en-US/OpenAuthenticode.Module.dll-Help.xml
|
<?xml version="1.0" encoding="utf-8"?> <helpItems schema="maml" xmlns="http://msh"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Add-OpenAuthenticodeSignature</command:name> <command:verb>Add</command:verb> <command:noun>OpenAuthenticodeSignature</command:noun> <maml:description> <maml:para>Adds an authenticode signature to a file.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>This cmdlet can add a signature to a file that contains no signature or to an existing signature set without removing the old one. This signature can be validated using Get-OpenAuthenticodeSignature (./Get-OpenAuthenticodeSignature.md)or any of the Authenticode APIs, including the ones of a Windows host. Use Set-OpenAuthenticodeSignature (./Set-OpenAuthenticodeSignature.md)to replace the existing signature with the newly generated one instead of appending a signature.</maml:para> <maml:para>It is possible to sign a file using a certificate object with an associated key. The simplest way to get a certificate is to use the Get-PfxCertificate cmdlet (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-pfxcertificate?view=powershell-7.3)which works on both Windows and non-Windows hosts. It is also possible to get a code signing certificate through the `Cert:` provider alongside the `-CodeSigningCert` parameter on Windows. The certificate must have the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)` for it to be used with Authenticode. The certificate must also use the RSA or ECDSA key algorithm for it to be used, other algorithms are not implemented. While it should be signed by a trusted CA authority for it to be validated normally, it is not a requirement to sign the file.</maml:para> <maml:para>See about_AuthenticodeProviders (./about_AuthenticodeProviders.md)for more information about what providers are currently supported. When using a file path that has no extension, an explicit `-Provider` must be specified to indicate what Authenticode provider needs to be used to sign and embed the signature in the file specified.</maml:para> <maml:para>Adding a signature will edit the file provided, use `-WhatIf` to test whether a signature can be added without actually changing the file.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was added to the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Add-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was added to the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Add-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was added to the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Add-OpenAuthenticodeSignature</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was added to the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was added to the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para>Accepts a list of paths for the `-Path` parameter.</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para>No output is present if `-PassThru` is not specified.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>System.Security.Cryptography.Pkcs.SignedCms / OpenAuthenticode.AuthenticodeSignature</maml:name> </dev:type> <maml:description> <maml:para>If `-PassThru` is specified, this will output the Authenticode signature details that was added to the path specified. This object has the following extra properties added as part of the extended type data of `OpenAuthenticode.AuthenticodeSignature`:</maml:para> <maml:para>+ `Path`: The file path that this signature is for</maml:para> <maml:para>+ `Certificate`: The X.509 certificate that signed the file</maml:para> <maml:para>+ `HashAlgorithm`: The hash algorithm that was used in the Authenticode signature</maml:para> <maml:para>+ `TimeStampInfo`: Information about the counter signature timestamp including its certificate, timestamp date in UTC, and timestamp hashing algorithm</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>Nested signatures are stored as unsigned attributes on the file's existing Authenticode signature data. Using `-Debug` can expose sensitive messages depending on the key provider used, use this only for debugging purposes.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>Example 1: Signs a PowerShell ps1 script with SHA256 and SHA512</maml:title> <dev:code>PS C:\> $pass = Read-Host -AsSecureString -Prompt "Enter pfx password" PS C:\> $cert = Get-PfxCertificate -FilePath ~/code-signing.pfx -Password $pass PS C:\> Add-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert PS C:\> Add-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert -HashAlgorithm SHA512</dev:code> <dev:remarks> <maml:para>Signs the script `test.ps1` with the certificate specified. The initial signature will be for SHA256 but it will also contain a SHA512 signature as well.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 2: Signs a PowerShell ps1 script and a counter signature timestamp</maml:title> <dev:code>PS C:\> $pass = Read-Host -AsSecureString -Prompt "Enter pfx password" PS C:\> $cert = Get-PfxCertificate -FilePath ~/code-signing.pfx -Password $pass PS C:\> Add-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert -TimestampServer http://timestamp.digicert.com PS C:\> Add-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert -HashAlgorithm SHA512 -TimestampServer http://timestamp.digicert.com</dev:code> <dev:remarks> <maml:para>Like example 1 but also adds a counter signature with the Digicert timestamp server.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://www.github.com/jborean93/PowerShell-OpenAuthenticode/blob/main/docs/en-US/Add-OpenAuthenticodeSignature.md</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Authenticode Digital Signatures</maml:linkText> <maml:uri>https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Clear-OpenAuthenticodeSignature</command:name> <command:verb>Clear</command:verb> <command:noun>OpenAuthenticodeSignature</command:noun> <maml:description> <maml:para>Removes all Authenticode signatures from the path specified.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Clears the Authenticode signature from the path specified. This effectively removes the signature contents from the file specified making it unsigned.</maml:para> <maml:para>No action is performed if the file has no Authenticode signature present.</maml:para> <maml:para>See about_AuthenticodeProviders (./about_AuthenticodeProviders.md)for more information about what providers are currently supported. When using a file path that has no extension, an explicit `-Provider` must be specified to indicate what Authenticode provider needs to be used to retrieve and validate the signature.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Clear-OpenAuthenticodeSignature</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to clear the Authenticode signature on. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Clear-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to clear the Authenticode signature on. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to clear the Authenticode signature on. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to clear the Authenticode signature on. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para>Accepts a list of paths for the `-Path` parameter.