Digitally Signing VBScript with timestamp

  • Question

  • strComputer = "."
    ' WMI connection (not used by the signing loop below)
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set objSigner = CreateObject("Scripting.Signer")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFolder = objFSO.GetFolder("F:\Code\signedscripts")
    Set colListOfFiles = objFolder.Files
    Cert = "Example"    ' subject name of the signing certificate
    Store = "ROOT"      ' certificate store in which to look for it
    ' SignFile expects a file name, so pass the path of each file object
    For Each objFile In colListOfFiles
        objSigner.SignFile objFile.Path, Cert, Store
    Next

    I am using the above script to digitally sign VBScripts and now I need to timestamp the signed scripts. How do I use a timestamp in this script?

    • Moved by Bill_Stewart Sunday, December 29, 2013 2:00 PM Abandoned
    Thursday, August 8, 2013 5:26 AM

All replies

  • What is it that you are calling a timestamp?  The Last Modified time will be set automatically on the file.

    Once you have signed a file it cannot be modified or the signature will become invalid and the file will cease to work.  That is the purpose of signing.  It is to prevent changes.


    Thursday, August 8, 2013 10:31 AM
  • I am looking to add the time of signing from a time stamp server (example: when I sign the script files. Is it possible to add a time certificate for scripts?
    Thursday, August 8, 2013 11:58 AM
  • The PowerShell Set-AuthenticodeSignature cmdlet does support using a timestamp server, and the help file says it supports signing "any file that supports Subject Interface Package (SIP)."

    I haven't tried signing VBScripts with the cmdlet, but it might be worth a shot.

    • Edited by David Wyatt Thursday, August 8, 2013 1:30 PM
    Thursday, August 8, 2013 12:07 PM
  • Seems to work.  I tried it this way:

    # Note - sign is a function in my profile to call
    # Set-AuthenticodeSignature with a certain code-signing
    # certificate on my machine, with timestamping from
    # Comodo.  Code listed below.
    sign 'c:\source\test\TestScript.vbs'
    # Output signature details to show that it was timestamped.
    Get-AuthenticodeSignature 'c:\source\test\TestScript.vbs' | Format-List * -Force
    # Verify that the Scripting.Signer object sees the signature as valid.
    $signer = New-Object -ComObject 'Scripting.Signer'
    $signer.VerifyFile('c:\source\test\TestScript.vbs', $false)
    # True

    # sign function from my profile (certificate details removed)
    function sign {
        param (
            [Parameter(Mandatory = $true)]
            [string] $File
        )
        $CertThumbprint = '<Certificate Thumbprint>'
        $TimestampURL = ''   # timestamp server URL removed from the post
        $cert = $(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertThumbprint } )
        if ($cert -eq $null) {
            throw "Code signing certificate was not found."
        }
        Set-AuthenticodeSignature -FilePath $File -Certificate $cert -TimestampServer $TimestampURL -IncludeChain All
    }

    Thursday, August 8, 2013 1:39 PM
  • Thank you for the solution. However, I am seeing the below error when I try to sign a VBScript:

    Code signing certificate was not found.
    At D:\CodeSigning\Signer.ps1:34 char:14
    +         throw <<<<  "Code signing certificate was not found."
        + CategoryInfo          : OperationStopped: (Code signing certificate was not found.:String) [], RuntimeException
        + FullyQualifiedErrorId : Code signing certificate was not found.


    I used a thumbprint available in the Root store.

    $CertThumbprint = 'ABCDEFGHJIK55464748944040406353545445'
    $TimestampURL = ''
    $cert = $(Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $CertThumbprint } )

    What could be wrong?

    Friday, August 9, 2013 4:05 AM
  • Is the certificate a code signing certificate?

    EDIT: Never mind, that's coming from the code David posted. Try switching over to the cert provider and verify the path and thumbprint.

    Don't retire TechNet!

    Friday, August 9, 2013 4:07 AM
  • Yes. It is a code signing certificate. It works fine with signtool. The certificate path and thumbprint are fine.
    Friday, August 9, 2013 4:16 AM
  • If you run the following two lines, do you have a result in $cert?

    $CertThumbprint = 'ABCDEFGHJIK55464748944040406353545445'
    $cert = $(Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $CertThumbprint } )

    EDIT: Use your thumbprint, I'm assuming you changed it before posting.

    Don't retire TechNet!

    Friday, August 9, 2013 4:27 AM
  • Yes, I do see results on the console. FYI, I have not made the private key exportable when installing the pfx certificate.
    • Edited by SagarMC Friday, August 9, 2013 4:44 AM
    Friday, August 9, 2013 4:42 AM
  • Hmm, that's odd then, since David's code should only hit that throw command if $cert is null.

    Don't retire TechNet!

    Friday, August 9, 2013 5:00 AM
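As an added example that is not from this thread, here is a PowerShell version of David's approach that also covers the two causes of the "certificate was not found" error discussed afterwards: it looks in Cert:\CurrentUser\My rather than Root and requires a private key, then confirms through Get-AuthenticodeSignature that a timestamper certificate is present. The function names, the thumbprint and the timestamp-server URL are assumptions or placeholders, not values from the thread.

```powershell
# Added example (not code from this thread): find a code-signing certificate
# that has a private key, sign a .vbs with a timestamp, and confirm the
# signature carries a timestamper certificate. Thumbprint and timestamp
# server URL are placeholders the caller supplies.
function Get-CodeSigningCertificate {
    param ([Parameter(Mandatory = $true)][string] $Thumbprint)
    # Search the personal store (My), not Root: Root holds trust anchors and a
    # certificate there normally has no private key, which signing needs.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No code-signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; import the .pfx, not only the .cer."
    }
    return $cert
}
function Invoke-TimestampedSigning {
    param (
        [Parameter(Mandatory = $true)][string] $File,
        [Parameter(Mandatory = $true)][string] $Thumbprint,
        # Placeholder: URL of an Authenticode timestamp server.
        [Parameter(Mandatory = $true)][string] $TimestampServer
    )
    $cert = Get-CodeSigningCertificate -Thumbprint $Thumbprint
    $result = Set-AuthenticodeSignature -FilePath $File -Certificate $cert `
        -TimestampServer $TimestampServer -IncludeChain All
    if ($result.Status -ne 'Valid') {
        throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
    }
    return $result
}
function Test-TimestampedSignature {
    param ([Parameter(Mandatory = $true)][string] $File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    # A timestamped signature stays verifiable after the signing certificate
    # expires; without TimeStamperCertificate it expires with the certificate.
    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}
# Usage (placeholders): Invoke-TimestampedSigning -File 'C:\scripts\TestScript.vbs' -Thumbprint '<THUMBPRINT>' -TimestampServer 'http://<timestamp-server>'
# Then: Test-TimestampedSignature -File 'C:\scripts\TestScript.vbs'
```

If Timestamped comes back False, the file was signed but the timestamp server was not reached, so the signature will stop validating once the signing certificate expires.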