How to sign a PowerShell script

  • Question

  • Hi,

    I have a PowerShell script, and I want to sign the script and run it on 2012 R2 without changing security policies.

    Can anybody let me know how to do it correctly?

    We have a code signing certificate from our company. When I sign with signtool with that certificate.

    Do we need to set AllSigned before running any signed application?

    Thanks in advance


    Thanks, Krishna

    Friday, August 7, 2015 8:59 AM

Answers

  • This lot did work.  I had forgotten that I was supposed to be signing a .ps1 file.


    PS C:\PS> get-childitem cert:\CurrentUser\my -codesigning
    PS C:\PS> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
    PS C:\PS> $cert
    PS C:\PS> Set-AuthenticodeSignature C:\PS\test_rebrand_echo.ps1 $cert -TimestampServer http://timestamp.digicert.com -WhatIf
    PS C:\PS> Set-AuthenticodeSignature C:\PS\test_rebrand_echo.ps1 $cert -TimestampServer http://timestamp.digicert.com

        Directory: C:\PS

    SignerCertificate                         Status        Path
    -----------------                         ------        ----
                                              Valid         test_rebrand_echo.ps1
    # End

    Sunday, August 23, 2015 1:10 PM

All replies

  • Well, I think that in theory it is something like this but as you can see that does not quite work.

    PS D:\PS> get-childitem cert:\CurrentUser\my -codesigning

        Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\my

    Thumbprint                                Subject
    ----------                                -------
    17144C9DA3E96A0E3FF984657D2185F8431FAFE6  CN=TERENCE MICHAEL NOTTE IRISH, O=TERENCE MICHAEL NOTTE IRISH, L=WELWYN GARDEN CITY, S=HERTFORDSHIRE, C=GB

    PS D:\PS> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
    PS D:\PS> $cert

        Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint                                Subject
    ----------                                -------
    17144C9DA3E96A0E3FF984657D2185F8431FAFE6  CN=TERENCE MICHAEL NOTTE IRISH, O=TERENCE MICHAEL NOTTE IRISH, L=WELWYN GARDEN CITY, S=HERTFORDSHIRE, C=GB

    PS D:\PS> Set-AuthenticodeSignature D:\PS\Rebrandtest.bat $cert -TimestampServer http://timestamp.digicert.com -WhatIf
    What if: Performing the operation "Set-AuthenticodeSignature" on target "D:\PS\Rebrandtest.bat".

    PS D:\PS> Set-AuthenticodeSignature D:\PS\Rebrandtest.bat $cert -TimestampServer http://timestamp.digicert.com

        Directory: D:\PS

    SignerCertificate                         Status        Path
    -----------------                         ------        ----
                                              UnknownError  Rebrandtest.bat

    So, at present, I am also stuck.

    Wednesday, August 19, 2015 3:41 PM
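The signing procedure from the accepted answer above, together with the check that explains the UnknownError in this reply, as an added example that is not code posted in the thread. The thumbprint, file path and time-stamp URL are placeholders to replace with your own; the cmdlets and parameters used (Get-ChildItem -CodeSigningCert, Set-AuthenticodeSignature, Get-AuthenticodeSignature, Get-ExecutionPolicy) are standard PowerShell 3.0+ and so available on 2012 R2.

```powershell
# Added example (not from the thread): sign a .ps1 with a code-signing
# certificate from the current user's personal store, time-stamp it, and
# verify the result. Thumbprint, path and time-stamp URL are placeholders.

param(
    # Select the certificate explicitly by thumbprint rather than taking [0]
    # from the store, so a second code-signing cert cannot be picked by accident.
    [string]$Thumbprint      = 'PUT-YOUR-CERT-THUMBPRINT-HERE',   # assumption: placeholder
    [string]$ScriptPath      = 'C:\PS\test_rebrand_echo.ps1',     # assumption: placeholder
    [string]$TimestampServer = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

# Set-AuthenticodeSignature can only embed a signature in formats that carry an
# Authenticode block: PowerShell files (.ps1/.psm1/.psd1/.ps1xml) and PE or
# catalog files such as .exe/.dll/.cat. A .bat has no such block, which is why
# signing Rebrandtest.bat above came back as UnknownError.
$signable = '.ps1', '.psm1', '.psd1', '.ps1xml', '.exe', '.dll', '.cat'
$ext = [System.IO.Path]::GetExtension($ScriptPath).ToLowerInvariant()
if ($signable -notcontains $ext) {
    throw "'$ScriptPath' ($ext) cannot carry an Authenticode signature; sign a .ps1 instead."
}

# -CodeSigningCert filters on the Code Signing EKU; then check the cert can
# actually sign (private key present) and is still within its validity period.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No code-signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My."
}
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; it cannot sign.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Sign with a time stamp so the signature remains valid after the certificate
# itself expires. SHA256 avoids the SHA1 default of older PowerShell versions.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -TimestampServer $TimestampServer -HashAlgorithm SHA256
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Re-read the signature from disk. Status is 'Valid' only when the signer
# chains to a trusted root AND the file is byte-for-byte unchanged since
# signing; editing even one character afterwards turns it into HashMismatch.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File            = $ScriptPath
    Status          = $check.Status
    Signer          = $check.SignerCertificate.Subject
    TimeStamper     = $check.TimeStamperCertificate.Subject
    ExecutionPolicy = Get-ExecutionPolicy
}
```

On the AllSigned question: signing does not require the policy to be AllSigned. A validly signed script runs under RemoteSigned (the Windows Server 2012 R2 default) as well as under AllSigned; only Restricted blocks scripts regardless of signature. Under AllSigned the first run of a script from a signer not yet in the Trusted Publishers store prompts the user, so for unattended use either import the signing certificate into Cert:\LocalMachine\TrustedPublisher or stay on RemoteSigned. The signing certificate must also chain to a root the target machine trusts, or Get-AuthenticodeSignature reports UnknownError rather than Valid.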
  • Let us hope that some clever Microsoft person comes up with an answer.
    Wednesday, August 19, 2015 3:43 PM
  • Thank you very much.

    Thanks, Krishna

    Monday, August 24, 2015 8:43 AM