
How to sign a Powershell Script

2011-12-29 11:52  络绎

Prerequisites

Before signing a PowerShell script file, you need to prepare a certificate. There are two ways to get one:

  1. Get a certificate from a CA;
  2. Generate a certificate with a tool such as makecert.exe. This post takes the second way.

Generate certificate

  1. Start makecert.exe

We use makecert.exe to generate our certificate. makecert.exe is installed automatically with the Windows SDK or VS 2010. For VS 2010, click Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools, and run Visual Studio Command Prompt (2010) with Administrator permission. To check that makecert.exe is installed, type and run the command "makecert -help" and look at the output.

For the Windows SDK, click Start -> Microsoft Windows SDK v7.1, and run Windows SDK 7.1 Command Prompt with Administrator permission. Use the same command to check that makecert.exe is installed.

  2. makecert.exe parameters

Typing the command "makecert -help" prints the parameter information. For more details, see MSDN at http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx.

  3. Create root certificate

Run the following command to create a self-signed root certificate named "Windows Powershell Certification Authority" and place it in the current user's Trusted Root store (-r -ss root -sr CurrentUser), saving the private key to Powershell_CA.pvk and the certificate to Powershell_CA.cer:

makecert -n "CN=Windows Powershell Certification Authority" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -ss root -sr CurrentUser -sv Powershell_CA.pvk Powershell_CA.cer

During creation, makecert asks you to create a private key password; enter the password you want to use.

After the certificate is created successfully, you will see the output "Succeeded" on the command prompt. You can also see the certificate in MMC (Certificates - Current User):

MMC -> File -> Add/Remove Snap-in -> Certificate ->  Add -> My User Account -> OK -> Console Root -> Certificates – Current User -> Trusted Root Certification Authorities -> Certificates 

  4. Publish code-signing certificate

Run the following makecert command to issue the code-signing certificate. It is signed with the root certificate's private key (-iv Powershell_CA.pvk) and chained to the root certificate (-ic Powershell_CA.cer), carries the Code Signing EKU (1.3.6.1.5.5.7.3.3), has an exportable private key (-pe), and is placed in the current user's Personal store (-ss MY):

makecert -n "CN=Windows Powershell Script Publisher" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -pe -iv Powershell_CA.pvk -ic Powershell_CA.cer

While the command runs, it asks you for the private key password you set in step 3. After the command completes successfully, you will see the output "Succeeded" on the command prompt. As in step 3, you can see the certificate in MMC:

MMC -> File -> Add/Remove Snap-in -> Certificate ->  Add -> My User Account -> OK -> Console Root -> Certificates – Current User -> Personal -> Certificates 

Sign your PowerShell script

  1. Launch a PowerShell prompt with Administrator permission and run the command "$certstore = dir cert:\CurrentUser\my" to list the certificates in your Personal store and get your certificate.

  2. Run the command "Set-AuthenticodeSignature -FilePath C:\v-jiansh\Test-Use.ps1 -Certificate $certstore[2]" to sign your script. The index [2] is specific to the author's store; check the output of step 1 and use the index of the entry whose subject is CN=Windows Powershell Script Publisher.

You can see that the script C:\v-jiansh\Test-Use.ps1 has been signed. If you open the script, you will see the signature block appended at the end of the script file.

Notice

  1. This signed script can only be run on your own computer. If you want to run it elsewhere, you must export the root certificate you created in step 3 of Generate certificate and import it on the target computer.

1)      Select the certificate, right-click it, and select All Tasks -> Export to open the Certificate Export Wizard.

2)      Click Next to open the Export File Format pane, keep the default selection, and click Next to open the File To Export pane.

3)      Enter the full path of the certificate file (with a .cer extension) and click Next to open the Completing pane.

4)      Click Finish to export your certificate.

5)      Copy this certificate to your target computer, e.g. scxomt-ws7-19.

6)      Launch MMC -> File -> Add/Remove Snap-in -> Certificate ->  Add -> My User Account -> OK -> Console Root -> Certificates – Current User -> Trusted Root Certification Authorities -> Certificates. Import the certificate into Trusted Root Certification Authorities.

  2. Note that a script created by Windows PowerShell ISE cannot be signed successfully. It fails with the following output:

PS C:\Users\v-jiansh> Set-AuthenticodeSignature C:\v-jiansh\Test-Use.ps1 -Certificate $certstore[2]

    Directory: C:\v-jiansh

SignerCertificate                         Status                                                Path

-----------------                         ------                                                ----

                                          UnknownError                                          Test-Use.ps1

So if you get the same issue, use Notepad to create a copy of the script and sign the copy instead.
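As an added example (not part of the original post), the script below performs the signing step from "Sign your PowerShell script" and the status check from the notice above in one go: it selects the publisher certificate by subject and Code Signing EKU instead of a hard-coded index such as $certstore[2], stops on any status other than Valid (e.g. the UnknownError shown for an ISE-saved file), and re-verifies the signed file the way a target computer would. It assumes the certificates were created as described in the post and that the script path exists; both values are placeholders to adjust.

```powershell
# Added example, not the post's own code. Assumes the root and publisher
# certificates from the post exist and $ScriptPath points at a real script.
$ScriptPath = 'C:\v-jiansh\Test-Use.ps1'                 # path used in the post; adjust
$Subject    = 'CN=Windows Powershell Script Publisher'   # subject given to makecert -n

# Select the publisher certificate by subject, Code Signing EKU (-CodeSigningCert)
# and private-key presence, so a different entry landing at index 2 is never used.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate with subject '$Subject' in Cert:\CurrentUser\My"
}

# Sign and inspect the returned Signature object instead of trusting the table output.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($result.Status -ne 'Valid') {
    # UnknownError is what the post shows for an ISE-saved file: fail loudly here
    # rather than distributing a script whose signature will not validate.
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Re-check the file as a consumer would. Status is Valid only when the signature
# matches the file contents and the chain reaches a trusted root; on a target
# computer that has not imported Powershell_CA.cer this reports UnknownError.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
'{0}: {1} (signer thumbprint {2})' -f $ScriptPath, $check.Status, $check.SignerCertificate.Thumbprint
```

Run it again after editing the script to confirm that any change to the file content flips the status from Valid to HashMismatch, which is the behaviour an execution policy of AllSigned relies on.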