Signing and Verifying Script Files with Scripting.Signer object

M. Gallant 06/10/2002

Windows Script 5.6 introduces the capability to digitally sign Win32 script files (.wsf, .vbs, .vbe, .js, .jse) in addition to the file types that already supported Authenticode signatures (.exe, .dll, .ocx, .cab, .cat and .ctl). Windows XP extends this security infrastructure with Software Restriction Policy technology.

The Scripting.Signer object provided by wshext.dll allows scripting of the basic file and string digital-signature operations, and of signature verification. This approach can be used to sign and verify ANY file type that supports Authenticode signatures, so developers can easily build CryptoAPI- and signature-aware applications and utilities. The basic script appended at the bottom of this page demonstrates how to digitally sign, and then verify the signature on, another script file (in this case the VBScript file ShowMyShares.vbs). The SignFile() method signs the script with a code-signing certificate (here, one with Common Name "Security Development" held in the default system certificate store). The signed script is then verified with the VerifyFile() method.

The code-signing certificate used to sign the target script ShowMyShares.vbs was issued by an enterprise Certificate Authority (CA). Proper verification of any digitally signed file also requires that the issuing CA be trusted, so you must import the following root CA certificate if you wish to test the signed ShowMyShares.vbs provided here for testing and evaluation purposes:

Root CA certificate (ou=NorlockPKI,o=Nortel External)
SHA-1 fingerprint: 3182 409C C8FC 6F86 2510 1424 37A4 3C6B A891 1068

Some interesting things to try: Script Security Documentation
'*******************************************************************
' File:   wshsign.vbs (WSH for VBScript)
' Author: (c) M. Gallant 12/03/2000
'
' Demonstrates Windows Script 5.6 b1 digital signing and
' signature verification using the Scripting.Signer object.
'
' (1) Digitally signs file "ShowMyShares.vbs" in the current script
'     directory, using an existing certificate in the default
'     certificate store with cn (Common Name) "Security Development"
' (2) Checks the digital signature applied to the "ShowMyShares.vbs"
'     file in the current script directory.
'
' Signing certificate issued by "ou=NorlockPKI,o=Nortel External"
' This root CA certificate available from:
'
'********************************************************************
Option Explicit
Dim oScrSig, oFso, sigfile, sigstatus, scriptpath, showGUI
Const ftotest = "ShowMyShares.vbs"

showGUI = False                        ' verify silently, no UI prompt
Set oScrSig = WScript.CreateObject("Scripting.Signer")
Set oFso = WScript.CreateObject("Scripting.FileSystemObject")

scriptpath = oFso.GetParentFolderName(WScript.ScriptFullName) & "\"
sigfile = scriptpath & ftotest

oScrSig.SignFile sigfile, "Security Development"   ' try to sign the file.
sigstatus = oScrSig.VerifyFile(sigfile, showGUI)   ' verify the signature.

If sigstatus Then
    WScript.Echo "Signature verified for " & ftotest
Else
    WScript.Echo "Signature **FAILED** verification for " & ftotest
End If
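As an added example (not code from the original page or its author) that takes the script above one step further, the following script signs a small constructed file, verifies it silently, then prepends one line to a copy of the signed file and verifies the copy, so you can see VerifyFile reject altered content. It assumes the page's certificate (CN "Security Development") sits in the current user's "My" store with a trusted issuing CA; the file names signtest.vbs and signtest_tampered.vbs are constructed for the demo.

```vbscript
Option Explicit
' Added example, not from the original page or its author.
' Assumptions: a code-signing certificate with CN "Security Development"
' is in the current user's "My" store and its root CA is trusted here;
' both file names below are constructed for this demonstration.
Dim oSig, oFso, scriptDir, signedFile, tamperedFile, ts, body
Const CERT_CN = "Security Development"
Const CERT_STORE = "My"

Set oSig = WScript.CreateObject("Scripting.Signer")
Set oFso = WScript.CreateObject("Scripting.FileSystemObject")
scriptDir = oFso.GetParentFolderName(WScript.ScriptFullName) & "\"
signedFile = scriptDir & "signtest.vbs"              ' constructed sample
tamperedFile = scriptDir & "signtest_tampered.vbs"   ' constructed sample

' Returns True only when VerifyFile succeeds with no UI; a runtime error
' (e.g. unreadable file or malformed signature block) counts as failure.
Function SafeVerify(path)
    On Error Resume Next
    SafeVerify = oSig.VerifyFile(path, False)
    If Err.Number <> 0 Then SafeVerify = False
    On Error GoTo 0
End Function

' Write a trivial script to act as the signing target.
Set ts = oFso.CreateTextFile(signedFile, True)
ts.WriteLine "WScript.Echo ""hello from a signed script"""
ts.Close

' SignFile raises a runtime error when no matching certificate is found,
' so trap it instead of letting the script abort with an unhandled error.
On Error Resume Next
oSig.SignFile signedFile, CERT_CN, CERT_STORE
If Err.Number <> 0 Then
    WScript.Echo "Signing failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Build the tampered copy: identical signature block, but one extra line of
' code in front of the signed body, so the signed hash no longer matches.
body = oFso.OpenTextFile(signedFile, 1).ReadAll
Set ts = oFso.CreateTextFile(tamperedFile, True)
ts.WriteLine "WScript.Echo ""line inserted before the signed body"""
ts.Write body
ts.Close

WScript.Echo "Signed file verifies:   " & SafeVerify(signedFile)
WScript.Echo "Tampered copy verifies: " & SafeVerify(tamperedFile)
```

Run it with cscript so the two results appear on the console; a False for the signed file itself almost always means the issuing CA is not in the trusted root store, not that the signature is bad.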