</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para>None</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>--- Example 1: Remove the Authenticode signature for a file ---</maml:title> <dev:code>PS C:\> Clear-OpenAuthenticodeSignature -Path test.ps1</dev:code> <dev:remarks> <maml:para>Removes the Authenticode signature information on the PowerShell script `test.ps1`</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 2: Remove the Authenticode signature on a file without an extension</maml:title> <dev:code>PS C:\> Clear-OpenAuthenticodeSignature -Path my_binary -Provider PEBinary</dev:code> <dev:remarks> <maml:para>Removes the Authenticode signature information on the PE binary file `my_binary`. As the file has no extension, the `-Provider` parameter tells the cmdlet how to manage the file `my_binary`.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Authenticode Digital Signatures</maml:linkText> <maml:uri>https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-OpenAuthenticodeAzKey</command:name> <command:verb>Get</command:verb> <command:noun>OpenAuthenticodeAzKey</command:noun> <maml:description> <maml:para>Get an Azure KeyVault certificate and key for use with Authenticode signing.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Gets the Azure keyVault certificate and key from the vault and key name specified. This key can be used with Set-OpenAuthenticodeSignature (./Set-OpenAuthenticodeSignature.md)to sign a file without having to download the key locally. The authenticated Azure principal must have the following Azure access policy permissions on the requested key:</maml:para> <maml:para>* Key Permissions: `Sign`</maml:para> <maml:para>* Certificate Permissions: `Get`</maml:para> <maml:para></maml:para> <maml:para>The signing workflow does not require the key to be present on the local machine as it calls the Azure `Sign` API with the Authenticode digest. This ensures the key does not leave Azure itself but rather Azure is used to sign the data remotely.</maml:para> <maml:para>Currently only certificates signed with an RSA can be used, ECDSA support is planned for the future. The certificate must also have the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)` for it to be used with Authenticode.</maml:para> <maml:para>Currently authentication relies on the lookup behaviour of DefaultAzureCredential (https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet). It will lookup environment variables, device managed identities, az cli contexts, etc to authenticate with Azure. If the Az.Accounts (https://www.powershellgallery.com/packages/Az.Accounts/) PowerShell module has been installed, the [Connect-AzAccount](https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-10.2.0)cmdlet can be used to authenticate the session before this cmdlet is called. It has not been set to allow for interactive authentication through the web browser.</maml:para> <maml:para>See about_AuthenticodeAzureKeys (./about_AuthenticodeAzureKeys.md)for more information on how a key can be used to sign files.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeAzKey</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="0" aliases="VaultName"> <maml:name>Vault</maml:name> <maml:description> <maml:para>The name of the Azure KeyVault to find the certificate in.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="1" aliases="CertificateName"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The name of the Azure KeyVault certificate/key to retrieve.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="1" aliases="CertificateName"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The name of the Azure KeyVault certificate/key to retrieve.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="0" aliases="VaultName"> <maml:name>Vault</maml:name> <maml:description> <maml:para>The name of the Azure KeyVault to find the certificate in.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para>None</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>OpenAuthenticode.Shared.AzureKey</maml:name> </dev:type> <maml:description> <maml:para>The AzureKey object that can be used with the `-Key` parameter in `Set-OpenAuthenticodeSignature`.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>Both RSA and ECDSA keys are supported with this cmdlet. When using an ECDSA key with `Set-OpenAuthenticodeSignature`, the `-HashAlgorithm` parameter used needs to match the ECDSA key digest size. Omit the `-HashAlgorithm` parameter for the cmdlet to use the correct hash algorithm.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>----------- Example 1: Get key for use with signing -----------</maml:title> <dev:code>PS C:\> $key = Get-OpenAuthenticodeAzKey -Vault code-signing-test -Certificate Authenticode PS C:\> Set-AuthenticodeSignature test.ps1 -Key $key</dev:code> <dev:remarks> <maml:para>Gets the Azure KeyVault key `Authenticode` in the vault `code-signing-test` and uses it to sign the file `test.ps1`. This does not include any pre-requisite steps for setting up the authentication details used by `Get-OpenAuthenticodeAzKey`.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://www.github.com/jborean93/PowerShell-OpenAuthenticode/blob/main/docs/en-US/Get-OpenAuthenticodeAzKey.md</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Azure Key Vault</maml:linkText> <maml:uri>https://azure.microsoft.com/en-au/products/key-vault/</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>DefaultAzureCredential Workflow</maml:linkText> <maml:uri>https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-OpenAuthenticodeSignature</command:name> <command:verb>Get</command:verb> <command:noun>OpenAuthenticodeSignature</command:noun> <maml:description> <maml:para>Gets information about the Authenticode signature for a file.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Gets the Authenticode signature information from the path or content specified. This information includes the certificate that signed the file, the hash algorithm used, and the timestamp countersignature information if it was used. An error record is written if the path specified does not have an authenticode signature present.</maml:para> <maml:para>See about_AuthenticodeProviders (./about_AuthenticodeProviders.md)for more information about what providers are currently supported. When using a file path that has no extension, an explicit `-Provider` must be specified to indicate what Authenticode provider needs to be used to retrieve and validate the signature.</maml:para> <maml:para>It is also possible to provide a file to validate using the `-Content` and `-RawContent` which accepts a string and byte array respectively. The `-Content` value is useful for files that are read as string like PowerShell scripts rather than binary files like a `.dll`.</maml:para> <maml:para>If a file has multiple signatures embedded, each signature and their hash algorithm will be output as their own objects. For example a file signed with the SHA1 hash and SHA256 hash will output 2 objects.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Content</maml:name> <maml:description> <maml:para>Gets the Authenticode signature from the file strings contents. This is useful if the file is stored in memory and not on the filesystem. The `-Provider` parameter must be provided when using `-Content`.</maml:para> <maml:para>If the string value is from a file with a BOM it is important to ensure the string has the BOM chars present. An example of how to prefix a string with an encoding BOM is as follows.</maml:para> <maml:para></maml:para> <maml:para></maml:para> <maml:para>$encoding = [System.Text.Encoding]::Unicode $bom = $encoding.GetString($encoding.GetPreamble()) $content = $bom + (Get-Content $path -Raw) Note: it is far safer to just use `-Path` in the case above. This example is just to display how a BOM can be prefixed if it was required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>SkipCertificateCheck</maml:name> <maml:description> <maml:para>Skips the CA trust validation of the certificate that signed the file. The signature will still be validated to ensure the file has been tampered with but if this switch is present, the certificate CA trust will not be checked.