PowerShell: Why can’t I sign scripts

This was an entertaining problem and I have to share. First off, most people just disable script signing in PowerShell. It’s just the way of the world. Since I’m the one “in charge” for this project, I decided that I don’t want to disable script signing. The first question I had for our AD folks was whether or not we were running a CA and if I could get permission for a code-signing certificate. After a few back and forths it was determined that we do not have a CA (at least not one in the domain), so I decided I’d just sign the scripts locally. There are many resources out there for doing this, so I won’t reiterate them here. Suffice it to say, you need to install the .NET Framework SDK and run makecert, first to create a CA on your machine and then to issue yourself a certificate.

So I’d gotten to that point: I had a certificate, I had a script, I was ready to go. I ran:

Set-AuthenticodeSignature test.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

…and received an unknown error. I poked around and found that a lot of people had this problem. It turns out that when you save a script file using the new PowerShell 2.0 ISE, it saves it encoded as UCS-2 Big Endian. The code-signing engine only recognizes UTF-8. To get around this, you must open your script file in Notepad and re-save it so that it’s encoded in UTF-8. (Or in my case, I opened it in Notepad++ and changed the encoding.) Good job, Microsoft.
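As an added example that is not part of the original post, the following PowerShell automates the workaround above: it inspects the script’s byte-order mark, re-saves UTF-16 files as UTF-8, signs the file, and then verifies with Get-AuthenticodeSignature that the signature status is what PowerShell will actually trust. It assumes a code-signing certificate is already installed in cert:\CurrentUser\My (for example the one issued with makecert); the function names Get-ScriptEncoding, Convert-ScriptToUtf8 and Invoke-ScriptSigning are this example’s own, not built-in cmdlets.

```powershell
# Added example, not from the original post. Assumes a code-signing certificate
# already exists in Cert:\CurrentUser\My. Written to run on PowerShell 2.0+
# (no [Parameter(Mandatory)] shorthand, no ::new()).

function Get-ScriptEncoding {
    # Classify a file by its byte-order mark. Files saved by the 2.0 ISE as
    # "UCS-2 Big Endian" start with FE FF.
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'UTF-16BE' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'UTF-16LE' }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'UTF-8-BOM' }
    return 'ASCII/UTF-8 (no BOM)'
}

function Convert-ScriptToUtf8 {
    # Rewrite a UTF-16 (either byte order) script as UTF-8 with BOM, which is
    # the encoding Notepad produces when you choose "UTF-8" in Save As.
    param([Parameter(Mandatory=$true)][string]$Path)
    $enc = Get-ScriptEncoding -Path $Path
    if ($enc -notlike 'UTF-16*') {
        Write-Host "$Path is already $enc; nothing to do"
        return
    }
    $decoder = if ($enc -eq 'UTF-16BE') { [System.Text.Encoding]::BigEndianUnicode }
               else                     { [System.Text.Encoding]::Unicode }
    $text = $decoder.GetString([System.IO.File]::ReadAllBytes($Path))
    # GetString keeps the BOM as U+FEFF at the start of the string; drop it so
    # it is not written out twice.
    $text = $text.TrimStart([char]0xFEFF)
    $utf8 = New-Object System.Text.UTF8Encoding $true   # $true = emit BOM
    [System.IO.File]::WriteAllText($Path, $text, $utf8)
    Write-Host "Re-saved $Path as UTF-8 (was $enc)"
}

function Invoke-ScriptSigning {
    # Normalise the encoding, sign, and independently verify the result.
    param([Parameter(Mandatory=$true)][string]$Path)
    Convert-ScriptToUtf8 -Path $Path

    $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
    # Status is 'Valid' only when the file is signed AND the signing chain is
    # trusted on this machine. 'UnknownError' is the symptom described above;
    # 'NotTrusted' means the cert chain (e.g. your local CA) is not in the
    # Trusted Root store yet.
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }

    # Re-read the signature from disk, as the execution policy check would.
    Get-AuthenticodeSignature -FilePath $Path |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Usage:
#   Invoke-ScriptSigning -Path .\test.ps1
```

Running Get-ScriptEncoding on its own is a quick way to confirm whether a script that refuses to sign was produced by the ISE, and checking `Status` after signing catches the case where the file signed but the chain is not trusted, which is the other common reason a freshly signed script still will not run under the AllSigned policy.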
