HashAlgorithmName](xref:System.Security.Cryptography.HashAlgorithmName#properties) struct.

```yaml
Type: System.String
Expand All @@ -216,9 +223,10 @@ Determines which certificates in the certificate trust chain are included in the

Valid values are:

- Signer: Includes only the signer's certificate.
- NotRoot: Includes all of the certificates in the certificate chain, except for the root authority.
- All: Includes all the certificates in the certificate chain.
- `Signer`: Includes only the signer's certificate.
- `NotRoot`: Includes all of the certificates in the certificate chain, except for the root
authority.
- `All`: Includes all the certificates in the certificate chain.

```yaml
Type: System.String
Expand All @@ -234,15 +242,15 @@ Accept wildcard characters: False

### -LiteralPath

Specifies the path to a file that is being signed. Unlike **FilePath**, the value of the
**LiteralPath** parameter is used exactly as it is typed. No characters are interpreted as
Specifies the path to a file that's being signed. Unlike **FilePath**, the value of the
**LiteralPath** parameter is used exactly as it's typed. No characters are interpreted as
wildcards. If the path includes escape characters, enclose it in single quotation marks. Single
quotation marks tell PowerShell not to interpret any characters as escape sequences.

```yaml
Type: System.String[]
Parameter Sets: ByLiteralPath
Aliases: PSPath
Aliases: PSPath, LP

Required: True
Position: Named
Expand All @@ -253,8 +261,8 @@ Accept wildcard characters: False

### -SourcePathOrExtension

This parameter appears in the syntax listing because it is defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter is not implemented
This parameter appears in the syntax listing because it's defined in the base class that
`Set-AuthenticodeSignature` is derived from. However, support for this parameter isn't implemented
in `Set-AuthenticodeSignature`.

```yaml
Expand All @@ -272,12 +280,18 @@ Accept wildcard characters: False
### -TimestampServer

Uses the specified time stamp server to add a time stamp to the signature. Type the URL of the time
stamp server as a string. The URL must start with `https://` or `http://`.
stamp server as a string. The URL must start with `http://`.

The time stamp represents the exact time that the certificate was added to the file. A time stamp
prevents the script from failing if the certificate expires because users and programs can verify
that the certificate was valid at the time of signing.

> [!NOTE]
> PowerShell 7.3 added support for `https://` URLs with this parameter. However, the underlying API
> doesn't support HTTPS. If you use HTTPS, the command returns an error, but the file is signed
> without a time stamp. For more information, see
> [Issue #25130](https://github.com/PowerShell/PowerShell/issues/25130).

```yaml
Type: System.String
Parameter Sets: (All)
Expand Down Expand Up @@ -308,7 +322,7 @@ Accept wildcard characters: False

### -WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.
Shows what would happen if the cmdlet runs. The cmdlet isn't run.

```yaml
Type: System.Management.Automation.SwitchParameter
Expand Down Expand Up @@ -347,6 +361,8 @@ This cmdlet is only available on Windows platforms.

## RELATED LINKS

[Authenticode](/windows-hardware/drivers/install/authenticode)

[Get-AuthenticodeSignature](Get-AuthenticodeSignature.md)

[Get-ExecutionPolicy](Get-ExecutionPolicy.md)
Expand Down
Loading
Loading