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TrustStore</maml:name> <maml:description> <maml:para>A collection of certificate to use as a custom trusted store location instead of the system provided certificates. Any self signed certificates in this collection will be treated as a trusted root CA during the certificate validation, other certificates will be treated as intermediaries used to help build the trust chain. This should only be used for testing purposes and the system store should be used in most production scenarios.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2Collection</command:parameterValue> <dev:type> <maml:name>X509Certificate2Collection</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to retrieve the Authenticode information for. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>SkipCertificateCheck</maml:name> <maml:description> <maml:para>Skips the CA trust validation of the certificate that signed the file. The signature will still be validated to ensure the file has been tampered with but if this switch is present, the certificate CA trust will not be checked.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TrustStore</maml:name> <maml:description> <maml:para>A collection of certificate to use as a custom trusted store location instead of the system provided certificates. Any self signed certificates in this collection will be treated as a trusted root CA during the certificate validation, other certificates will be treated as intermediaries used to help build the trust chain. This should only be used for testing purposes and the system store should be used in most production scenarios.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2Collection</command:parameterValue> <dev:type> <maml:name>X509Certificate2Collection</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSignature</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to extract the Authenticode signature from. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>SkipCertificateCheck</maml:name> <maml:description> <maml:para>Skips the CA trust validation of the certificate that signed the file. The signature will still be validated to ensure the file has been tampered with but if this switch is present, the certificate CA trust will not be checked.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TrustStore</maml:name> <maml:description> <maml:para>A collection of certificate to use as a custom trusted store location instead of the system provided certificates. Any self signed certificates in this collection will be treated as a trusted root CA during the certificate validation, other certificates will be treated as intermediaries used to help build the trust chain. This should only be used for testing purposes and the system store should be used in most production scenarios.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2Collection</command:parameterValue> <dev:type> <maml:name>X509Certificate2Collection</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSignature</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RawContent</maml:name> <maml:description> <maml:para>Gets the Authenticode signature from the file bytes directly. This is useful if the file is stored in memory and not on the filesystem. The `-Provider` parameter must be provided when using `-RawContent`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Byte[]</command:parameterValue> <dev:type> <maml:name>Byte[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>SkipCertificateCheck</maml:name> <maml:description> <maml:para>Skips the CA trust validation of the certificate that signed the file. The signature will still be validated to ensure the file has been tampered with but if this switch is present, the certificate CA trust will not be checked.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TrustStore</maml:name> <maml:description> <maml:para>A collection of certificate to use as a custom trusted store location instead of the system provided certificates. Any self signed certificates in this collection will be treated as a trusted root CA during the certificate validation, other certificates will be treated as intermediaries used to help build the trust chain. This should only be used for testing purposes and the system store should be used in most production scenarios.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2Collection</command:parameterValue> <dev:type> <maml:name>X509Certificate2Collection</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Content</maml:name> <maml:description> <maml:para>Gets the Authenticode signature from the file strings contents. This is useful if the file is stored in memory and not on the filesystem. The `-Provider` parameter must be provided when using `-Content`.</maml:para> <maml:para>If the string value is from a file with a BOM it is important to ensure the string has the BOM chars present. An example of how to prefix a string with an encoding BOM is as follows.</maml:para> <maml:para></maml:para> <maml:para></maml:para> <maml:para>$encoding = [System.Text.Encoding]::Unicode $bom = $encoding.GetString($encoding.GetPreamble()) $content = $bom + (Get-Content $path -Raw) Note: it is far safer to just use `-Path` in the case above. This example is just to display how a BOM can be prefixed if it was required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to extract the Authenticode signature from. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to retrieve the Authenticode information for. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to extract the signature. This is required if the `-Content` or `-RawContent` parameter is specified. If `-Path`, or `-LiteralPath` is specified, the provider is found based on the extension of the file being read. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RawContent</maml:name> <maml:description> <maml:para>Gets the Authenticode signature from the file bytes directly. This is useful if the file is stored in memory and not on the filesystem. The `-Provider` parameter must be provided when using `-RawContent`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Byte[]</command:parameterValue> <dev:type> <maml:name>Byte[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>SkipCertificateCheck</maml:name> <maml:description> <maml:para>Skips the CA trust validation of the certificate that signed the file. The signature will still be validated to ensure the file has been tampered with but if this switch is present, the certificate CA trust will not be checked.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TrustStore</maml:name> <maml:description> <maml:para>A collection of certificate to use as a custom trusted store location instead of the system provided certificates. Any self signed certificates in this collection will be treated as a trusted root CA during the certificate validation, other certificates will be treated as intermediaries used to help build the trust chain. This should only be used for testing purposes and the system store should be used in most production scenarios.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2Collection</command:parameterValue> <dev:type> <maml:name>X509Certificate2Collection</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para>Accepts a list of paths for the `-Path` parameter.