Changes


Windows PowerShell 1.0 Security

3,877 bytes added, 17:58, 30 December 2008
== Signing a Windows PowerShell Script ==
 
The first step in signing a PowerShell script is to obtain the certificate and assign it to a variable:
 
<pre>
PS C:\Users\Administrator> $certificate = @(get-childitem cert:\currentuser\my -codesigning)[0]
</pre>
 
The [0] index in the above command instructs PowerShell to use the first certificate in the store. If multiple certificates are stored, the index value should be modified to match the desired certificate. For example, to access the second certificate the index would need to be changed to [1].
 
Having extracted the certificate object from the store, the next step is to configure PowerShell to only accept signed scripts:
 
<pre>
PS C:\Users\Administrator> set-executionpolicy allsigned
</pre>
 
At this point, any attempt to execute an unsigned script will result in an error message:
 
<pre>
PS C:\Users\Administrator> ./t.ps1
File C:\Users\Administrator\t.ps1 cannot be loaded. The file C:\Users\Administrator\t.ps1 is not
digitally signed. The script will not execute on the system. Please see "get-help about_signing" for
more details..
At line:1 char:7
+ ./t.ps1 <<<<
</pre>
 
The next step is to sign the script using the ''Set-AuthenticodeSignature'' cmdlet, passing the script name and the certificate as arguments:
 
<pre>
PS C:\Users\Administrator> set-authenticodesignature ./t.ps1 $certificate
 
 
Directory: C:\Users\Administrator
 
 
SignerCertificate                         Status  Path
-----------------                         ------  ----
3152D8D9584375916BB9A7511BF2E789F257AD0B  Valid   t.ps1
</pre>
 
Attempting to execute the script now causes PowerShell to display a warning that the script was signed by an untrusted publisher, but provides the option to run the script anyway (Run once), or to run the script and also trust all future scripts signed with this certificate (Always run).
 
Previously in this chapter, it was noted that signing also prevents tampering with the contents of a script. When the contents of a signed script are modified, an attempt to execute the script will result in the following error:
 
<pre>
PS C:\Users\Administrator> ./hello.ps1
File C:\Users\Administrator\hello.ps1 cannot be loaded. The contents of file C:\Users\Administrator
\hello.ps1 may have been tampered because the hash of the file does not match the hash stored in the
digital signature. The script will not execute on the system. Please see "get-help about_signing"
for more details..
At line:1 char:11
+ ./hello.ps1 <<<<
</pre>
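
As an added example (not part of the original chapter), the following script uses the ''Get-AuthenticodeSignature'' cmdlet to report the signature status of every script in a directory, before and after the body of a signed script is changed. The directory name, file name and the ''Get-SignatureReport'' function are constructed for illustration, and a code-signing certificate is assumed to already exist in the current user's certificate store.

```powershell
# Added example: sign a throwaway script, then audit signature status
# before and after its body is modified. Nothing here changes the
# execution policy or touches existing scripts.

# Assumption: a code-signing certificate is already in Cert:\CurrentUser\My.
$certificate = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigning)[0]
if (-not $certificate) {
    throw 'No code-signing certificate found in Cert:\CurrentUser\My.'
}

# Constructed sample script in a temporary directory (hypothetical names).
$dir = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$script = Join-Path $dir 'demo.ps1'
Set-Content -Path $script -Value 'Write-Host "hello"'

# Report the Authenticode status of every .ps1 file under a directory.
function Get-SignatureReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.ps1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = $null
        if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }
        $sig | Select-Object `
            @{ Name = 'File';       Expression = { Split-Path $_.Path -Leaf } },
            @{ Name = 'Status';     Expression = { $_.Status } },
            @{ Name = 'Thumbprint'; Expression = { $thumb } },
            @{ Name = 'Message';    Expression = { $_.StatusMessage } }
    }
}

# Sign the sample script and record its status.
Set-AuthenticodeSignature -FilePath $script -Certificate $certificate | Out-Null
$before = Get-SignatureReport -Path $dir

# Change the script body while leaving the appended signature block in place.
(Get-Content $script) -replace 'hello', 'modified' | Set-Content $script
$after = Get-SignatureReport -Path $dir

# Show both reports; any status other than Valid needs investigation.
$before | Format-List
$after  | Format-List
```

Running the same report over a directory of production scripts shows which files are unsigned or altered before an AllSigned policy refuses to load them.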
 
== Protecting Certificates with Private Key Encryption ==
 
In the above examples, we were able to extract a certificate from the system's certificate store and sign PowerShell scripts without having to prove who we are. The danger in this is that anyone with access to the certificate could use it to sign any script, including a malicious script which would then potentially be trusted by other users. Clearly, an additional layer of defense is desirable, and this is provided through private key encryption of the certificate.
 
Installed along with the ''makecert.exe'' tool was another tool known as the ''Certificate Manager'', which is used, amongst other tasks, to enable private key encryption on certificates. After the Windows Platform SDK has been installed, this tool is located in the same directory as ''makecert.exe'' and is named ''certmgr.exe''. Assuming this directory is in the system PATH environment variable, launch certmgr.exe either from within PowerShell or at a command prompt as follows:
 
<pre>
PS C:\Users\Administrator> certmgr
</pre>
 
The Certificate Manager will open a window displaying a number of different categories of certificates. Navigate to the certificate to be protected (in the case of the example in this chapter select ''Trusted Root Certification Authorities -> Certificates -> ''
