Signing Win32 Script Files

M. Gallant 06/11/2002

Windows Script 5.6 introduces the capability to digitally sign Win32 script files (.wsf, .vbs, .vbe, .js, .jse), in addition to the file types previously supported for Authenticode signatures (.exe, .dll, .ocx, .cab, .cat, .ctl).

For digitally signing and verifying files, developers using Win32 technology have the following approaches:

Configuring signed script security via the registry (with information on WinXP configuration)

Script TrustPolicy Editor:



Signature-block Extractor:

When a script is signed using WSH 5.6 functionality, a base64-encoded signature block in standard "p7s" cryptographic format is appended to the bottom of the script file, in comment lines whose syntax depends on the file type (vbs, js, wsf). The utility GetP7s.vbs extracts this signature block into a separate .p7s file, which can be viewed directly using the .p7s file association available with IE5+:
rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1


The signature block file can also be parsed and scripted using the Authenticode 5 tool certmgr to retrieve any level of information required within the signature block.
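
The extraction step described above, sketched in Python as an added example (this is not the GetP7s.vbs source). The comment prefixes and Begin/End marker lines are assumptions about the WSH 5.6 signed-file layout that the page does not list, and the sample scripts and placeholder signature bytes are constructed.

```python
import base64
import re

# Comment prefix carrying signature data for vbs, js and wsf files
# (assumed WSH 5.6 layout; the page does not list these).
SIG_PREFIXES = ("'' SIG '' ", "// SIG // ", "** SIG ** ")
MARKERS = ("Begin signature block", "End signature block")
# Constructed placeholder bytes standing in for a real PKCS #7 blob.
FAKE_P7S = b"\x30\x82" + bytes(range(70))


def extract_p7s(script_text):
    """Return the decoded signature block, or None if the script is unsigned."""
    chunks = []
    for line in script_text.splitlines():
        for prefix in SIG_PREFIXES:
            if line.startswith(prefix):
                payload = line[len(prefix):].strip()
                if payload not in MARKERS:
                    chunks.append(payload)
                break
    if not chunks:
        return None
    b64 = "".join(chunks)
    # Fail loudly on anything that is not clean base64 instead of skipping it.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("signature block contains non-base64 data")
    return base64.b64decode(b64, validate=True)


def make_signed(kind, blob=FAKE_P7S):
    """Build a constructed signed-script sample of kind 'vbs', 'js' or 'wsf'."""
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 44] for i in range(0, len(b64), 44)]
    if kind == "wsf":
        body = ['<job><script language="VBScript">WScript.Echo 1</script>',
                "<signature>"]
        body += ["** SIG ** " + r for r in rows] + ["</signature>", "</job>"]
    else:
        p = "'' SIG '' " if kind == "vbs" else "// SIG // "
        body = ["WScript.Echo(1)", p + MARKERS[0]]
        body += [p + r for r in rows] + [p + MARKERS[1]]
    return "\r\n".join(body)


if __name__ == "__main__":
    for kind in ("vbs", "js", "wsf"):
        print(kind, len(extract_p7s(make_signed(kind))), "bytes recovered")
```

A `None` result distinguishes an unsigned script from a signed one whose block is malformed, which raises `ValueError`.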