</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Security.Cryptography.Pkcs.SignedCms / OpenAuthenticode.AuthenticodeSignature</maml:name> </dev:type> <maml:description> <maml:para>The Authenticode signature details from the path specified if it was signed. This object has the following extra properties added as part of the extended type data of `OpenAuthenticode.AuthenticodeSignature`:</maml:para> <maml:para>+ `Path`: The file path that this signature is for</maml:para> <maml:para>+ `Certificate`: The X.509 certificate that signed the file</maml:para> <maml:para>+ `HashAlgorithm`: The hash algorithm that was used in the Authenticode signature</maml:para> <maml:para>+ `TimeStampInfo`: Information about the counter signature timestamp including its certificate, timestamp date in UTC, and timestamp hashing algorithm</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>Unlike Get-AuthenticodeSignature (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature?view=powershell-7.3)this cmdlet will write an error if there is a Authenticode signature validation problem. The error should contain the details on what went wrong.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>----- Example 1: Get the Authenticode signature for a file -----</maml:title> <dev:code>PS C:\> Get-OpenAuthenticodeSignature -Path test.ps1</dev:code> <dev:remarks> <maml:para>Gets the Authenticode signature information from the PowerShell script `test.ps1`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>- Example 2: Get the Authenticode signature for multiple files -</maml:title> <dev:code>PS C:\> Get-OpenAuthenticodeSignature -Path file1.ps1, signed.ps1</dev:code> <dev:remarks> <maml:para>Gets the Authenticode signature information for multiple PowerShell script files.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 3: Get the Authenticode signature for a file without an extension</maml:title> <dev:code>PS C:\> Get-OpenAuthenticodeSignature -Path hook -Provider PowerShell</dev:code> <dev:remarks> <maml:para>Gets the Authenticode signature for a PowerShell script without a file extension.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 4: Get the Authenticode signature for a script in memory</maml:title> <dev:code>PS C:\> $myScript = Get-Content -Path script.ps1 -Raw PS C:\> Get-OpenAuthenticodeSignature -Content $myScript -Provider PowerShell</dev:code> <dev:remarks> <maml:para>Gets the Authenticode signature for a PowerShell script as a string.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title> Example 5: Get the Authenticode signature from a file's bytes </maml:title> <dev:code>PS C:\> $bytes = Get-Content -Path script.ps1 -AsByteStream -Raw PS C:\> Get-OpenAuthenticodeSignature -RawContent $bytes -Provider PowerShell -Encoding ANSI</dev:code> <dev:remarks> <maml:para>Gets the Authenticode signature from the files raw bytes. The `-Encoding` parameter is not necessarily for most Authenticode providers but for PowerShell it is a helpful hint to tell it how to read those bytes as a string. By default PowerShell will use the encoding of the BOM if present, otherwise uses `UTF8`. In this example the encoding is set to `ANSI` which is typically `windows-1252`. The `ANSI` encoding refers to the legacy encoding that Windows PowerShell (before 5.1) used to read scripts.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://www.github.com/jborean93/PowerShell-OpenAuthenticode/blob/main/docs/en-US/Get-OpenAuthenticodeSignature.md</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Authenticode Digital Signatures</maml:linkText> <maml:uri>https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-OpenAuthenticodeSslDotComKey</command:name> <command:verb>Get</command:verb> <command:noun>OpenAuthenticodeSslDotComKey</command:noun> <maml:description> <maml:para>Gets a SSL.com certificate key for use with Authenticode signing.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Gets the SSL.com certificate and key with the credentials specified. This key can be used with Set-OpenAuthenticodeSignature (./Set-OpenAuthenticodeSignature.md)to sign a file that is located in an SSL.com account. It uses the eSigner API to request a signed hash of the data needed without having the private key leave SSL.com's secure enclave.</maml:para> <maml:para>Currently the only signing algorithm that is supported by SSL.com is SHA256, using any other algorithm will result in an error.</maml:para> <maml:para>Before this cmdlet can be used as a key for signing files, a OAuth2 application needs to be registered for this cmdlet to use. See Register an Application with eSigner's CSC API (https://www.ssl.com/how-to/register-application-esigner-csc-api/)for a guide on how to set up a registered OAuth2 application. When creating the registered app the following must be set:</maml:para> <maml:para>+ `Application Name`: Can be anything but recommended to be something that can tie it back to this module.</maml:para> <maml:para>+ `Redirect URI`: Must be `urn:ietf:wg:oauth:2.0:oob` to support this cmdlet for prompting for the authorization code interactively</maml:para> <maml:para>+ `Scopes`: Must be `service`</maml:para> <maml:para>Once registered the `Client ID` and `Client Secret` are used to authenticate as this registered OAuth2 application. The `-UserName`/`-Password` or `-Credential` parameters can also be used in conjunction with `-ClientID`/`-ClientSecret` to automatically authenticate the user without any interactive prompts. Using just `-ClientID`/`-ClientSecret` will have the module prompt for the authorization code alongside a URL that can get this one time code.</maml:para> <maml:para>Once the key information has been retrieved, a signing operation will also require the One Time Password (OTP) value per operation (per `Set-OpenAuthenticodeSignature`/`Add-OpenAuthenticodeSignature` call). These cmdlets will prompt for the OTP when required. The `-TOTPSecret` parameter can be used to provide the TOPT secret code so that the OTP can be generated without any prompt.</maml:para> <maml:para>Overall the following parameters are sensitive values and should be protected in whatever way possible:</maml:para> <maml:para>+ `ClientSecret` - The registered OAuth2 application secret</maml:para> <maml:para>+ `Credential` / `Username` / `Password` - The SSL.com credentials used for non-interactive logins</maml:para> <maml:para>+ `TOPTSecret` - The certificate's TOPT secret code used for non-interactive OTP generation</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSslDotComKey</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ApiEndpoint</maml:name> <maml:description> <maml:para>The SSL.com eSigner API endpoint to use for key operations. This defaults to the production API for eSigner, use `https://cs-try.ssl.com/` when testing out the sandbox eSigner instance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>https://cs.ssl.com/</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>AuthorizationCode</maml:name> <maml:description> <maml:para>The OAuth2 authorization code which can be retrieved manually through `https://login.ssl.com/` by selecting `AUTHORIZE` on a registered OAuth2 application for your account. If omitted, the cmdlet will display a URL which can be used to retrieve this code interactively. An Authorization Code can only be used once.</maml:para> <maml:para>It might be necessary to open the link twice if the first attempt goes directly to the account management page. The second attempt should redirect to a page that contains the authorization code that can be typed into the prompt to continue.