
I know that one can sign a Windows binary executable file using signtool. So all this time I was under the assumption that one cannot sign any of the files interpreted by Windows Script Host, such as JScript (.js) or VBScript (.vbs), because those are mere text files.

But today, while opening a .js file that I downloaded off my web site, I was greeted by this warning:

enter image description here

So does this mean that there's a way to sign those .js/.vbs files? If so, then how?

c00000fd

2 Answers


Just to finalize my original question. The answer is yes. To the best of my knowledge, one can sign the following files using Microsoft's SignTool:

  • Obviously Windows executables: .exe, .dll, .com (for old DOS format), .scr (for screensaver), .ocx (for ActiveX control), .cpl (for Control Panel executable.)

  • Windows installer files: .msi, .msp

  • Text-based scripts: .js (for JScript), .vbs (for VBScript), .jse (for encoded JScript), .vbe (for encoded VBScript)

  • PowerShell scripts: .ps1, .psm1, .ps1xml

  • Windows Script Files: .wsf (with mixed content)

c00000fd

The Scripting.Signer Object can sign a script with a digital signature.

```vbscript
Dim filespec : filespec = "my_script.vbs" ' plain string, so no Set
Dim cert : cert = "my" ' the default private certificate
Dim oSign : Set oSign = CreateObject("Scripting.Signer")
Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
Dim file : Set file = fso.GetFile(filespec)

' Append the signature block to the script file
oSign.SignFile file.Path, cert
```
Jacob Krall
  • Hmm. That's interesting... except that I can't make it work. I replaced `cert` in your example with the name that I get for my code signing cert that I use to sign .exe files. To get that name I run `certmgr.msc` and locate the cert in `Trusted Publishers->Certificates` and get it from the `Issued To` column. But in that case the `SignFile` method returns `Error: Cannot find the certificate and private key to use for decryption.` and `Code: 8009200C`. Any idea why? – c00000fd Dec 12 '15 at 22:56
  • Oh, just realized that `signtool` can sign the following script files as well: `.vbs, .vbe, .js, .jse, .wsf` by adding a signature in the comments at the end. So there's no need to do this VB masturbation: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx It would help if that MSDN page mentioned it though... – c00000fd Dec 13 '15 at 00:20
  • Hmm… You might also need to pass a `store` in the third position of the `SignFile` procedure? I think `signtool` and `Scripting.Signer` might both be calling the same Windows API under the covers, anyway. – Jacob Krall Dec 13 '15 at 04:02
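
The comment above notes that a signed script carries its signature in comments at the end of the file. The following is an added example, not code from any poster in this thread: it locates that trailing block in a `.vbs` or `.js` file and decodes it, which is enough to triage which scripts carry a signature block but does not validate it. The marker strings (`'' SIG '' ` / `// SIG // `, `Begin signature block`, `End signature block`) are assumed from the layout signed script files use, and the sample blob is constructed, not a real signature.

```python
import base64

# Comment prefix per script type (assumption: the layout signed .vbs/.js files
# use; the thread itself only says the signature sits in trailing comments).
SIG_PREFIX = {".vbs": "'' SIG '' ", ".js": "// SIG // "}

# Constructed stand-in for the signature blob: NOT a real signature.
FAKE_BLOB = b"\x30\x82\x01\x00" + bytes(range(96))


def make_sample(ext, body='WScript.Echo("hello")'):
    """Build a constructed 'signed' script: body plus trailing signature comments."""
    prefix = SIG_PREFIX[ext]
    b64 = base64.b64encode(FAKE_BLOB).decode("ascii")
    chunks = [b64[i:i + 44] for i in range(0, len(b64), 44)]
    block = ["Begin signature block", *chunks, "End signature block"]
    return "\r\n".join([body] + [prefix + line for line in block]) + "\r\n"


def extract_signature(text, ext):
    """Return the decoded bytes of the embedded signature block, or None.

    None means no block, a truncated block, or a block that is not clean
    base64. A non-None result only proves a block is present; checking that
    it is valid for this file is the job of the Windows trust APIs.
    """
    prefix = SIG_PREFIX[ext.lower()]
    lines = [line.rstrip() for line in text.splitlines()]
    try:
        start = lines.index(prefix + "Begin signature block")
        end = lines.index(prefix + "End signature block", start + 1)
    except ValueError:
        return None  # unsigned, or the end marker was cut off
    body = lines[start + 1:end]
    if not body or any(not line.startswith(prefix) for line in body):
        return None  # foreign lines inside the block
    try:
        return base64.b64decode("".join(l[len(prefix):] for l in body), validate=True)
    except ValueError:
        return None  # payload is not valid base64


if __name__ == "__main__":
    for ext in (".vbs", ".js"):
        blob = extract_signature(make_sample(ext), ext)
        print(ext, "signature block:", None if blob is None else f"{len(blob)} bytes")
    print("unsigned:", extract_signature('WScript.Echo("hello")\r\n', ".js"))
```
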