This was an entertaining problem and I have to share. First off, most people just disable script signing in PowerShell. It’s just the way of the world. Since I’m the one “in charge” for this project, I decided that I don’t want to disable script signing. The first question I had for our AD folks was whether or not we were running a CA and if I could get permission for a code-signing certificate. After a few back and forths it was determined that we do not have a CA (at least not one in the domain), so I decided I’d just sign them locally. There are many resources out there for doing this, so I won’t reiterate here. Suffice to say, you need to install the .NET Framework SDK and run makecert to first create a CA on your machine and then to issue yourself a certificate.
So, I’d gotten to that point, I had a certificate, I had a script, I was ready to go. So I ran:
Set-AuthenticodeSignature test.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
…and received an unknown error. I poked around and found that a lot of people had this problem. It turns out that when you save a script file using the new PowerShell 2.0 ISE, it saves it encoded as UCS-2 Big Endian. The code-signing engine only recognizes UTF-8. In order to get around this, you must open your script file in Notepad and re-save it so that it’s encoded in UTF-8. (Or in my case, I opened it in Notepad++ and changed the encoding.) Good job, Microsoft.
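The re-save step can also be done from PowerShell itself. The following is an added example, not code from the original post: it checks the script's byte-order mark, rewrites a big-endian file as UTF-8, and only then signs it. The function names are hypothetical, and test.ps1 and the certificate lookup are taken from the command above.

```powershell
# Added example: Get-ScriptBomEncoding and Convert-ScriptToUtf8 are hypothetical helper names.
function Get-ScriptBomEncoding {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # Compare the leading bytes against the known byte-order marks (UTF-32 is not handled).
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { return 'UTF8' }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { return 'UTF16BE' }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { return 'UTF16LE' }
    return 'NoBom'
}

function Convert-ScriptToUtf8 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Only the big-endian case described in the post is rewritten; anything else is left untouched.
    if ((Get-ScriptBomEncoding -Path $full) -ne 'UTF16BE') { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # Decode everything after the 2-byte BOM, then write it back as UTF-8 with a BOM.
    $text  = [System.Text.Encoding]::BigEndianUnicode.GetString($bytes, 2, $bytes.Length - 2)
    $utf8  = New-Object System.Text.UTF8Encoding($true)
    [System.IO.File]::WriteAllText($full, $text, $utf8)
    return $true
}

$script = 'test.ps1'
"Encoding before: {0}" -f (Get-ScriptBomEncoding -Path $script)

# Re-encode BEFORE signing: changing the file's bytes afterwards would invalidate the signature.
if (Convert-ScriptToUtf8 -Path $script) {
    "Re-encoded {0} as UTF-8" -f $script
}

$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]
$sig  = Set-AuthenticodeSignature -FilePath $script -Certificate $cert

# Status is 'Valid' when signing succeeded and the certificate chain is trusted.
"{0}: {1}" -f $sig.Status, $sig.StatusMessage
```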