PowerShell Code Signing


bannerPhoto by Tadas Sar on Unsplash

If you are a system administrator, you might have had to run Task Scheduler jobs or delegate tasks to end-users. But have you wondered how you could run these tasks securely? How do you ensure the integrity and quality of the scripts on your system? This is where code signing can help!

A digital signature is a process that guarantees that a file or message has not been altered after the signature has been calculated. Signing scripts ensures the integrity of a script you run. After you verify that a script is safe to run, you can digitally sign the script to prevent others from tampering with it.

Files can be signed with signing certificates. And by adjusting Powershell Execution Policies to allow only signed scripts to run, you maintain control over the integrity of the scripts on your system. Today, let’s dive into how Powershell code signing works and how to sign a script to use!

Configuring Signing Certificates

First, let’s create a certificate template! A certificate template will enable users to request individual certificates to sign their scripts.

Creating a Certificate Template

First, go to your Control Panel, then go to “Administrative Tools > Certification Authority”. Right-click on “Certificate Templates” and click on “Manage”. You should see a list of built-in templates available for use. Right-click on “Code Signing” and select “Duplicate Template”.

You should see a window prompting you to set the properties of the new template. In the “General” tab, you will be able to set the name of the template. In the “Compatibility” tab, you’ll be able to set the Certificate Authority and Certificate Recipient. In the “Cryptography” tab, you can configure the details of the cryptographic algorithm used, like Cryptographic Provider, Algorithm name, Key Size, and more.

And in the “Security” tab, you can configure which users or groups can create code signing certificates. Users that are allowed to create code signing certificates need to be granted “Enroll” and “Read” permissions.

If you already have a certificate template configured, you can simply import it for use.

ldifde -i -k -f TEMPLATE_FILE

Back in “Administrative Tools > Certification Authority”, right-click the “Certificate Templates” then go to “New > Certificate Template to Issue”.

Creating a Signing Certificate

On a development machine, you can now create a code signing certificate. First, open the Microsoft Management Console (mmc.msc). Then, go to “File > Add/Remove Snap-in”. From the “Available snap-ins” menu, select “Certificates” and click “Add”, then “Ok”.

In the original window, right-click on “Personal”, select “All Tasks > Request New Certificate”. Tick the appropriate certificate and click on “Enroll”. A code signing certificate will be created.

You can import a certificate to use by running this command:

Import-Certificate -FilePath "CERT_TO_IMPORT" -CertStoreLocation cert:CERT_LOCATION

You can also export a certificate from a certificate store into a file:

$cert = Get-ChildItem -Path cert:CERT_LOCATION

Export-Certificate -Cert $cert -FilePath FILE_PATH

Signing Scripts

Now you can sign a script with the code signing certificate! These commands will retrieve a code signing certificate and use it to sign your script:

$cert=Get-ChildItem -Path Cert:CERT_LOCATION -CodeSigningCert

Set-AuthenticodeSignature -FilePath SCRIPT_PATH -Certificate $cert

You can now run your signed script!

SCRIPT_PATH

How to Prevent Digital Signatures from Expiring

The digital signature in a script is valid until the signing certificate expires. Or, the signature can remain valid if a timestamp server can verify that the script was signed while the signing certificate was valid. Since most signing certificates expire after one year, using a timestamp server ensures that users can use your script for a longer time.

Powershell Execution Policies

PowerShell’s execution policy controls how PowerShell loads configuration files and runs scripts. By setting appropriate execution policies, you can prevent the execution of malicious scripts. In particular, setting the execution policy to “AllSigned” can make sure that only scripts and configuration files that have been signed with a trusted certificate can run on your systems.

To find the effective execution policy on your computer, you can use:

Get-ExecutionPolicy

You can set PowerShell’s execution policy to AllSigned by using this command:

Set-ExecutionPolicy AllSigned

Conclusion

Signing scripts and restricting Powershell’s execution policy accordingly is a good way to ensure the integrity of the scripts you run. In this post, we went through how you can create a code signing certificate and how you can use that certificate to sign scripts.

Vickie Li