Scripts Signed in PS2 won't work in PS3: Executable script code found in signature block.

  • Question

  • Hi, I upgraded my PC's PowerShell to 3.0. Scripts signed with my 2.0 Scriptsigner script don't work anymore.

    I get this error about executable code in the signature: Executable script code found in signature block.

    This is the PS2 code I use to sign all my scripts:


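    Add-PSSnapin Quest* -ErrorAction SilentlyContinue
    # OpenFileDialog lives in the System.Windows.Forms assembly
    Add-Type -AssemblyName System.Windows.Forms

    # Sign multiple or a single PS1 script with local code signing certificate
    # (the type name is missing in the post; OpenFileDialog matches the properties used below)
    $fd = New-Object System.Windows.Forms.OpenFileDialog
    $fd.InitialDirectory = 'c:\'
    $fd.MultiSelect = $true
    $fd.Filter = "PowerShell files  (*.ps1)|*.ps1|All files (*.*)|*.*"
    $fd.ShowDialog() | Out-Null
    $cert = (dir cert:currentuser\my\ -CodeSigningCert)
    #$file = Read-Host "Enter file and path to script"
    $file = $fd.FileNames
    # The timestamp server URL is missing from the post; the value below is a placeholder
    foreach ($f in $file) {
        Set-AuthenticodeSignature $f $cert -TimestampServer '<timestamp-server-url>'
    }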


    Since our policy requires all scripts to be signed, this is an issue. I could of course lower security but I don't want to do this. Is there a way I can sign scripts so that they will work using PS3?

    Any help is appreciated!

    Edit: I fire this script in PowerGUI; I did not get the file dialog to work outside it. FYI.

    Another way I sign the scripts is with an event handler. If a script is dropped in a folder (with strict security) it is signed automatically.

    Unregister-Event -SourceIdentifier ScriptSigner -ErrorAction SilentlyContinue
    $folder = '\\Server\folder$\'
    $filter = '*.*'
    $destination = '\\server\folder$\Processed\'
    $log = '\\server\folder$\log\ScriptsignerLog.txt'
    $fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
        IncludeSubdirectories = $false
        NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
    }
    $onCreated = Register-ObjectEvent $fsw Created -SourceIdentifier ScriptSigner -Action {
        $path = $Event.SourceEventArgs.FullPath
        $name = $Event.SourceEventArgs.Name
        $changeType = $Event.SourceEventArgs.ChangeType
        $timeStamp = $Event.TimeGenerated
        $cert = (dir cert:currentuser\my\ -CodeSigningCert)
        # Write-Host sends nothing down the pipeline, so emit the string itself to reach the log
        "About to sign $path and move to processed folder" | Out-File -FilePath $log -Append
        # The timestamp server URL is missing from the post; the value below is a placeholder
        Set-AuthenticodeSignature $path $cert -TimestampServer '<timestamp-server-url>' | Out-File -FilePath $log -Append
        # -PassThru returns the moved item so that Out-File has something to record
        Move-Item $path -Destination $destination -Force -Verbose -PassThru | Out-File -FilePath $log -Append
    }

    • Edited by Kristof DM Wednesday, October 23, 2013 4:03 AM formatting of scriptblock 1
    Tuesday, October 22, 2013 7:47 AM


  • I started looking in the PS profile, and the enterprise PS profile uses an Invoke-Expression to load default scripts.
    I adapted the profile and the issues are gone...

    $lib_home = "\\server\PSFunctions$"
    Get-ChildItem "${lib_home}\*.ps1" | %{
        Write-Host loading $_
        # dot-source by full path so the script's functions load into the profile scope
        . $_.FullName
    }
    Write-Host "Company PowerShell Environment Loaded" -foreground yellow

    Any clue why Invoke-Expression was 'ok' in PS2 but not in PS3?

    • Marked as answer by Kristof DM Friday, October 25, 2013 6:11 AM
    Thursday, October 24, 2013 9:48 AM
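
As an added example (not part of the original posts), the following profile loader reports the Authenticode status of every script in the library share and dot-sources only those that validate, which shows which files fail and why after an upgrade such as the one described above. `$LibHome` reuses the share from the profile above, and `Get-ScriptSignatureReport` is a hypothetical helper name.

```powershell
# Added example, not code from the thread.
# Assumption: $LibHome is the script library share used by the profile in the post.
$LibHome = '\\server\PSFunctions$'

# Hypothetical helper: one record per script with its signature state.
function Get-ScriptSignatureReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path (Join-Path $Path '*.ps1') | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Path          = $_.FullName
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            StatusMessage = $sig.StatusMessage   # human-readable reason for a failure
            Signer        = $signer
            Timestamped   = ($sig.TimeStamperCertificate -ne $null)
        }
    }
}

$report = @(Get-ScriptSignatureReport -Path $LibHome)

# List every script whose signature does not validate, with the reason.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-List Path, Status, StatusMessage

# Dot-source only the scripts that validate. The loop stays at the top level of
# the profile so the loaded functions land in the profile's scope.
foreach ($entry in ($report | Where-Object { $_.Status -eq 'Valid' })) {
    Write-Host "loading $($entry.Path)"
    . $entry.Path
}

Write-Host "Company PowerShell Environment Loaded" -ForegroundColor Yellow
```

The execution policy remains the enforcement point when each file is dot-sourced; the report only makes the failing files and their `StatusMessage` visible beforehand.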
