Can I digitally sign JScript (.js) or VBScript (.vbs) files?

Asked 12/12, 2015 at 10:44 Answered 24/12, 2015 at 0:0

Solved windows vbscript digital-signature jscript wsh

I know that one can sign a Windows binary executable file using signtool. So all this time I was under assumption that one cannot sign any of the files interpreted by Windows Script Host, such as JScript (.js) or VBScript (.vbs) because those are mere text files.

But today, while opening a .js file that I downloaded off my web site, I was greeted by this warning:

So does this mean that there's a way to sign those .js/.vbs files? If so, then how?

Cincinnatus answered 12/12, 2015 at 10:44 Comment(0)

Just to finalize my original question. The answer is yes. To the best of my knowledge, one can sign the following files using Microsoft's SignTool:

Obviously Windows executables: .exe, .dll, .com (for old DOS format), .scr (for screensaver), .ocx (for ActiveX control), .cpl (for Control Panel executable.)
Windows installer files: .msi, .msp
Text-based scripts: .js (for JScript), .vbs (for VBScript), .jse (for encoded JScript), .vbe (for encoded VBScript)
PowerShell scripts: .ps1 , .psm1, .ps1xml
Windows Script Files: .wsf (with mixed content)

Cincinnatus answered 24/12, 2015 at 0:0 Comment(2)

You can add .wsf (Windows Script File) to the list. – Gentlewoman 17/12, 2019 at 16:41

Can you sign HTA files? The question has come up - Is it possible to add digital signature on a hta file?. – Toothed 14/1, 2021 at 15:59

The Scripting.Signer Object can sign a script with a digital signature.

Dim filespec : Set filespec = "my_script.vbs"
Dim cert : Set cert = "my" ' the default private certificate
Dim oSign : Set oSign = CreateObject("Scripting.Signer")
Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
Dim file : Set file = fso.GetFile(filespec)

oSign.SignFile file.Path, cert

Flank answered 12/12, 2015 at 20:4 Comment(3)

Hmm. That's interesting... except that I can't make it to work. I replaced cert in your example with the name that I get for my code signing cert that I use to sign .exe files. To get that name I run certmgr.msc and locate the cert in Truster Publishers->Certificates and get it from the Issued To column. But in that case the SignFile method returns Error: Cannot find the certificate and private key to use for decryption. and Code: 8009200C. Any idea why? – Cincinnatus 12/12, 2015 at 22:56

Oh, just realized that signtool can sign the following script files as well: .vbs, .vbe, .js, .jse, .wsf by adding a signature in the comments at the end. So there's no need to do this VB masturbation: msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx It would help if that MSDN page mentioned it though... – Cincinnatus 13/12, 2015 at 0:20

Hmm… You might also need to pass a store in the third position of the SignFile procedure? I think signtool and Scripting.Signer might both be calling the same Windows API under the covers, anyway. – Flank 13/12, 2015 at 4:2

Recommended topics

Hot tags