PowerCLI


digital_sign_powershell_script

  • 1.  digital_sign_powershell_script

    Posted Nov 14, 2019 01:34 PM

    Hi Luc,

    Good afternoon.

    Can you please check the following article?

    I performed this on a Windows 2016 system to digitally sign one PowerShell script.

    Though it worked, am I supposed to get any digital block inside the script?

    https://community.spiceworks.com/how_to/153255-windows-10-signing-a-powershell-script-with-a-self-signed-certificate



  • 2.  RE: digital_sign_powershell_script

    Posted Nov 14, 2019 02:12 PM

    You should see a block of text at the end of the signed script.
    The block will start with

    # SIG # Begin signature block

    and end with

    # SIG # End signature block



  • 3.  RE: digital_sign_powershell_script



  • 4.  RE: digital_sign_powershell_script

    Posted Nov 14, 2019 03:14 PM

    Try the following snippet.
    It should show you how a script looks before and after signing.

    It uses a self-signed certificate to sign the script.

    # Write a one-line test script to disk.
    $code = @'
    Write-Host "Hello!"
    '@
    $code | Set-Content -Path .\test.ps1

    # Before signing: the file contains only that one line.
    Get-Content -Path .\test.ps1

    # Create a self-signed code-signing certificate in the current user's personal store.
    $sCert = @{
      Subject           = 'MyCert'
      Type              = 'CodeSigning'
      CertStoreLocation = 'Cert:\CurrentUser\My'
    }
    $cert = New-SelfSignedCertificate @sCert

    # Sign the script with that certificate.
    $sSign = @{
      Certificate = $cert
      FilePath    = '.\test.ps1'
    }
    Set-AuthenticodeSignature @sSign

    # After signing: the '# SIG # Begin signature block' ... '# SIG # End signature block' lines are appended.
    Get-Content -Path .\test.ps1



  • 5.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 01:01 PM

    Hi Luc,

    I think I am not getting it correctly.

    Could you advise on the unknown error?



  • 6.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 01:21 PM

    That is to be expected with a self-signed certificate.

    Behind the covers, it would produce the error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider", which the cmdlet seems to translate to this UnknownError.
    In short, the self-signed certificate does not chain to a trusted root certificate.



  • 7.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 01:47 PM

    I am looking for something that would create the block in the actual PowerShell script. Is that possible by any means?



  • 8.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 01:53 PM

    I'm afraid not, it would be like you're changing the content of a file that you want to protect against content change :smileygrin:

    You could eventually call an external script that does the signing.



  • 9.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 02:07 PM

    I mean to say digitally signed by a trusted CA, so that the content is encrypted and whenever someone tries to alter the script it compares the content with the encrypted digital signature.

    I am not sure what advantage I'm getting from a self-signed script if I need to run it on remote systems that have the execution policy set to RemoteSigned.



  • 10.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 02:11 PM

    You can/should, of course, use a trusted CA, just make sure it has the CodeSigning attribute.

    The previous code snippet was just an example to try out signing scripts (since you mentioned you didn't get the signature block in the script).

    Btw, there is a difference between signing and encrypting, but you probably know that.



  • 11.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 02:52 PM

    My understanding so far is that if we digitally sign any script with a trusted CA, it creates a start and end block in the script with the encrypted content of the script in the signature block.

    So one part of the signature is actually the encrypted content of the script. Is this not true??



  • 12.  RE: digital_sign_powershell_script

    Posted Nov 15, 2019 03:37 PM

    Not in my book, signing and encrypting a script are two different things.
    And require different certificate attributes afaik.

    See Encryption and Signing for some background info.
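    The following is an added walkthrough, not code from this thread, that ties together Luc's signing snippet (post 4), the UnknownError explanation (post 6) and the signing-versus-encrypting point (post 12): it signs a script, shows the status change from UnknownError to Valid once the self-signed certificate is trusted, and then edits one character to show that the signature block is a signed hash over plaintext, not an encrypted copy. It assumes Windows PowerShell 5.1 on Windows with the PKI module, run from a scratch folder; the subject 'DemoSigner' and the file name demo.ps1 are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows,
# a scratch working folder, and placeholder names 'DemoSigner' / demo.ps1.
$script = '.\demo.ps1'
"Write-Host 'Hello!'" | Set-Content -Path $script

# Self-signed certificate with the CodeSigning EKU, as in Luc's snippet.
$cert = New-SelfSignedCertificate -Subject 'CN=DemoSigner' -Type CodeSigning `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Signing appends the '# SIG # Begin signature block' ... '# SIG # End signature block' lines.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
Get-Content -Path $script | Select-String -Pattern '^# SIG #'   # the two marker lines

# 1. Untrusted chain: the self-signed cert is its own root, and that root is not
#    in the Trusted Root store, so verification reports UnknownError (post 6).
(Get-AuthenticodeSignature -FilePath $script).Status             # UnknownError

# 2. Trust the certificate as a root and as a publisher for this user only.
#    Windows shows a confirmation prompt when a root is added to CurrentUser\Root.
Export-Certificate -Cert $cert -FilePath '.\demo.cer' | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath '.\demo.cer' `
        -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
}
(Get-AuthenticodeSignature -FilePath $script).Status             # Valid

# 3. The script body is still readable plaintext; the block holds a signed hash
#    of the content. Changing one character breaks the hash check (post 12).
$lines = Get-Content -Path $script
$lines[0] = "Write-Host 'Hello, tampered!'"
$lines | Set-Content -Path $script
(Get-AuthenticodeSignature -FilePath $script).Status             # HashMismatch

# Cleanup: remove the demo certificate from every store it was added to.
foreach ($store in 'My', 'Root', 'TrustedPublisher') {
    Get-ChildItem -Path "Cert:\CurrentUser\$store" |
        Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
}
```

    Running a script with a self-signed signature on another machine gives the same UnknownError unless that machine also trusts the certificate, which is the practical reason to use a CA the remote systems already trust.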



  • 13.  RE: digital_sign_powershell_script

    Posted Nov 19, 2019 11:22 AM

    Thanks Luc,

    I'm checking this.