
Set-AuthenticodeSignature

Adds an Authenticode signature to a PowerShell script or other file.

Syntax

ByPath (Default)

Set-AuthenticodeSignature
    [-Certificate] <X509Certificate2>
    [-FilePath] <String[]>
    [-IncludeChain <String>]
    [-TimestampServer <String>]
    [-HashAlgorithm <String>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByLiteralPath

Set-AuthenticodeSignature
    [-Certificate] <X509Certificate2>
    -LiteralPath <String[]>
    [-IncludeChain <String>]
    [-TimestampServer <String>]
    [-HashAlgorithm <String>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByContent

Set-AuthenticodeSignature
    [-Certificate] <X509Certificate2>
    -SourcePathOrExtension <String[]>
    -Content <Byte[]>
    [-IncludeChain <String>]
    [-TimestampServer <String>]
    [-HashAlgorithm <String>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Set-AuthenticodeSignature cmdlet adds an Authenticode signature to any file that supports Subject Interface Package (SIP).

In a PowerShell script file, the signature takes the form of a block of text that indicates the end of the instructions that are executed in the script. If there is a signature in the file when this cmdlet runs, that signature is removed.

Examples

Example 1 - Sign a script using a certificate from the local certificate store

These commands retrieve a code-signing certificate from the PowerShell Certificate provider and use it to sign a PowerShell script.

$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
$signingParameters = @{
    FilePath      = 'PsTestInternet2.ps1'
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
}
Set-AuthenticodeSignature @signingParameters

The first command uses the Get-ChildItem cmdlet and the PowerShell Certificate provider to get the certificates in the Cert:\CurrentUser\My subdirectory of the certificate store. The Cert: drive is the drive exposed by the Certificate provider. The CodeSigningCert parameter, which is supported only by the Certificate provider, limits the certificates retrieved to those with code-signing authority. The command stores the result in the $cert variable.

The second command defines the $signingParameters variable as a HashTable with the parameters for the Set-AuthenticodeSignature cmdlet to sign the PSTestInternet2.ps1 script. It uses the FilePath parameter to specify the name of the script, the Certificate parameter to specify that the certificate is stored in the $cert variable, and the HashAlgorithm parameter to set the hashing algorithm to SHA256.

The third command signs the script by splatting the parameters defined in $signingParameters.

Note

Using the CodeSigningCert parameter with Get-ChildItem only returns certificates that have code-signing authority and contain a private key. If there is no private key, the certificates can't be used for signing.

Example 2 - Sign a script using a certificate from a PFX file

These commands use the Get-PfxCertificate cmdlet to load a code-signing certificate from a PFX file and then use it to sign a PowerShell script.

$cert = Get-PfxCertificate -FilePath C:\Test\Mysign.pfx
$signingParameters = @{
    FilePath      = 'ServerProps.ps1'
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
}
Set-AuthenticodeSignature @signingParameters

The first command uses the Get-PfxCertificate cmdlet to load the C:\Test\MySign.pfx certificate into the $cert variable.

The second command defines the $signingParameters variable as a HashTable with the parameters for the Set-AuthenticodeSignature cmdlet to sign the ServerProps.ps1 script. It uses the FilePath parameter to specify the name of the script, the Certificate parameter to specify that the certificate is stored in the $cert variable, and the HashAlgorithm parameter to set the hashing algorithm to SHA256.

The third command signs the script by splatting the parameters defined in $signingParameters.

If the certificate file is password protected, PowerShell prompts you for the password.

Example 3 - Add a signature that includes the root authority

This command adds a digital signature that includes the root authority in the trust chain, and it's signed by a third-party timestamp server.

$signingParameters = @{
    FilePath      = 'C:\scripts\Remodel.ps1'
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
    IncludeChain  = 'All'
    TimestampServer = 'http://timestamp.fabrikam.com/scripts/timstamper.dll'
}
Set-AuthenticodeSignature @signingParameters

The command uses the FilePath parameter to specify the script being signed and the Certificate parameter to specify the certificate that's saved in the $cert variable. It uses the IncludeChain parameter to include all of the certificates in the trust chain, including the root authority, in the signature. It also uses the TimestampServer parameter to add a timestamp to the signature. This prevents the script from failing when the certificate expires.

The second command signs the script by splatting the parameters defined in $signingParameters.
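The following is an added example, not code from the original page, that ties the three examples together from a verification standpoint: it creates a throwaway self-signed code-signing certificate with New-SelfSignedCertificate (a PKI module cmdlet available on Windows 10 / Windows Server 2016 and later), signs a constructed script, shows the signature block the Description mentions at the end of the file, re-signs to confirm that the existing signature is replaced rather than appended, verifies the file with Get-AuthenticodeSignature, and finally edits the signed content to show that the stored hash no longer matches. The script path, certificate subject and script contents are constructed for the example. Because the certificate is self-signed and not in the Trusted Root or Trusted Publishers stores, the status reported by both cmdlets is UnknownError (untrusted root) rather than Valid; the signer thumbprint check and the HashMismatch after tampering are the parts that matter here. TimestampServer is omitted so the example runs offline.

```powershell
# Added example (not part of the original page). Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows with the PKI module (New-SelfSignedCertificate).

# 1. Create a test-only code-signing certificate in the current user's store.
#    The subject name is constructed for this example.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Script Signing (test only)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Write a constructed script to sign.
$scriptPath = Join-Path $env:TEMP 'SignDemo.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# 3. Sign it. SHA256 is specified explicitly because the cmdlet defaults to SHA1.
#    Set-AuthenticodeSignature returns a Signature object describing what it set.
$signingParameters = @{
    FilePath      = $scriptPath
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
    IncludeChain  = 'NotRoot'
}
$result = Set-AuthenticodeSignature @signingParameters
"Signing status: $($result.Status) ($($result.StatusMessage))"

# 4. The signature is a comment block appended to the script text.
Select-String -Path $scriptPath -Pattern '^# SIG # (Begin|End) signature block' |
    ForEach-Object { $_.Line }

# 5. Sign again: the previous signature is removed first, so exactly one block remains.
$null = Set-AuthenticodeSignature @signingParameters
$blocks = @(Select-String -Path $scriptPath -Pattern '^# SIG # Begin signature block').Count
"Signature blocks after re-signing: $blocks"   # 1

# 6. Verify as a consumer would and confirm the signer is the expected certificate.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
$signerMatches = $sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint
"Status: $($sig.Status); signer matches expected certificate: $signerMatches"

# 7. Change the signed content (before the signature block) and re-verify.
$text = Get-Content -Path $scriptPath -Raw
$text -replace 'hello from a signed script', 'tampered content' |
    Set-Content -Path $scriptPath -NoNewline
$tampered = Get-AuthenticodeSignature -FilePath $scriptPath
"After edit: $($tampered.Status)"   # HashMismatch

# 8. Clean up the test certificate and script.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $scriptPath
```

Step 7 edits the script body rather than appending after the `# SIG # End signature block` line, because the PowerShell SIP hashes the content that precedes the block; that is also why a valid signature on a script says nothing about lines that a later editor pastes above it without re-signing.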

Parameters

-Certificate

Specifies the certificate that will be used to sign the script or file. Enter a variable that stores an object representing the certificate or an expression that gets the certificate.

To find a certificate, use Get-PfxCertificate or use the Get-ChildItem cmdlet in the Certificate Cert: drive. If the certificate isn't valid or doesn't have code-signing authority, the command fails.

Parameter properties

Type: X509Certificate2
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: 1
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: cf

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Content

This parameter appears in the syntax listing because it's defined in the base class that Set-AuthenticodeSignature is derived from. However, support for this parameter isn't implemented in Set-AuthenticodeSignature.

Parameter properties

Type: Byte[]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

ByContent
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False

-FilePath

Specifies the path to a file that's being signed.

Parameter properties

Type: String[]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

ByPath
Position: 1
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: True
Value from remaining arguments: False

-Force

Allows the cmdlet to append a signature to a read-only file. Even using the Force parameter, the cmdlet can't override security restrictions.

Parameter properties

Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-HashAlgorithm

Specifies the hashing algorithm that Windows uses to compute the digital signature for the file.

The default is SHA1. Files that are signed with a different hashing algorithm might not be recognized on other systems. Which algorithms are supported depends on the version of the operating system.

For a list of possible values, see HashAlgorithmName struct.

Parameter properties

Type: String
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-IncludeChain

Determines which certificates in the certificate trust chain are included in the digital signature. NotRoot is the default.

Valid values are:

  • Signer: Includes only the signer's certificate.
  • NotRoot: Includes all of the certificates in the certificate chain, except for the root authority.
  • All: Includes all the certificates in the certificate chain.

Parameter properties

Type: String
Default value: NotRoot
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-LiteralPath

Specifies the path to a file that's being signed. Unlike FilePath, the value of the LiteralPath parameter is used exactly as it's typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell PowerShell not to interpret any characters as escape sequences.

Parameter properties

Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Aliases: PSPath

Parameter sets

ByLiteralPath
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False

-SourcePathOrExtension

This parameter appears in the syntax listing because it's defined in the base class that Set-AuthenticodeSignature is derived from. However, support for this parameter isn't implemented in Set-AuthenticodeSignature.

Parameter properties

Type: String[]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

ByContent
Position: Named
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: True
Value from remaining arguments: False

-TimestampServer

Uses the specified time stamp server to add a time stamp to the signature. Type the URL of the time stamp server as a string. The URL must start with http://.

The time stamp represents the exact time that the certificate was added to the file. A time stamp prevents the script from failing if the certificate expires because users and programs can verify that the certificate was valid at the time of signing.

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet isn't run.

Parameter properties

Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: wi

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

String

You can pipe a string that contains the file path to this cmdlet.

Outputs

Signature

This cmdlet returns a Signature object representing the value it set.