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="CredentialID"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Selects the certificate to use for the signing operations. This value can be one of the following:</maml:para> <maml:para>+ eSigner credential ID GUID string</maml:para> <maml:para>+ Certificate Thumbprint string</maml:para> <maml:para>+ X509Certificate2 object</maml:para> <maml:para>The eSigner credential ID is the GUID identifier for the signing credential associated with the certificate. This can be retrieved through the eSigner certificate details page under the `SIGNING CREDENTIALS` section.</maml:para> <maml:para>The certificate thumbprint string or X509Certificate2 is used to select the certificate in the eSigner account that matches with that thumbprint.</maml:para> <maml:para>If no certificate or credential is specified, the first valid certificate found in the eSigner account will be used. Use the `-Verbose` parameter to see what certificate was selected if none are provided.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SslDotComCertificate</command:parameterValue> <dev:type> <maml:name>SslDotComCertificate</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientId</maml:name> <maml:description> <maml:para>The registered OAuth client identifier that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`. It is important that the redirect URI is the one above to ensure OpenAuthenticode can prompt for an authorization code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientSecret</maml:name> <maml:description> <maml:para>The registered OAuth client secret that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TOPTSecret</maml:name> <maml:description> <maml:para>The Time-based One Time Password (TOTP) secret that can be used to generate OTP codes during signing. This secret is generated in the eSigner console for the certificate when setting up the second factor authentication. See the section Type in your eSigner Time-based One-Time Password (TOTP) (https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/)for more information on how to get this code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSslDotComKey</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ApiEndpoint</maml:name> <maml:description> <maml:para>The SSL.com eSigner API endpoint to use for key operations. This defaults to the production API for eSigner, use `https://cs-try.ssl.com/` when testing out the sandbox eSigner instance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>https://cs.ssl.com/</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="CredentialID"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Selects the certificate to use for the signing operations. This value can be one of the following:</maml:para> <maml:para>+ eSigner credential ID GUID string</maml:para> <maml:para>+ Certificate Thumbprint string</maml:para> <maml:para>+ X509Certificate2 object</maml:para> <maml:para>The eSigner credential ID is the GUID identifier for the signing credential associated with the certificate. This can be retrieved through the eSigner certificate details page under the `SIGNING CREDENTIALS` section.</maml:para> <maml:para>The certificate thumbprint string or X509Certificate2 is used to select the certificate in the eSigner account that matches with that thumbprint.</maml:para> <maml:para>If no certificate or credential is specified, the first valid certificate found in the eSigner account will be used. Use the `-Verbose` parameter to see what certificate was selected if none are provided.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SslDotComCertificate</command:parameterValue> <dev:type> <maml:name>SslDotComCertificate</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientId</maml:name> <maml:description> <maml:para>The registered OAuth client identifier that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`. It is important that the redirect URI is the one above to ensure OpenAuthenticode can prompt for an authorization code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientSecret</maml:name> <maml:description> <maml:para>The registered OAuth client secret that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Credential</maml:name> <maml:description> <maml:para>The username and password credential for the SSL.com account. This can be used to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue> <dev:type> <maml:name>PSCredential</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TOPTSecret</maml:name> <maml:description> <maml:para>The Time-based One Time Password (TOTP) secret that can be used to generate OTP codes during signing. This secret is generated in the eSigner console for the certificate when setting up the second factor authentication. See the section Type in your eSigner Time-based One-Time Password (TOTP) (https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/)for more information on how to get this code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-OpenAuthenticodeSslDotComKey</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ApiEndpoint</maml:name> <maml:description> <maml:para>The SSL.com eSigner API endpoint to use for key operations. This defaults to the production API for eSigner, use `https://cs-try.ssl.com/` when testing out the sandbox eSigner instance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>https://cs.ssl.com/</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="CredentialID"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Selects the certificate to use for the signing operations. This value can be one of the following:</maml:para> <maml:para>+ eSigner credential ID GUID string</maml:para> <maml:para>+ Certificate Thumbprint string</maml:para> <maml:para>+ X509Certificate2 object</maml:para> <maml:para>The eSigner credential ID is the GUID identifier for the signing credential associated with the certificate. This can be retrieved through the eSigner certificate details page under the `SIGNING CREDENTIALS` section.</maml:para> <maml:para>The certificate thumbprint string or X509Certificate2 is used to select the certificate in the eSigner account that matches with that thumbprint.</maml:para> <maml:para>If no certificate or credential is specified, the first valid certificate found in the eSigner account will be used. Use the `-Verbose` parameter to see what certificate was selected if none are provided.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SslDotComCertificate</command:parameterValue> <dev:type> <maml:name>SslDotComCertificate</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientId</maml:name> <maml:description> <maml:para>The registered OAuth client identifier that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`. It is important that the redirect URI is the one above to ensure OpenAuthenticode can prompt for an authorization code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientSecret</maml:name> <maml:description> <maml:para>The registered OAuth client secret that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Password</maml:name> <maml:description> <maml:para>The password for the SSL.com account. This can be used with `-UserName` to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TOPTSecret</maml:name> <maml:description> <maml:para>The Time-based One Time Password (TOTP) secret that can be used to generate OTP codes during signing. This secret is generated in the eSigner console for the certificate when setting up the second factor authentication. See the section Type in your eSigner Time-based One-Time Password (TOTP) (https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/)for more information on how to get this code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>UserName</maml:name> <maml:description> <maml:para>The username for the SSL.com account. This can be used with `-Password` to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ApiEndpoint</maml:name> <maml:description> <maml:para>The SSL.com eSigner API endpoint to use for key operations. This defaults to the production API for eSigner, use `https://cs-try.ssl.com/` when testing out the sandbox eSigner instance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>https://cs.ssl.com/</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>AuthorizationCode</maml:name> <maml:description> <maml:para>The OAuth2 authorization code which can be retrieved manually through `https://login.ssl.com/` by selecting `AUTHORIZE` on a registered OAuth2 application for your account. If omitted, the cmdlet will display a URL which can be used to retrieve this code interactively. An Authorization Code can only be used once.