PowerShell is a great tool to automate lot of your daily tasks. However to write a PowerShell script needs to have an experience with the scripting. It takes lot of time for Juniors and sometime for Seniors Engineers as well.
Today Security is far beyond the perimeter of the company in on-premises , hybrid or cloud environments.
Sign your PowerShell scripts can be a very good habit that will be more effective and less painful. For those that they don't have use code-signing it's not so difficult as you can think.
So let's start to explain the advantages to sign a PowerShell script.
What are the major advantage to signing a PowerShell Script
We will not proceed to signing a PowerShell script if we will not have any advantage. So let's explain which are the major advantages.
- Signing a PowerShell script you can reduce your potential attack surface.
- Authenticates that you are the person who wrote the PowerShell script.
- Verify the script integrity. In simple words your script modified since it was signed.
However, a sign PowerShell script doesn't mean that it's safe or good to run. Major is to know the source of the powershell script
So let's start
Obtain a Code Signing Certificate
Before proceed to sign a PowerShell certificate you need to have an SSL Certificate that you will be use it for the code signing.
You have the following options for the SSL Certificate
- Public - You can purchase an SSL Certificate from various Providers in the Internet to use it for the code signing
- Local - If you have an internal PKI Solution you can generate a new SSL Certificate that you will use it to sign the PowerShell Script
- Self Sign - You can generate a self sign certificate. However it's not recommended to use it in a production environemnt or if you will share it in different users out of your local network. The self sign certificate it's recommended only for testing.
For the purpose of the Article i have created a self sign Certificate to do the test.
Generate a Self Sign Certificate for Code Signing
Let's generate the Self Sign Certificate for Code Signing
- Open the PowerShell as Administrator.
- Run the following command to create the certificate.
New-SelfSignedCertificate -Subject "askme4tech codesigning" -CertStoreLocation Cert:\LocalMachine\My -Type CodeSigningCert
- The certificate located in Certification Store Local Computer - Personal - Certificates
- Since the certificate it's self sign should be imported to the Certification Store Local Computer - Trusted Root Certification- Certificates. Then the computer can be trusted the publisher who sign the certificate.
- The PowerShell will check for the the certificate in store to validate the signature. If it's not trusted from the computer when will run the PowerShell script will fail with the following error
- We should export the Certificate from Certification Store Local Computer - Personal - Certificates with the following commands in order
- Find and copy the Thumbprint of the certificate.
Get-ChildIem -Path Cert:\LocalMachine\My
Then paste the Thumbprint in the following command and run it to export the Certificate.
$mypwd = ConvertTo-SecureString -String '1234' -Force -AsPlainText
Get-ChildItem -Path Cert:\LocalMachine\My\BAAE3B5A3410EB0B418B7F263DB01DB7978482B9 | Export-PfxCertificate -FilePath C:\a\askme4tech_codesigning.pfx -Password $mypwd
- Now that you have export the certificate in pfx format we can proceed to import in Certification Store Local Computer -Trusted Root Certification-Certificates.
Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path C:\a\askme4tech_codesigning.pfx | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\Root -Exportable -Password $mypwd
Let's verify that the certificate is in right place.
From the Start menu with right click type certlm.msc and press Enter
Expand the Trusted Root Certificate -- Certificates. You should see the certificate that you have imported. In our case the certificate name is askme4tech codesigning.
How to Sign a PowerShell Script
We have import the Certificate in the right places and we can proceed to sign the PowerShell scripts that we need.
For the article I have created a very simple script with the name powershell_codesigning.ps1. The only thing that it does is to write in the monitor We will sign the powershell script.
We will run the following command to sign the PowerShell script.
In the first line I use the variable $cert to store the certificate from the Certification Store Local Computer - Personal - Certificates.
In the second line I use the Set-AuthenticodeSignature command to sign the script
$cert=Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath 'C:\Users\konstantinost\Documents\askme4tech\powershell_script_signing\powershell_codesigning.ps1' -Certificate $cert
How to verify the code signing of the PowerShell script
Until now we have sign the PowerShell script. But how we can verify it?
Opening the Code
Open the PowerShell script and you will see a signature block after the code.
If you delete the signature block from the script then will revert to un-signed.
Opening the File Properties of the Script
Another way to verify that the script is signed is to open the Properties of the Script and click on tab Digital Signature.
Run the Signed PowerShell Script
At this point we have signed the powershell successfully. However we don't know if the PowerShell script can run successfully yet.
How we can verify it?
- Open the PowerShell As Administrator and type the following command to allow run only signed PowerShell scripts.
Set-ExecutionPolicy AllSigned
- Now run the script that you have signed. Should be run without errors.
- You should know that if you do any change in the PowerShell script then you should sign the PowerShell again.
- Let's do a small change and try to run the script. You will get an error. Sign the script again and then will run successfully.
That's it!!
You learn how to sign a PowerShell script and most important why ti sign or now sign a PowerShell script.
I hope to help you and learn something new
Have a nice weekend !!