Sign an arbitrary windows executable with a new self signed certificate

do-some-signing.ps1

# Snippets to sign an executable of your choice with a new certificate trusted only by you.
# Run these commands in an Administrative Powershell session.
#
# WARNING: This creates a new certificate authority and installs it on your computer!
# This means that if someone gets a hold of the certificate you generate here, they can
# impersonate (almost) any HTTPS website you visit (exception being sites which pin their 
# certificates - but that is not the norm yet).
#
# Source: https://stackoverflow.com/a/51443366/775982

# once-off steps: generate a new certificate for signing your own code, extract it to a
# file so that you can install it so that it's trusted for code signing and as a root CA
# then delete the certificate file to prevent someone else getting their hands on it
New-SelfSignedCertificate -DnsName [email protected] -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My
Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath code_signing.crt
Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\TrustedPublisher
Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\Root
Remove-Item .\code_signing.crt

# sign the executable you want to sign
Set-AuthenticodeSignature .\something.exe -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)
# now you should be able to check and see that there's a valid signature on the executable you signed

• Tips for hex editing natlink.exe.

Correctly edited natlink.exe using HxD. At the bottom you can change the input mode from overwrite to insert which makes it easier for editing.

The wrong way to edit as values of attributes in XML are whitespace sensitive. An extra space was accidentally included.

• Troubleshooting signing natlink.exe. Use at your own risk!
  Note: Backup specific certificates if needed. < Not tested
  Press the Windows key + R together to open the Run box. Type certmgr.msc and click OK to open Certificates Manager. Use Google to figure out which format to export certificates.

1. Fix Set-AuthenticodeSignature : Cannot convert 'System.Object[]' to the type

Set-AuthenticodeSignature : Cannot convert 'System.Object[]' to the type
'System.Security.Cryptography.X509Certificates.X509Certificate2' required by parameter 'Certificate'. Specified method
is not supported.

Try Set-AuthenticodeSignature .\natlink.exe -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

2. Status UnknownError after the following command to sign natlink.exe. Set-AuthenticodeSignature .\natlink.exe -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] < With or without [0] at the end of the command.

   Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert Does it return that return one item or more items? Ideally it should be one.

Note: However I cannot guarantee that another entity is using [email protected] for certificates. Removing the wrong certificate could have unforeseeable and unintended consequences use at your own risk the following. Remove the extra certificates or remove all and restart the tutorial. Make sure to replace <Thumbprint> from the above command in the following command.

Get-ChildItem Cert:\CurrentUser\My\<Thumbprint> | Remove-Item

3. If restarting the tutorial the following commands may be helpful. Keep in mind all the previous warnings!
   Press the Windows key + R together to open the Run box. Type certmgr.msc and click OK to open Certificates Manager.

Go to Action > Find Certificates input in the contains text box [email protected] then delete as needed. You can help determine what certificates you added by the time and date they were created.