{"id":86114,"date":"2019-07-24T10:32:34","date_gmt":"2019-07-24T18:32:34","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/scripting\/?p=86114"},"modified":"2019-10-29T06:49:52","modified_gmt":"2019-10-29T14:49:52","slug":"reporting-on-digitally-signed-files-with-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/reporting-on-digitally-signed-files-with-powershell\/","title":{"rendered":"Reporting on Digitally Signed Files with PowerShell"},"content":{"rendered":"

Summary<\/strong>: Using the Get-AuthenticodeSignature cmdlet to show if a file is Digitally Signed<\/p>\n

Q: Hey, Doctor Scripto!<\/p>\n

I was curious, since many new files are Digitally signed with a certificate if there was an easy way to see the status of the Digital Signatures of many files easily?<\/p>\n

\u2014SH<\/p>\n

A: Hello SH your good friend Doctor Scripto is here today to help you along.<\/p>\n

One of the things which changed with PowerShell in version 3.0 was a beautiful little Cmdlet called Get-AuthenticodeSignature<\/p>\n

This Cmdlets task was very simple, examine a file and show the properties of the Digital Certificate on a file. Here\u2019s an example of it in action<\/p>\n

<\/p>\n

A quick glance shows us the file has a Valid digital signature. If you would like to see more details you can pipe the results into Format-List<\/p>\n

<\/p>\n

Visually this is a nice way of trying to determine if the content you downloaded is at least signed with a current certificate from a vendor.<\/p>\n

I can even take a list of files, pipe them in to see their status!<\/p>\n

<\/p>\n

However the Cmdlet does have a Snag. If I wish to take this information and try to Export it as a list to a CSV to report on a list of files, it produces some unexpected results.<\/p>\n

Instead of seeing a nicely formatting CSV file in columns and perhaps the odd Object reference, it looks more like a regular text file<\/p>\n

<\/p>\n

This had the good Doctor doing some head scratching. How could this be fixed? Something in the way the part of the object had parsed did not show up the way we wanted. I was expecting individual columns on data.<\/p>\n

I could just hear myself shouting out, \u201cThis is a job for \u2026 Select-Object!\u201d<\/p>\n

First let\u2019s see what was exposed using Get-Member to decide where the problem might be.<\/p>\n

<\/p>\n

I could see a total of seven properties to view. The bool and string properties were probably straight forward and not causing an issue. System.Management.Automation as it was accessing a single property within itself was probably ok. \u00a0 I could be wrong, but sometimes a good honest guest works.<\/p>\n

But those X509Certificate2 objects? I foresaw them containing a lot of information such as Expiry, Issue, signatures. They could have been the problem.<\/p>\n

A simple test I did was to Run the Get-AuthenticodeSignature and only take the ones I guessed were ok and output them to a CSV file.<\/p>\n

Get-ChildItem c:\\windows\\notepad*.exe | Get-AuthenticodeSignature | `<\/span>\nSelect-Object -Property Path,ISOSBinary,SignatureType,Status,StatusMessage | `<\/span>\nExport-CSV C:\\report\\Signature.csv -NoTypeInformation<\/span><\/p>\n

<\/p>\n

This time the results were much nicer. So the challenge was to pull out the objects from WITHIN the object in X509Certificate2. Again a task designed for Select-Object and Get-Member.<\/p>\n

The first we needed to do was to see the properties *IN* that X509Certificate2 object.<\/p>\n

<\/p>\n

Now we can see a myriad of additional properties that were in that object. To obtain a property such as the SerialNumber, we need to leverage a feature of Select-Object called a \u201cCalculated Property\u201d. This feature has been around PowerShell for a VERY long time and is quite useful in these situations.<\/p>\n

Get-ChildItem C:\\Windows\\notepad.exe | Get-AuthenticodeSignature | `<\/span>\nSelect-Object -Property @{Name=’SignerSerialNumber’;Expression={($_.SignerCertificate.SerialNumber)}}<\/span><\/p>\n

Using this in PowerShell produced the following result<\/span><\/p>\n

SignerSerialNumber<\/span>\n——————<\/span>\n33000001C422B2F79B793DACB20000000001C4<\/span><\/p>\n

A much more desirable output. At this point it was a matter of producing a Calculated Property for each of the individual items from the X509Certificate2 object.<\/span><\/p>\n

