Application and Script Signing

Application and script signing allows locally developed scripts, macros, and applications to run in our environment without being affected by the heightened security settings.

Questions should be emailed to gs_ssl@usgs.gov. Certs can be given out through the DigiCert portal.

Request SSL Certificates

Two options are available for requesting certificates: upload a CSR file, or use the Request Form.

To request an SSL Certificate, go to the DOI Certificate Request Site.

To submit a Certificate Request by uploading a CSR file, click “Add a new document” in the Certificate request library below.

To submit a Certificate Request by filling out the CSR form, click “Add new item” in the CSR Form Submission list below.

You can view the status of a submitted CSR by clicking “Pending CSRs” in the menu to the left.

For usgs.gov domain names, request an SSL Certificate using the USGS SSL Certificate Request Form.

Generate Code Signing Certificate

To generate a signing certificate the developer will submit a request to the USGS Service desk asking to be added to the Code Signing security group.

BWTST will notify the developer when access has been granted.

The certificate expires 1 year from the day it is generated. Create a calendar reminder for a couple of weeks prior to the expiration to generate a new cert and re-sign all scripts and apps.

To generate the certificate:

  • Open the User Certificates snap-in with the non-admin account
  • Right-click Personal > Certificates, hover over All Tasks, and select Request New Certificate…
  • Press Next on Select Certificate Enrollment Policy
  • Check the “DOI Code Signing” certificate and click the More information link
    • Under Subject Name, select Type “Common Name” and enter USGS CodeSign; then select Type “Organization” and enter US Geological Survey
    • Under Alternative Name, select Type “Email” and enter your email address
  • Press Enroll
  • Press Finish

Signing Office Macros

Screenshots were made using Office 365. Other versions may look slightly different.

  • Open your office project
  • Go to the developer tab
    • If the Developer tab is not available, go to File > Options
    • Go to Customize Ribbon and check Developer in the right-hand block

  • From the Developer tab open the Visual Basic Editor
  • Go to the Tools menu > Digital Signatures
    • Under Sign as select Choose
    • A Windows Security dialog box comes up
      • Select More choices, choose your code signing certificate, then click OK

    • Click OK on the Digital signature box
    • Save your document.

Signing PowerShell scripts

  • Open a new PowerShell window
  • Store your code signing certificate as a variable: $cert = (dir Cert:\CurrentUser\my\ -CodeSigningCert)
  • Navigate to where your script is saved
  • Sign the script using the Set-AuthenticodeSignature cmdlet
    • It’s good practice to specify a timestamp server (e.g., http://rfc316timestamp.globalsign.com/advanced), so the signature stays valid after the certificate expires
    • Set-AuthenticodeSignature -FilePath .\CreateSiteFolders.ps1 -Certificate $cert -TimestampServer 'http://rfc316timestamp.globalsign.com/advanced'
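The steps above, plus the expiry reminder from the certificate-generation section, as one reusable script. This is an added example, not part of the original page or a USGS-provided tool. It assumes the DOI code-signing certificate is in Cert:\CurrentUser\My (where the snap-in enrollment puts it), uses the timestamp server URL exactly as given on this page, and treats the script path, the $WarnDays threshold and the file name Sign-Script.ps1 as placeholders you supply.

```powershell
# Sign-Script.ps1 (hypothetical file name) - added example, not the page's own code.
# Signs a PowerShell script with the enrolled DOI code-signing certificate, warns when
# that certificate is close to its one-year expiry, and verifies the signature from disk.
param(
    [Parameter(Mandatory)][string]$ScriptPath,
    # Timestamp server URL as given on this page; replace if your team uses a different RFC 3161 server.
    [string]$TimestampServer = 'http://rfc316timestamp.globalsign.com/advanced',
    # Warn when the certificate expires within this many days (the page recommends a reminder a couple of weeks ahead).
    [int]$WarnDays = 14
)

# 1. Pick the code-signing certificate. -CodeSigningCert filters on the Code Signing EKU;
#    keep only unexpired certs and prefer the one with the latest expiry if an old one is still present.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired code-signing certificate found in Cert:\CurrentUser\My. Enroll a DOI Code Signing certificate first."
}

# 2. The DOI certificate is valid for one year; flag it early so scripts can be re-signed before it lapses.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le $WarnDays) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft day(s) ($($cert.NotAfter)). Request a new one and re-sign your scripts."
}

# 3. Sign with SHA-256 and an RFC 3161 timestamp. The timestamp is what lets the signature
#    remain valid after the signing certificate itself has expired.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer

if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# 4. Verify independently of the signing call: re-read the signature block from disk and
#    confirm it chains to a trusted root on this machine and names the certificate we used.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File       = $ScriptPath
    Status     = $check.Status          # 'Valid' means the signature and the chain verify here
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Timestamp  = if ($check.TimeStamperCertificate) { $check.TimeStamperCertificate.Subject } else { '(none)' }
    ExpiresOn  = $cert.NotAfter
}
```

Run it as .\Sign-Script.ps1 -ScriptPath .\CreateSiteFolders.ps1 from a session that is allowed to execute it (sign this helper once by hand with the one-line Set-AuthenticodeSignature call above if your execution policy is AllSigned). Any edit to a signed script, even whitespace, changes its hash and makes Get-AuthenticodeSignature report HashMismatch, so re-run the signing after every change, and treat a HashMismatch on a script you did not edit as something to investigate rather than re-sign.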

Signing VB Scripts - More to come

Apple Signing and Notarization

The Enterprise Security Standards Team has an Apple Developer Account for the purposes of application signing and notarization which is a security requirement on macOS beginning with macOS 10.15 Catalina. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized. If you require an application or installer to be signed, please contact ESS at gs-acio-iso_enterprise_security_standards@usgs.gov for more information.
