How to sign XML file with PowerShell

Jean-Yves Moschetto (ANVOLE) | 16 May, 2017 | PowerShell, XML, Sign


In my development work I often need to protect my sources and make sure that the XML configuration file I use has not been modified by someone.

The idea is to sign the XML configuration file, and later have the program that reads the file check the XML signature first.

Of course, you first need a "Code Signing" certificate.

Param ([string]$CommandLine)
# Load System.Security, which contains the System.Security.Cryptography.Xml namespace
Add-Type -AssemblyName System.Security

function Sign-XML {
    Param ([xml]$xml, [System.Security.Cryptography.RSA]$rsaKey, [string]$Destination)
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml
    $signedXml.SigningKey = $rsaKey
    # An empty URI references the whole document (enveloped signature)
    $Reference = New-Object System.Security.Cryptography.Xml.Reference
    $Reference.Uri = ""
    # The enveloped-signature transform excludes the Signature element itself from the digest
    $env = New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform
    $Reference.AddTransform($env)
    $signedXml.AddReference($Reference)
    $signedXml.ComputeSignature()
    [System.Xml.XmlElement]$xmlSignatur = $signedXml.GetXml()
    # Add signature to end of xml file
    $xml.DocumentElement.AppendChild($xml.ImportNode($xmlSignatur, $true)) | Out-Null
    if ($xml.FirstChild -is [System.Xml.XmlDeclaration]) {
        $xml.RemoveChild($xml.FirstChild) | Out-Null
    }
    $xml.Save($Destination)
}

function Verify-XmlSignature {
    Param ([xml]$checkxml, [System.Security.Cryptography.AsymmetricAlgorithm]$key)
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $checkxml
    $XmlNodeList = $checkxml.GetElementsByTagName("Signature")
    # Exactly one Signature element is expected; a missing or duplicated one is rejected
    if ($XmlNodeList.Count -ne 1) { throw "Expected one Signature element, found $($XmlNodeList.Count)" }
    $signedXml.LoadXml([System.Xml.XmlElement]($XmlNodeList[0]))
    # Check against the key we supply, not against any key embedded in the document
    $check = $signedXml.CheckSignature($key)
    return $check
}

$SignerSubject = 'E=jeanyves.moschetto@yoursystems.eu, CN=Jean-Yves Moschetto, OU=Carib Infra, O=YourSystems, L=LILLE, S=NORD, C=FR'
$SigningCert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Subject -eq $SignerSubject } | Select-Object -First 1
if (-not $SigningCert) { throw "No code-signing certificate found with subject '$SignerSubject'" }

$Source = [System.IO.FileInfo]$CommandLine
$Destination = "$($Source.DirectoryName)\$($Source.BaseName).signed$($Source.Extension)"
[xml]$XMLsource = Get-Content -Path $Source.FullName -Raw
Sign-XML -xml $XMLsource -rsaKey $SigningCert.PrivateKey -Destination $Destination

# Test the verification here - this function goes into the program whose XML is to be protected
[xml]$XMLdestination = Get-Content -Path $Destination -Raw
$Result = Verify-XmlSignature -checkxml $XMLdestination -key $SigningCert.PublicKey.Key
"Signature valid: $Result"



Here is the result, a signed XML file; we can clearly see the added "Signature" section.
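To show the check actually catching a modified file, here is an added example (not code from the original post) that signs a constructed configuration document with an ephemeral RSA key instead of a certificate from the store, verifies the untouched copy, then flips one value and verifies again. The Test-XmlSignature function and the sample XML are constructed for this example.

```powershell
Add-Type -AssemblyName System.Security
# Ephemeral RSA key standing in for the code-signing certificate (RSA.Create(Int32) needs .NET Framework 4.7.2+ or PowerShell 7)
$rsa = [System.Security.Cryptography.RSA]::Create(2048)

# Constructed sample configuration document
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.LoadXml('<config><db host="db01.example.internal" port="1433" /><debug>false</debug></config>')

# Sign: an empty URI envelopes the whole document; the transform excludes the Signature element itself
$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml
$signedXml.SigningKey = $rsa
$ref = New-Object System.Security.Cryptography.Xml.Reference
$ref.Uri = ""
$ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
$signedXml.AddReference($ref)
$signedXml.ComputeSignature()
$xml.DocumentElement.AppendChild($xml.ImportNode($signedXml.GetXml(), $true)) | Out-Null

function Test-XmlSignature {
    Param ([xml]$doc, [System.Security.Cryptography.AsymmetricAlgorithm]$key)
    # Look the element up by its XMLDSIG namespace, and require exactly one
    $sigs = $doc.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#")
    if ($sigs.Count -ne 1) { return $false }
    $s = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $doc
    $s.LoadXml([System.Xml.XmlElement]$sigs[0])
    # Pass the trusted key explicitly; CheckSignature() with no argument would trust whatever KeyInfo the file carries
    return $s.CheckSignature($key)
}

# Round-trip through text, as the consuming program would when reading the file from disk
$signedText = $xml.OuterXml
$reloaded = New-Object System.Xml.XmlDocument
$reloaded.PreserveWhitespace = $true
$reloaded.LoadXml($signedText)
"Untouched file verifies: $(Test-XmlSignature -doc $reloaded -key $rsa)"

# Change a single value after signing and verify again
$tampered = New-Object System.Xml.XmlDocument
$tampered.PreserveWhitespace = $true
$tampered.LoadXml($signedText.Replace('debug>false<', 'debug>true<'))
"Tampered file verifies:  $(Test-XmlSignature -doc $tampered -key $rsa)"
```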