</maml:para> <maml:para>It might be necessary to open the link twice if the first attempt goes directly to the account management page. The second attempt should redirect to a page that contains the authorization code that can be typed into the prompt to continue.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="CredentialID"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Selects the certificate to use for the signing operations. This value can be one of the following:</maml:para> <maml:para>+ eSigner credential ID GUID string</maml:para> <maml:para>+ Certificate Thumbprint string</maml:para> <maml:para>+ X509Certificate2 object</maml:para> <maml:para>The eSigner credential ID is the GUID identifier for the signing credential associated with the certificate. This can be retrieved through the eSigner certificate details page under the `SIGNING CREDENTIALS` section.</maml:para> <maml:para>The certificate thumbprint string or X509Certificate2 is used to select the certificate in the eSigner account that matches with that thumbprint.</maml:para> <maml:para>If no certificate or credential is specified, the first valid certificate found in the eSigner account will be used. Use the `-Verbose` parameter to see what certificate was selected if none are provided.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SslDotComCertificate</command:parameterValue> <dev:type> <maml:name>SslDotComCertificate</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientId</maml:name> <maml:description> <maml:para>The registered OAuth client identifier that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`. It is important that the redirect URI is the one above to ensure OpenAuthenticode can prompt for an authorization code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>ClientSecret</maml:name> <maml:description> <maml:para>The registered OAuth client secret that has been registered for `OpenAuthenticode`. An OAuth2 application can be registered under https://login.ssl.com/ with the scope of `service` and redirect URI of `urn:ietf:wg:oauth:2.0:oob`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Credential</maml:name> <maml:description> <maml:para>The username and password credential for the SSL.com account. This can be used to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue> <dev:type> <maml:name>PSCredential</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Password</maml:name> <maml:description> <maml:para>The password for the SSL.com account. This can be used with `-UserName` to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TOPTSecret</maml:name> <maml:description> <maml:para>The Time-based One Time Password (TOTP) secret that can be used to generate OTP codes during signing. This secret is generated in the eSigner console for the certificate when setting up the second factor authentication. See the section Type in your eSigner Time-based One-Time Password (TOTP) (https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/)for more information on how to get this code.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>UserName</maml:name> <maml:description> <maml:para>The username for the SSL.com account. This can be used with `-Password` to bypass the OAuth2 authorization prompt and log in without any interaction required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para>None</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>OpenAuthenticode.Shared.SslDotComKey</maml:name> </dev:type> <maml:description> <maml:para>The SSL.com key object that can be used with the `-Key` parameter in `Set-OpenAuthenticodeSignature`.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>SSL.com has functionality to scan the data for malware before it can sign the data. If malware scanning is enabled on the certificate used for signing, the cmdlet will send the file(s)'s hash to SSL.com for a pre-check as required by their API. The only way to avoid this step is to disable the malware checks in the certificate details page.</maml:para> <maml:para>Using the `-Debug` parameter will output log level API operations and could expose sensitive data. Make sure to only use `-Debug` for debugging scenarios to avoid accidentally exposing this data.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------- Example 1: Create key with interactive prompts --------</maml:title> <dev:code>PS C:\> $keyParams = @{ ClientId = 'AB19ajIo1GrcTm-tg2aq6-Zml1CJNtwcQzvp82Jv-wdnk' ClientSecret = '...' } PS C:\> $key = Get-OpenAuthenticodeSslDotComKey @keyParams No AuthorizationCode was specified. Please go to the following URL and paste in the result authorization code to continue. https://login.ssl.com/oauth2/authorize?client_id=AB19ajIo1GrcTm-tg2aq6-Zml1CJNtwcQzvp82Jv-wdnk&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=service You may need to load the URL twice if the first attempt goes to the account settings page. The ClientID must be a registered OAuth application that has the service scope and redirect URL of 'urn:ietf:wg:oauth:2.0:oob' for this to work. Authorization Code: ******************************************* PS C:\> Set-OpenAuthenticodeSignature test.ps1 -Key $key Please enter OTP for b6216ec3-b5b7-44a7-8ac9-836ad49a1952 to authorize signing OTP: 123456</dev:code> <dev:remarks> <maml:para>This example will create a key object with the OAuth2 registered client. As no username/password or authorization key is supplied, the cmdlet will prompt for the user to manually sign in with the link supplied and provide the authorization code it generates. Once logged in successfully, it will select the first valid certificate available for use with signing. When signing the data, a prompt for the One Time Password (OTP) will be shown. Enter this OTP for the signing to continue.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>---------- Example 2: Create key with no interaction ----------</maml:title> <dev:code>PS C:\> $keyParams = @{ ClientId = 'AB19ajIo1GrcTm-tg2aq6-Zml1CJNtwcQzvp82Jv-wdnk' ClientSecret = '...' UserName = 'username' Password = 'SSL.com Password' TOTPSecret = '...' } PS C:\> $key = Get-OpenAuthenticodeSslDotComKey @keyParams PS C:\> Set-OpenAuthenticodeSignature test.ps1 -Key $key</dev:code> <dev:remarks> <maml:para>Provides the `UserName` and `Password` (or alternatively use `-Credential`) to authorize the user with OAuth2 password based authentication. The `-TOPTSecret` is also provided so that the signing operation will not need to prompt for the OTP. Keep in mind the `-TOPTSecret` is not the OTP bin at the current time but rather the TOTP secret code (seed) that can be retrieved through the certificate details page.