Code Signing Certificate Resource Code Signing Best Practices & Security Resources

How to Sign PowerShell Script with Code Signing Certificate

Microsoft has launched a strong scripting language that has replaced traditional VB Script that was being used to manage Windows Eco System. PowerShell, which gives the power to enhance your Windows Operating system, especially servers. Automation is creating a vast market place for PowerShell Script as more and more people using PowerShell to manage their Windows Based IT Infrastructure. PowerShell Gives you better manageability of your IT Infrastructure, and it is used to monitor Microsoft's software. Manage Microsoft's Software, and you can deploy the software with the help of the PowerShell script.

Though PowerShell was designed to use internally and more secure shell, there is an option in PowerShell that is used by the software developer to develop their software and sell it to the customers. When you are selling something, you have to make sure that it is trustworthy. PowerShell Scripts, which is used to manage critical IT Infrastructure needs to be trusted and make sure that your Script is not tampered by anyone else. Whether you are creating PowerShell Script to be used Internally or Externally, that needs to be signed so that it runs without any issue. PowerShell has a great feature to protect the system from running malicious scripts. "ExectutionPolicy” is the critical security option available in PowerShell that would not allow any malfunctioned script to run on your system. Though you may need to tweak these settings to manage your IT Infrastructure easier. You can set the “ExectutionPolicy" for a different scope. Following are the scope:

MachinePolicy	Managed by Group Policy for all users in the computer
UserPolicy	Managed by Group Policy for Current user in the computer
Process	Only applicable to current PowerShell Session
CurrentUser	This affects the only current user in the computer
LocalMachine	This affects all users in the computer

Following are the deferent settings of “ExectutionPolicy" and their impact on the system:

Setting Value	Setting Impact
AllSigned	All Script to be signed by the publisher using third party certificate even Script written locally. This is the best settings in production as it requires all Script to be signed, including configuration files.
ByPass	Nothing is restricted; there is no warnings or prompts. This can run malicious Script in the system.
Default	Default settings is “Restricted for Client” and “RemoteSigned" for Server. So there is no script run at the client, but Script can run at Server.
RemoteSigned	Needs Script to be signed using digital certificates. Does not require Digital certificate if Script developed locally
Restricted	Does not allow Script to be executed, and the user can use commands only.
Unrestricted	Unsigned Script can run, and there is chances that you might run malicious Script using these settings.
Undefined	If this setting is set to default Setting, "Restricted" would be applied.

Why do you need to Sign your PowerShell Script?

1. You created this fantastic PowerShell script that would help the user to manage their IIS Server, and you want to make sure that it is not source of malicious software distribution for other software. You need to Sign your PowerShell Script with Code Signing Certificate.
2. You created this internal Script that would help your teammates to manage their as it is not signed they have to lower the security settings in PowerShell so that your script would be running smoothly but this allows other malicious scripts to sabotage the system.

How can you sign your PowerShell script so that it would be trusted and user don't have to lower their security settings?

To Sign your PowerShell Script, you need a Code Signing Certificate. Once you purchase a Microsoft Authenticode Signing Certificate from here, you can use it to sign your PowerShell Script.

There is a default PowerShell command that you can use to sign your PowerShell Script. The command is Set-AuthenticodeSignature that you can use to Sign PowerShell Script.

Following is the command to Sign PowerShell Script when you stored the certificate is stored in Certificate Store:

$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert Set-AuthenticodeSignature -FilePath PsTestInternet2.ps1 -Certificate $cert -Timestamp http://timestamp.comodoca.com?td=sha256.

Please make sure that your certificate has been install at the correct location. It should be at Cert:\CurrentUser\My location. The PFX or P12 file that you have needs to be installed at the above location. You can learn more about how to Install PFX or P12 in our next article.

Following is the command to Sign PowerShell Script when you have a certificate in PFX or P12 format:

$cert = Get-PfxCertificate -FilePath C:\Test\Mysign.pfx Set-AuthenticodeSignature -FilePath ServerProps.ps1 -Certificate $cert -Timestamp http://timestamp.comodoca.com?td=sha256

This would prompt you for PFX or P12 file password that you have when you exported the certificate from the Firefox browser.

Conclusion:

Whether you are creating PowerShell script form your internal use or you want to distribute PowerShell script over the internet. You should sign the certificate. It is always a good idea to sign the tools that you developed should be Signed, so the user trust it, and they use it more.