Get-ChildItem C:\\Windows\\notepad.exe | Get-AuthenticodeSignature | `<\/span>\nSelect-object -Property Path, Status,StatusMessage,SignatureType, `<\/span>\n@{Name=’SubjectName’;Expression={($_.SignerCertificate.Subject)}}, `<\/span>\n@{Name=’SubjectIssuer’;Expression={($_.SignerCertificate.Issuer)}}, `<\/span>\n@{Name=’SubjectSerialNumber’;Expression={($_.SignerCertificate.SerialNumber)}}, `<\/span>\n@{Name=’SubjectNotBefore’;Expression={($_.SignerCertificate.NotBefore)}}, `<\/span>\n@{Name=’SubjectNotAfter’;Expression={($_.SignerCertificate.NotAfter)}}, `<\/span>\n@{Name=’SubjectThumbprint’;Expression={($_.SignerCertificate.ThumbPrint)}}, `<\/span>\n@{Name=’TimeStamperName’;Expression={($_.SignerCertificate.Subject)}}, `<\/span>\n@{Name=’TimeStamperIssuer’;Expression={($_.SignerCertificate.Issuer)}}, `<\/span>\n@{Name=’TimeStamperSerialNumber’;Expression={($_.SignerCertificate.SerialNumber)}}, `<\/span>\n@{Name=’TimeStamperNotBefore’;Expression={($_.SignerCertificate.NotBefore)}}, `<\/span>\n@{Name=’TimeStamperNotAfter’;Expression={($_.SignerCertificate.NotAfter)}}, `<\/span>\n@{Name=’TimeStamperThumbprint’;Expression={($_.SignerCertificate.ThumbPrint)}}<\/span><\/p>\n

With this we now had an object that would export directly to a CSV.<\/p>\n

As a simple way to consume it, we could even write it up as a function.<\/p>\n

Function Expand-AuthenticodeSignature($AuthenticodeSignature)<\/span>\n{<\/span>\n$AuthenticodeSignature | Select-object -Property Path, `<\/span>\nStatus,StatusMessage,SignatureType, `<\/span>\n@{Name=’SubjectName’;Expression={($_.SignerCertificate.Subject)}}, `<\/span>\n@{Name=’SubjectIssuer’;Expression={($_.SignerCertificate.Issuer)}}, `<\/span>\n@{Name=’SubjectSerialNumber’;Expression={($_.SignerCertificate.SerialNumber)}}, `<\/span>\n@{Name=’SubjectNotBefore’;Expression={($_.SignerCertificate.NotBefore)}}, `<\/span>\n@{Name=’SubjectNotAfter’;Expression={($_.SignerCertificate.NotAfter)}}, `<\/span>\n@{Name=’SubjectThumbprint’;Expression={($_.SignerCertificate.ThumbPrint)}}, `<\/span>\n@{Name=’TimeStamperName’;Expression={($_.SignerCertificate.Subject)}}, `<\/span>\n@{Name=’TimeStamperIssuer’;Expression={($_.SignerCertificate.Issuer)}}, `<\/span>\n@{Name=’TimeStamperSerialNumber’;Expression={($_.SignerCertificate.SerialNumber)}}, `<\/span>\n@{Name=’TimeStamperNotBefore’;Expression={($_.SignerCertificate.NotBefore)}}, `<\/span>\n@{Name=’TimeStamperNotAfter’;Expression={($_.SignerCertificate.NotAfter)}}, `<\/span>\n@{Name=’TimeStamperThumbprint’;Expression={($_.SignerCertificate.ThumbPrint)}}}<\/span><\/p>\n

Now that we have the data in a more consumable and exportable fashion. We can even grab a list of files with their Digital Certificate status<\/p>\n

$List=Get-ChildItem C:\\Windows\\*.exe | Get-AuthenticodeSignature<\/p>\n

\u2026.then produce the new output in a script with our function and Export it directly to a CSV file<\/p>\n

Expand-AuthenticodeSignature -AuthenticodeSignature $List | Export-Csv C:\\report\\working.csv<\/p>\n

As you can see, the results are much more useful.<\/p>\n

<\/p>\n

SH that is all there is to seeing how to report on Digitally Signed files with Get-AuthenticodeSigntature<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Your good friend, Doctor Scripto<\/strong><\/p>\n

PowerShell, Doctor Scripto, Certificates, Sean Kearney<\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Using the Get-AuthenticodeSignature cmdlet to show if a file is Digitally Signed Q: Hey, Doctor Scripto! I was curious, since many new files are Digitally signed with a certificate if there was an easy way to see the status of the Digital Signatures of many files easily? \u2014SH A: Hello SH your good friend […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1739,1738,685],"tags":[646,1740,377,154],"class_list":["post-86114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-doctor-scripto","category-powershell","category-scripting-techniques","tag-certificate","tag-doctor-scripto","tag-powershell","tag-sean-kearney"],"acf":[],"blog_post_summary":"

Summary: Using the Get-AuthenticodeSignature cmdlet to show if a file is Digitally Signed Q: Hey, Doctor Scripto! I was curious, since many new files are Digitally signed with a certificate if there was an easy way to see the status of the Digital Signatures of many files easily? \u2014SH A: Hello SH your good friend […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/86114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=86114"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/86114\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=86114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=86114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=86114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}