
Code signing in PowerShell - Practice Problems & Coding Challenges

Challenge - 5 Problems
💻 Command Output
intermediate
What is the output of this PowerShell code signing command?
Consider the following PowerShell command that attempts to sign a script file. What will be the output if the certificate thumbprint is invalid or not found?
PowerShell
Set-AuthenticodeSignature -FilePath script.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My\INVALIDTHUMBPRINT)
A. No output, command runs silently
B. Script signed successfully
C. Warning: Certificate expired
D. Error: Cannot find certificate with thumbprint INVALIDTHUMBPRINT
💡 Hint
Think about what happens if the certificate object is null or empty.
💻 Command Output
intermediate
What does this PowerShell snippet output when verifying a signed script?
Given a signed script file 'signedScript.ps1', what will this command output?
PowerShell
Get-AuthenticodeSignature -FilePath signedScript.ps1 | Select-Object Status
A
Status
-------
Valid
B
Status
-------
NotSigned
C
Status
-------
UnknownError
D
Status
-------
HashMismatch
💡 Hint
The script is signed and not tampered with.
📝 Syntax
advanced
Which option correctly signs a script with a certificate from the CurrentUser store?
Select the PowerShell command that correctly signs 'myscript.ps1' using a certificate with thumbprint 'ABC123' from the CurrentUser\My store.
A. Set-AuthenticodeSignature -FilePath myscript.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My\ABC123)
B. Set-AuthenticodeSignature -FilePath myscript.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'ABC123' })
C. Set-AuthenticodeSignature -FilePath myscript.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\Root\ABC123)
D. Set-AuthenticodeSignature -FilePath myscript.ps1 -Certificate (Get-ChildItem Cert:\LocalMachine\My\ABC123)
💡 Hint
Get-ChildItem with a path ending with thumbprint does not work as expected; filtering is needed.
🔧 Debug
advanced
Why does this code signing command fail with a null certificate error?
Analyze the following code snippet and select the reason it fails with a null certificate error.
PowerShell
 $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like '*MyCert*' }
 Set-AuthenticodeSignature -FilePath script.ps1 -Certificate $cert
A. Set-AuthenticodeSignature requires a file path with full absolute path
B. $cert is null because the certificate store path is incorrect
C. $cert contains multiple certificates, causing Set-AuthenticodeSignature to fail
D. The script file 'script.ps1' does not exist
💡 Hint
Consider what happens if the filter returns more than one certificate.
🚀 Application
expert
How to automate signing multiple scripts with error handling in PowerShell?
You want to sign all '.ps1' files in a folder using a certificate with thumbprint 'DEF456'. Which script correctly signs each file and logs errors without stopping the entire process?
A
Get-ChildItem -Path . -Filter '*.ps1' | ForEach-Object {
  try {
    Set-AuthenticodeSignature -FilePath $_.FullName -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'DEF456' })
  } catch {
    Write-Output "Failed to sign $($_.Name): $_"
  }
}
B
foreach ($file in Get-ChildItem -Path . -Filter '*.ps1') {
  Set-AuthenticodeSignature -FilePath $file.FullName -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'DEF456' })
}
C
Get-ChildItem -Path . -Filter '*.ps1' | ForEach-Object {
  Set-AuthenticodeSignature -FilePath $_.FullName -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'DEF456' }) -ErrorAction SilentlyContinue
}
D
foreach ($file in Get-ChildItem -Path . -Filter '*.ps1') {
  try {
    Set-AuthenticodeSignature -FilePath $file.FullName -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'DEF456' })
  } catch {
    Write-Output "Error signing $($file.Name)"
    break
  }
}
💡 Hint
You want to continue signing even if one file fails and log the error.

Practice

1. What is the main purpose of code signing a PowerShell script?
easy
A. To prove the script is from a trusted source and has not been altered
B. To make the script run faster
C. To encrypt the script content
D. To convert the script into an executable file

Solution

  1. Step 1: Understand code signing purpose

    Code signing is used to verify the identity of the script author and ensure the script has not been changed.
  2. Step 2: Compare options

    Only option A, "To prove the script is from a trusted source and has not been altered", describes this purpose correctly. The other options describe unrelated actions such as encryption or performance.
  3. Final Answer:

    To prove the script is from a trusted source and has not been altered -> Option A
  4. Quick Check:

    Code signing = prove trust and integrity [OK]
Hint: Code signing proves trust and no changes [OK]
Common Mistakes:
  • Thinking code signing encrypts the script
  • Believing code signing speeds up execution
  • Confusing code signing with file conversion
2. Which PowerShell command is used to sign a script with a certificate?
easy
A. New-ScriptSignature
B. Sign-ScriptCertificate
C. Set-AuthenticodeSignature
D. Add-ScriptCertificate

Solution

  1. Step 1: Identify the correct cmdlet for signing

    The official PowerShell cmdlet to sign scripts is Set-AuthenticodeSignature.
  2. Step 2: Verify other options

    Other options are not valid PowerShell commands for signing scripts.
  3. Final Answer:

    Set-AuthenticodeSignature -> Option C
  4. Quick Check:

    Sign script cmdlet = Set-AuthenticodeSignature [OK]
Hint: Remember: Set-AuthenticodeSignature signs scripts [OK]
Common Mistakes:
  • Using non-existent cmdlets like Sign-ScriptCertificate
  • Confusing signing with creating certificates
  • Misspelling the cmdlet name
3. What will be the output of this PowerShell command if the script is successfully signed?
Set-AuthenticodeSignature -FilePath 'script.ps1' -Certificate $cert
medium
A. The script file is deleted
B. An error message about missing parameters
C. No output is shown
D. A Signature object showing Status as Valid

Solution

  1. Step 1: Understand Set-AuthenticodeSignature output

    This cmdlet returns a Signature object with a Status property indicating if signing succeeded.
  2. Step 2: Interpret successful signing output

    If signing succeeds, Status will be 'Valid'. No deletion or silent output occurs.
  3. Final Answer:

    A Signature object showing Status as Valid -> Option D
  4. Quick Check:

    Successful signing = Status Valid output [OK]
Hint: Successful signing returns Status Valid object [OK]
Common Mistakes:
  • Expecting no output after signing
  • Thinking the script file is deleted
  • Confusing error messages with success
4. You run this command but get an error: Set-AuthenticodeSignature : Cannot find the certificate. What is the likely cause?
medium
A. The script is already signed
B. The certificate variable is empty or invalid
C. PowerShell version is too old
D. The script file path is incorrect

Solution

  1. Step 1: Analyze the error message

    The error says it cannot find the certificate, meaning the $cert variable is likely empty or invalid.
  2. Step 2: Check other options

    An incorrect file path causes a different error. Neither the PowerShell version nor an existing signature causes this specific error.
  3. Final Answer:

    The certificate variable is empty or invalid -> Option B
  4. Quick Check:

    Certificate missing error = invalid $cert [OK]
Hint: Check certificate variable if 'Cannot find certificate' error [OK]
Common Mistakes:
  • Assuming file path is the problem
  • Thinking PowerShell version causes this error
  • Believing script already signed causes this error
5. You want to sign multiple scripts in a folder using the same certificate. Which PowerShell snippet correctly signs all .ps1 files?
hard
A. Get-ChildItem -Path . -Filter '*.ps1' | ForEach-Object { Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert }
B. Set-AuthenticodeSignature -FilePath '*.ps1' -Certificate $cert
C. ForEach ($file in '*.ps1') { Set-AuthenticodeSignature -FilePath $file -Certificate $cert }
D. Get-Content '*.ps1' | Set-AuthenticodeSignature -Certificate $cert

Solution

  1. Step 1: Identify correct way to get all .ps1 files

    Get-ChildItem -Filter '*.ps1' lists all script files in the folder.
  2. Step 2: Apply signing to each file

    Using ForEach-Object to call Set-AuthenticodeSignature on each file with the certificate is correct.
  3. Step 3: Check other options

    Option B, Set-AuthenticodeSignature -FilePath '*.ps1' -Certificate $cert, tries to sign a wildcard path directly (invalid). Option C, ForEach ($file in '*.ps1') { Set-AuthenticodeSignature -FilePath $file -Certificate $cert }, treats '*.ps1' as a string list (wrong). Option D, Get-Content '*.ps1' | Set-AuthenticodeSignature -Certificate $cert, pipes file content, not file paths (wrong).
  4. Final Answer:

    Get-ChildItem -Path . -Filter '*.ps1' | ForEach-Object { Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert } -> Option A
  5. Quick Check:

    Use Get-ChildItem + ForEach-Object to sign all scripts [OK]
Hint: Use Get-ChildItem and ForEach-Object to sign multiple files [OK]
Common Mistakes:
  • Trying to sign wildcard paths directly
  • Using file content instead of file paths
  • Treating '*.ps1' as a list of files
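
Worked example (added here, not part of the original quiz): a batch signer that covers the failure modes the questions above touch on, namely an empty or ambiguous certificate lookup, per-file errors that must not stop the run, and checking the resulting signature Status. The function names Get-SigningCertificate and Invoke-ScriptSigning are hypothetical, and 'DEF456' is the placeholder thumbprint from the challenge question.

```powershell
# Added example; function names are hypothetical, thumbprint is a placeholder.
function Get-SigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # -CodeSigningCert limits the listing to certificates valid for code signing.
    # @(...) forces an array so .Count is reliable for 0, 1 or many matches.
    $found = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint })

    if ($found.Count -ne 1) {
        throw "Expected exactly one code signing certificate with thumbprint $Thumbprint, found $($found.Count)."
    }
    if (-not $found[0].HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; it cannot sign."
    }
    if ($found[0].NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($found[0].NotAfter)."
    }
    return $found[0]
}

function Invoke-ScriptSigning {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Resolve the certificate once and fail early, before touching any file.
    $cert = Get-SigningCertificate -Thumbprint $Thumbprint

    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.ps1' -File) {
        try {
            # -ErrorAction Stop turns non-terminating errors into exceptions for catch.
            Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                -HashAlgorithm SHA256 -ErrorAction Stop | Out-Null
            # Re-read the signature from disk and report what a verifier would see.
            $check = Get-AuthenticodeSignature -FilePath $file.FullName
            [pscustomobject]@{ File = $file.Name; Status = $check.Status; Error = $null }
        } catch {
            # Inside catch, $_ is the ErrorRecord, so the file name comes from $file.
            [pscustomobject]@{ File = $file.Name; Status = 'Failed'; Error = $_.Exception.Message }
        }
    }
}

# Sign everything in the current folder and list only the files that need attention.
$results = Invoke-ScriptSigning -Folder . -Thumbprint 'DEF456'
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Any row whose Status is not Valid should be treated as unsigned by the release process, even when the signing call itself did not throw.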