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 3: Use a specific certificate specified by credential id for signing</maml:title> <dev:code>PS C:\> $keyParams = @{ ClientId = 'AB19ajIo1GrcTm-tg2aq6-Zml1CJNtwcQzvp82Jv-wdnk' ClientSecret = '...' UserName = 'username' Password = 'SSL.com Password' TOTPSecret = '...' Certificate = '0a8b5f68-406b-4f61-88dc-3e7aaa8e6bbe' } PS C:\> $key = Get-OpenAuthenticodeSslDotComKey @keyParams PS C:\> Set-OpenAuthenticodeSignature test.ps1 -Key $key</dev:code> <dev:remarks> <maml:para>Specifies the eSigner credential ID associated with the certificate to use for signing instead of selecting the first certificate found. If the certificate for this ID is not found, an error will be written.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 4: Use a specific certificate specified by thumbprint for signing</maml:title> <dev:code>PS C:\> $cert [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pathToCert) PS C:\> $keyParams = @{ ClientId = 'AB19ajIo1GrcTm-tg2aq6-Zml1CJNtwcQzvp82Jv-wdnk' ClientSecret = '...' UserName = 'username' Password = 'SSL.com Password' TOTPSecret = '...' Certificate = $cert.Thumbprint } PS C:\> $key = Get-OpenAuthenticodeSslDotComKey @keyParams PS C:\> Set-OpenAuthenticodeSignature test.ps1 -Key $key</dev:code> <dev:remarks> <maml:para>Specifies the certificate thumbprint of a certificate to use for signing. This thumbprint can be retrieved from the `.crt` downloaded from the eSigner portal or just manually retrieved through other means. If the certificate with this thumbprint is not found, an error will be written.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://www.github.com/jborean93/PowerShell-OpenAuthenticode/blob/main/docs/en-US/Get-OpenAuthenticodeSslDotComKey.md</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>eSigner FAQ</maml:linkText> <maml:uri>https://www.ssl.com/faqs/esigner-faq/</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Set-OpenAuthenticodeSignature</command:name> <command:verb>Set</command:verb> <command:noun>OpenAuthenticodeSignature</command:noun> <maml:description> <maml:para>Set an authenticode signature on a file.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>This cmdlet can sign the file provided with an Authenticode signature. This signature can be validated using Get-OpenAuthenticodeSignature (./Get-OpenAuthenticodeSignature.md)or any of the Authenticode APIs, including the ones of a Windows host. It will replace an existing signatures on the file with the new one generated by the cmdlet. To add a signature to an existing set, use Add-OpenAuthenticodeSignature (./Add-OpenAuthenticodeSignature.md).</maml:para> <maml:para>It is possible to sign a file using a certificate object with an associated key. The simplest way to get a certificate is to use the Get-PfxCertificate cmdlet (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-pfxcertificate?view=powershell-7.3)which works on both Windows and non-Windows hosts. It is also possible to get a code signing certificate through the `Cert:` provider alongside the `-CodeSigningCert` parameter on Windows. The certificate must have the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)` for it to be used with Authenticode. The certificate must also use the RSA or ECDSA key algorithm for it to be used, other algorithms are not implemented. While it should be signed by a trusted CA authority for it to be validated normally, it is not a requirement to sign the file.</maml:para> <maml:para>See about_AuthenticodeProviders (./about_AuthenticodeProviders.md)for more information about what providers are currently supported. When using a file path that has no extension, an explicit `-Provider` must be specified to indicate what Authenticode provider needs to be used to sign and embed the signature in the file specified.</maml:para> <maml:para>Setting a signature will edit the file provided, use `-WhatIf` to test whether a signature can be set without actually changing the file.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was placed in the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was placed in the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-OpenAuthenticodeSignature</maml:name> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was placed in the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-OpenAuthenticodeSignature</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">None</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ExcludeRoot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndCertOnly</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WholeChain</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was placed in the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NotSpecified</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShell</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PowerShellXml</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PEBinary</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>The certificate used to sign the files specified. Use the `Get-PfxCertificate` or `Get-ChildItem Cert:\... -CodeSigningCert` (Windows only) to get a certificate to use for signing. A valid certificate must meet the following requirements:</maml:para> <maml:para>+ Must have access to its associated private key for it to be able to sign the file.</maml:para> <maml:para>+ Has the Key Usage of `Digital Signature (80)` and Enhanced Key Usage `Code Signing (1.3.6.1.5.5.7.3.3)`.</maml:para> <maml:para>+ Uses the RSA or ECDSA signature algorithm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>A hint to provide to the Authenticode provider that indicates what the file string encoding method is. This is only used by Authenticode providers that need to read the file as a string, like PowerShell. The default used is dependent on the Authenticode provider but most commonly will be `UTF-8`.</maml:para> <maml:para>This accepts a `System.Text.Encoding` type but also a string or int representing the encoding from `[System.Text.Encoding]::GetEncoding(...)`. Some common encoding values are:</maml:para> <maml:para>* `Utf8` - UTF-8 but without a Byte Order Mark (BOM)</maml:para> <maml:para>* `ASCII` - ASCII (bytes 0-127)</maml:para> <maml:para>* `ANSI` - The ANSI encoding commonly used in legacy Windows encoding</maml:para> <maml:para>* `OEM` - The value of `[System.Text.Encoding]::Default` which is UTF-8 without a BOM</maml:para> <maml:para>* `Unicode` - UTF-16-LE</maml:para> <maml:para>* `Utf8Bom` - UTF-8 but with a BOM</maml:para> <maml:para>* `Utf8NoBom` - Same as `Utf8`</maml:para> <maml:para></maml:para> <maml:para>The `ANSI` encoding typically refers to the legacy Windows encoding used in older PowerShell versions. If creating a script that should be used across the various PowerShell versions, it is highly recommended to use an encoding with a `BOM` like `Utf8Bom` or `Unicode`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Encoding</command:parameterValue> <dev:type> <maml:name>Encoding</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm to use when generating the Authenticode signature. If a `-Key` was specified and had a set default hash algorithm, that algorithm will be used as the default. If no `-Key` was specified, or the key had no default hash algorithm, `SHA256` will be used.</maml:para> <maml:para>Known algorithms are:</maml:para> <maml:para>* `SHA1`</maml:para> <maml:para>* `SHA256`</maml:para> <maml:para>* `SHA384`</maml:para> <maml:para>* `SHA512`</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>IncludeOption</maml:name> <maml:description> <maml:para>Determines which certificates in the certificate trust chain are included in the digital signature. Existing options are:</maml:para> <maml:para>* `None` - No chain information is included</maml:para> <maml:para>* `ExcludeRoot` - The entire chain is included except for the root certificate</maml:para> <maml:para>* `EndCertOnly` - Only the end certificate is included</maml:para> <maml:para>* `WholeChain` - The whole chain is included</maml:para> <maml:para></maml:para> <maml:para>The default is `ExcludeRoot` which will include all the certs and their intermediaries in the Authenticode signature, except the root CA certificate.