Set-AuthenticodeSignature - PowerShell


Overview

The Set-AuthenticodeSignature command adds an Authenticode digital signature to a specified file, or updates the signature it already carries. The signature binds the file's contents to a signing certificate, which lets end-users verify the file's integrity and authenticity and detect unauthorized alterations made after signing.

Syntax

Set-AuthenticodeSignature -FilePath <string> [[-Certificate <string>] [-PrivateKey <Object>] [-TimestampServer <string>] [-HashAlgorithm <string>] [-DigestAlgorithm <string>] [-Format <string>] [-Silent] [-Force] [-Verbose]]

Options/Flags

  • -Certificate: Specifies the certificate used for signing. Default: The first certificate in the local computer certificate store that matches the subject name of the file.
  • -PrivateKey: Specifies the private key associated with the certificate.
  • -TimestampServer: Sets the timestamp server to use. Default: http://timestamp.digicert.com
  • -HashAlgorithm: Sets the hash algorithm to use for signing. Default: sha256
  • -DigestAlgorithm: Sets the digest algorithm to use for signing. Default: sha256
  • -Format: Sets the format for the signature. Default: PKCS7
  • -Silent: Suppresses console output.
  • -Force: Overwrites an existing signature without prompting.
  • -Verbose: Provides detailed progress information.

Examples

Example 1: Simple Signature

This command adds a simple Authenticode signature to the file MyFile.exe:

Set-AuthenticodeSignature -FilePath "MyFile.exe"

Example 2: Custom Certificate and Timestamp Server

This command signs the file Installer.msi using a custom certificate and timestamp server:

Set-AuthenticodeSignature -FilePath "Installer.msi" -Certificate "MyCert.pfx" -PrivateKey "MyKey.pvk" -TimestampServer "http://mytimestampserver.com"

Example 3: Advanced Options

This command signs the file Setup.exe using a specific hash and digest algorithm, in Enhanced format, and suppresses console output:

Set-AuthenticodeSignature -FilePath "Setup.exe" -HashAlgorithm "sha512" -DigestAlgorithm "sha384" -Format "Enhanced" -Silent

Common Issues

  • Couldn’t find an appropriate certificate: Ensure the certificate specified is valid and installed in the local computer certificate store.
  • Certificate doesn’t match the file’s subject: The certificate must be issued for the subject name of the file being signed.
  • Invalid timestamp response: Verify the timestamp server is reachable and accessible.

Integration

Set-AuthenticodeSignature can be combined with other commands for advanced tasks:

  • Use Get-AuthenticodeSignature to retrieve the existing signature information.
  • Pass the signed file to Invoke-WebRequest to verify the signature online.
  • Use New-SelfSignedCertificate to create a self-signed certificate for signing.
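Putting the cmdlets listed above together, as an added example that is not part of the original page: it creates a self-signed code-signing certificate with New-SelfSignedCertificate, signs a script with Set-AuthenticodeSignature, reads the result back with Get-AuthenticodeSignature, and then shows that modifying the file after signing is detected. The subject name and file paths are illustrative values chosen for this example; it assumes Windows with write access to the Cert:\CurrentUser\My store.

```powershell
# Added example (not from the original page): sign a script with a self-signed
# code-signing certificate, verify it, then show that a tampered copy fails.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, with rights to
# write to Cert:\CurrentUser\My. Subject name and paths are illustrative.

$ErrorActionPreference = 'Stop'

# 1. Create (or reuse) a self-signed code-signing certificate in the user store.
$subject = 'CN=Example Code Signing (test only)'
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
        -CertStoreLocation 'Cert:\CurrentUser\My'
}

# 2. Write a small script and sign it. -Certificate expects an X509Certificate2
#    object, so the store object from step 1 is passed directly.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello"'
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
# A self-signed cert that is not in Trusted Root / Trusted Publishers is reported
# as UnknownError with a "not trusted by the trust provider" message; the file is
# still signed, and the status would be Valid with a trusted certificate.
"Signing result: $($sig.Status) - $($sig.StatusMessage)"

# 3. Verify the signature and report which certificate signed the file.
$check = Get-AuthenticodeSignature -FilePath $script
"Verify: $($check.Status)"
"Signer: $($check.SignerCertificate.Subject)"
"Thumbprint: $($check.SignerCertificate.Thumbprint)"

# 4. Modify the signed file and verify again. The file's hash no longer matches
#    the hash protected by the signature, so the status becomes HashMismatch.
Add-Content -Path $script -Value '# appended after signing'
$after = Get-AuthenticodeSignature -FilePath $script
"After tampering: $($after.Status)"
```

Checking Status (and StatusMessage on failure) rather than merely confirming that a signature block exists is the check that matters: a file can carry a signature and still fail verification.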