Execution Flow
Certificate resolution order: 1. -CertificatePath (PFX) → 2. -CertificateThumbprint (LocalMachine\My, then CurrentUser\My) → 3. Auto-detect (first valid, non-expired code signing cert in both stores). Files with a valid signature are skipped unless -Force.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| -ModulePath | String | Optional | Root directory to sign recursively. Defaults to parent of $PSScriptRoot (auto-detect). |
| -CertificateThumbprint | String | Optional | Thumbprint of a certificate in LocalMachine\My or CurrentUser\My. |
| -CertificatePath | String | Optional | Path to a .pfx file. Takes precedence over -CertificateThumbprint. |
| -CertificatePassword | SecureString | Optional | Password for the PFX file. |
| -TimestampServer | String | Optional | Primary TSA URL. Default: http://timestamp.digicert.com. Fallback: http://timestamp.sectigo.com. |
| -IncludeExtensions | String[] | Optional | File extensions to sign. Default: @('.ps1', '.psm1', '.psd1'). |
| -Force | Switch | Optional | Re-signs files that already carry a valid signature. |
Return Value
Returns List<PSCustomObject> — one entry per file with: FilePath, FileName, Status (Signed / Skipped / Failed / WhatIf), PreviousStatus, Thumbprint, CertSubject, TimestampServer, ErrorMessage. Summary is also copied to the clipboard.
Examples
Example 1 — Auto-detect certificate
Invoke-sqmSignModule -ModulePath "C:\Dev\sqmSQLTool"
Example 2 — Sign with PFX file
$pwd = ConvertTo-SecureString "secret" -AsPlainText -Force
Invoke-sqmSignModule -ModulePath "C:\Dev\sqmSQLTool" -CertificatePath "C:\Certs\CodeSign.pfx" -CertificatePassword $pwd
Example 3 — WhatIf dry run
Invoke-sqmSignModule -ModulePath "C:\Dev\sqmSQLTool" -WhatIf
Example 4 — Force re-sign all files
Invoke-sqmSignModule -ModulePath "C:\Dev\sqmSQLTool" -CertificateThumbprint "AB12CD34EF56..." -Force