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509IncludeOption</command:parameterValue> <dev:type> <maml:name>X509IncludeOption</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Key</maml:name> <maml:description> <maml:para>A custom key object that can be used to signed the file. Currently this is only supported by Azure KeyVault keys and this value can be retrieved from Get-OpenAuthenticodeAzKey (./Get-OpenAuthenticodeAzKey.md).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KeyProvider</command:parameterValue> <dev:type> <maml:name>KeyProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Specifies the path to the files to sign with an Authenticode signature. Unlike `-Path`, the path is used exactly as it is typed, no wildcard matching will occur.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>PassThru</maml:name> <maml:description> <maml:para>Output the signature information that was placed in the file. If not set, the cmdlet will not output anything.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="true" pipelineInput="True (ByPropertyName, ByValue)" position="0" aliases="FilePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the files to sign with an Authenticode signature. Wildcards are permitted and a signature will be outputted for every file that matches the wildcard. This is only supported for paths in the FileSystem provider.</maml:para> <maml:para>If the path does not have a file extension, the `-Provider` parameter must be set to tell the cmdlet how it should be signed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Provider</maml:name> <maml:description> <maml:para>Specify the Authenticode provider used to sign the file. If the file has no extension then an explicit provider must be specified.</maml:para> <maml:para>Valid providers are:</maml:para> <maml:para>* `NotSpecified` - Uses the file extension to find the provider</maml:para> <maml:para>* `PowerShell` - Uses the PowerShell script Authenticode provider</maml:para> <maml:para>* `PowerShellXml` - Uses the PowerShell script Authenticode provider for XML files like `.psc1` and `.ps1xml`</maml:para> <maml:para>* `PEBinary` - Windows `.exe`, `.dll` files, including cross platform dotnet assemblies</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AuthenticodeProvider</command:parameterValue> <dev:type> <maml:name>AuthenticodeProvider</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Silent</maml:name> <maml:description> <maml:para>Do not show any PIN prompts when attempting to open the key for signing. If a key requires a PIN prompt and `-Silent` is specified, the signing operation will fail. This is only valid for keys retrieved by Windows and is ignored by custom keys provided with `-Key`.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampHashAlgorithm</maml:name> <maml:description> <maml:para>The hashing algorithm used in the counter signature timestamp if `-TimestampServer` was specified. This defaults to the value of `-HashAlgorithm` if not specified.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">HashAlgorithmName</command:parameterValue> <dev:type> <maml:name>HashAlgorithmName</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>TimeStampServer</maml:name> <maml:description> <maml:para>The timestamp server used to counter sign the Authenticode signature. The time stamp represents the exact time the certificate was added to the file. A time stamp prevents the signature from being invalidated once the certificate has expired.</maml:para> <maml:para>The value specified here is the URL to an RFC 3161 compliant time stamping server. It is possible to specify the hashing algorithm the timestamp server uses with the `-TimeStampHashAlgorithm`.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para>Accepts a list of paths for the `-Path` parameter.</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para>No output is present if `-PassThru` is not specified.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>System.Security.Cryptography.Pkcs.SignedCms / OpenAuthenticode.AuthenticodeSignature</maml:name> </dev:type> <maml:description> <maml:para>If `-PassThru` is specified, this will output the Authenticode signature details that was signed to the path specified. This object has the following extra properties added as part of the extended type data of `OpenAuthenticode.AuthenticodeSignature`:</maml:para> <maml:para>+ `Path`: The file path that this signature is for</maml:para> <maml:para>+ `Certificate`: The X.509 certificate that signed the file</maml:para> <maml:para>+ `HashAlgorithm`: The hash algorithm that was used in the Authenticode signature</maml:para> <maml:para>+ `TimeStampInfo`: Information about the counter signature timestamp including its certificate, timestamp date in UTC, and timestamp hashing algorithm</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>Unlike Set-AuthenticodeSignature (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-authenticodesignature?view=powershell-7.3)this cmdlet uses an RFC 3161 compliant time stamp server for the counter signatures. Windows treats both an RFC 3161 and the legacy Authenticode timestamped signature as the same so this should not affect the validation of the signature on Windows. Using `-Debug` can expose sensitive messages depending on the key provider used, use this only for debugging purposes.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>----------- Example 1: Signs a PowerShell ps1 script -----------</maml:title> <dev:code>PS C:\> $pass = Read-Host -AsSecureString -Prompt "Enter pfx password" PS C:\> $cert = Get-PfxCertificate -FilePath ~/code-signing.pfx -Password $pass PS C:\> Set-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert</dev:code> <dev:remarks> <maml:para>Signs the script `test.ps1` with the certificate specified.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 2: Signs a PowerShell ps1 script and a counter signature timestamp</maml:title> <dev:code>PS C:\> $pass = Read-Host -AsSecureString -Prompt "Enter pfx password" PS C:\> $cert = Get-PfxCertificate -FilePath ~/code-signing.pfx -Password $pass PS C:\> Set-OpenAuthenticodeSignature -Path test.ps1 -Certificate $cert -TimestampServer http://timestamp.digicert.com</dev:code> <dev:remarks> <maml:para>Like example 1 but also adds a counter signature with the Digicert timestamp server.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>--------- Example 3: Sign using an Azure KeyVault key ---------</maml:title> <dev:code>PS C:\> $key = Get-OpenAuthenticodeAzKey -Vault code-signing-test -Certificate Authenticode PS C:\> Set-AuthenticodeSignature test.ps1 -Key $key</dev:code> <dev:remarks> <maml:para>Gets the Azure KeyVault key `Authenticode` in the vault `code-signing-test` and uses it to sign the file `test.ps1`. This does not include any pre-requisite steps for setting up the authentication details used by `Get-OpenAuthenticodeAzKey`.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://www.github.com/jborean93/PowerShell-OpenAuthenticode/blob/main/docs/en-US/Set-OpenAuthenticodeSignature.md</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Authenticode Digital Signatures</maml:linkText> <maml:uri>https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> </helpItems> |