Digitally Signing Vbscript with timestamp

  • Question

  • strComputer = "."
    ' The WMI connection below is set up but never used by the signing loop.
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set objSigner = CreateObject("Scripting.Signer")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' VBScript strings have no escape sequences, so the path uses single backslashes.
    Set objFolder = objFSO.GetFolder("F:\Code\signedscripts")
    Set colListOfFiles = objFolder.Files
    Cert = "Example"
    Store = "ROOT"
    For Each objFile In colListOfFiles
        ' SignFile takes a file name; pass the File object's Path explicitly.
        objSigner.SignFile objFile.Path, Cert, Store
    Next

    I am using the above script to digitally sign VBScripts and now I need to timestamp the signed scripts. How do I use a timestamp in this script?

    • Moved by Bill_Stewart Sunday, December 29, 2013 2:00 PM Abandoned
    Thursday, August 8, 2013 5:26 AM

All replies

  • What is it that you are calling a timestamp?  The Last Modified time will be set automatically on the file.

    Once you have signed a file it cannot be modified or the signature will become invalid and the file will cease to work.  That is the purpose of signing.  It is to prevent changes.


    ¯\_(ツ)_/¯

    Thursday, August 8, 2013 10:31 AM
  • I am looking to add the time of signing from a timestamp server (example: http://timestamp.verisign.com/scripts/timstamp.dll) when I sign the script files. Is it possible to add a time certificate for scripts?
    Thursday, August 8, 2013 11:58 AM
  • The PowerShell Set-AuthenticodeSignature cmdlet does support using a timestamp server, and the help file says it supports signing "any file that supports Subject Interface Package (SIP)."

    I haven't tried signing VBScripts with the cmdlet, but it might be worth a shot.


    • Edited by David Wyatt Thursday, August 8, 2013 1:30 PM
    Thursday, August 8, 2013 12:07 PM
  • Seems to work.  I tried it this way:

    # Note - sign is a function in my profile to call
    # Set-AuthenticodeSignature with a certain code-signing
    # certificate on my machine, with timestamping from
    # Comodo.  Code listed below.
    
    sign 'c:\source\test\TestScript.vbs'
    
    # Output signature details to show that it was timestamped.
    Get-AuthenticodeSignature 'c:\source\test\TestScript.vbs' | Format-List * -Force
    
    # Verify that the Scripting.Signer object sees the signature as valid.
    $signer = New-Object -ComObject 'Scripting.Signer'
    
    $signer.VerifyFile('c:\source\test\TestScript.vbs')
    # True
    
    
    # sign function from my profile (certificate details removed)
    
    function sign {
        [CmdletBinding()]
        param (
            [Parameter(Mandatory=$true,Position=0)]
            [String]
            $File
        )
    
        $CertThumbprint = '<Certificate Thumbprint>'
        $TimestampURL = 'http://timestamp.comodoca.com/authenticode'
    
        $cert = $(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertThumbprint } )
    
        if ($cert -eq $null) {
            throw "Code signing certificate was not found."
        }
    
        Set-AuthenticodeSignature -FilePath $File -Certificate $cert -TimestampServer $TimestampURL -IncludeChain All
    }
    

    Thursday, August 8, 2013 1:39 PM
  • Thank you for the solution. However I am seeing the below error when I try to sign a vbscript

    Code signing certificate was not found.
    At D:\CodeSigning\Signer.ps1:34 char:14
    +         throw <<<<  "Code signing certificate was not found."
        + CategoryInfo          : OperationStopped: (Code signing certificate was not found.:String) [], RuntimeException
        + FullyQualifiedErrorId : Code signing certificate was not found.


    I used a thumbprint available in the root store.

    $CertThumbprint = 'ABCDEFGHJIK55464748944040406353545445'
    $TimestampURL = 'http://timestamp.comodoca.com/authenticode'
    $cert = $(Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $CertThumbprint } )

    What could be wrong ?

    Friday, August 9, 2013 4:05 AM
  • Is the certificate a code signing certificate?

    EDIT: Never mind, that's coming from the code David posted. Try switching over to the cert provider and verify the path and thumbprint.


    Don't retire TechNet!



    Friday, August 9, 2013 4:07 AM
  • Yes. It is a code signing certificate. It works fine with signtool. The certificate path and thumbprint are fine.
    Friday, August 9, 2013 4:16 AM
  • If you run the following two lines, do you have a result in $cert?

    $CertThumbprint = 'ABCDEFGHJIK55464748944040406353545445'
    $cert = $(Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $CertThumbprint } )

    EDIT: Use your thumbprint, I'm assuming you changed it before posting.


    Don't retire TechNet!


    Friday, August 9, 2013 4:27 AM
  • Yes I do see results on console. FYI I have not made private key exportable when installing the pfx certificate. 
    • Edited by SagarMC Friday, August 9, 2013 4:44 AM
    Friday, August 9, 2013 4:42 AM
  • Hmm, that's odd then, since David's code should only hit that throw command if $cert is null.

    Don't retire TechNet!

    Friday, August 9, 2013 5:00 AM
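
The following is an added example, not code posted in this thread, that ties the pieces together: it does what the original VBScript loop does (sign every .vbs in a folder) using Set-AuthenticodeSignature with a timestamp server, and it front-loads the check that the thread got stuck on, namely that the certificate used for signing must be a code-signing certificate with a private key, which is normally found in Cert:\CurrentUser\My rather than the Root store. The folder path and the timestamp URL are taken from the posts above; the parameter names and the $Thumbprint filter are this example's own assumptions. After signing, it re-reads each signature and reports whether a timestamp countersignature is present.

```powershell
# Added example (not from the thread): sign every .vbs file in a folder with a
# timestamp and verify the result. Folder and timestamp URL come from the thread.
param (
    [string]$Folder = 'F:\Code\signedscripts',
    [string]$TimestampURL = 'http://timestamp.comodoca.com/authenticode',
    [string]$Thumbprint = ''   # optional: pin one certificate by thumbprint (assumed parameter)
)

# Code-signing certificates with a usable private key live in the personal
# store (Cert:\CurrentUser\My). -CodeSigningCert filters on the code-signing EKU.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if ($Thumbprint) {
    $candidates = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }
}
$cert = $candidates | Select-Object -First 1
if (-not $cert) {
    throw "No unexpired code-signing certificate with a private key was found in Cert:\CurrentUser\My."
}
Write-Host "Signing with $($cert.Subject) [$($cert.Thumbprint)]"

$results = foreach ($file in (Get-ChildItem -Path $Folder -Filter *.vbs |
                              Where-Object { -not $_.PSIsContainer })) {
    # -TimestampServer adds a countersignature so the signature remains
    # verifiable after the signing certificate itself expires.
    Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -TimestampServer $TimestampURL -IncludeChain All | Out-Null

    # Re-read the signature and confirm it is valid and actually timestamped.
    $check = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File        = $file.Name
        Status      = $check.Status
        Signer      = $check.SignerCertificate.Subject
        Timestamper = if ($check.TimeStamperCertificate) {
                          $check.TimeStamperCertificate.Subject
                      } else { '(none)' }
    }
}

$results | Format-Table -AutoSize

# Flag anything that did not end up both valid and timestamped.
$problems = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Timestamper -eq '(none)' }
if ($problems) {
    Write-Warning ("Not valid or not timestamped: " + (($problems | ForEach-Object { $_.File }) -join ', '))
}
```

If the candidate list is empty, the certificate was imported without its private key or into the wrong store; importing the .pfx into the personal store is what makes it usable for signing, and the private key does not need to be marked exportable for that. The Timestamper column is the quick way to tell whether the timestamp server was actually reached, since Set-AuthenticodeSignature still produces a valid but untimestamped signature when it is not.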