Using Digital Signatures with Timestamp Server

by Nov 3, 2017

When you start signing script files, you want signatures to stay intact even if the certificate that signed them expires at some point in the future. What matters is that the certificate was valid at the time it signed the script.

To ensure this, you need a timestamp server from a trusted authority that adds a timestamp to the signature. This way, you not only signed a script; you also recorded the date when you signed it. As long as your certificate was valid at that time, all is fine.

We have adjusted the code from our previous tip and added a timestamp server URL. The code below adds signatures to all scripts in your user profile that do not yet have one. Remove the -WhatIf parameter if you really want to add the signatures to your script files:

# read in the certificate from a pre-existing PFX file
$cert = Get-PfxCertificate -FilePath "$env:temp\codeSignCert.pfx"

# find all scripts in your user profile...
Get-ChildItem -Path $home\Documents -Filter *.ps1 -Include *.ps1 -Recurse -ErrorAction SilentlyContinue |
# ...that do not have a signature yet...
Where-Object {
  ($_ | Get-AuthenticodeSignature).Status -eq 'NotSigned'
  } |
# and apply one
# (note that we added -WhatIf so no signing occurs. Remove this only if you
# really want to add digital signatures!)
Set-AuthenticodeSignature -Certificate $cert -TimestampServer http://timestamp.digicert.com -WhatIf
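Once scripts are signed, you can check which signatures actually carry a timestamp. The following is an added example, not part of the original tip: it reads each signature with Get-AuthenticodeSignature and flags valid signatures that have no timestamp authority certificate, because those stop validating once the signing certificate expires. The folder path is an assumption taken from the tip above.

```powershell
# Added example: audit signed scripts and report whether each signature
# is timestamped. A signature without a timestamp breaks when the signing
# certificate expires; a timestamped one keeps validating because the
# signing time is recorded as part of the signature.
function Get-ScriptSignatureReport {
    param(
        # assumed location, matching the tip above; adjust to your script folder
        [string]$Path = "$home\Documents"
    )

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate        # certificate that signed the script
        $tsa    = $sig.TimeStamperCertificate   # present only if a timestamp server was used

        [pscustomobject]@{
            Script             = $_.FullName
            Status             = $sig.Status    # Valid, NotSigned, HashMismatch, ...
            Signer             = if ($signer) { $signer.Subject }  else { $null }
            SignerExpires      = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped        = [bool]$tsa
            TimestampAuthority = if ($tsa)    { $tsa.Subject }     else { $null }
            # at risk: currently valid, but nothing anchors the signing time,
            # so validation fails as soon as the signer certificate expires
            ExpiryRisk         = ($sig.Status -eq 'Valid') -and (-not $tsa)
        }
    }
}

# List the valid signatures that lack a timestamp and should be re-signed
# with -TimestampServer before the certificate runs out
Get-ScriptSignatureReport |
    Where-Object ExpiryRisk |
    Format-Table Script, SignerExpires, Timestamped -AutoSize
```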
