PowerShell Code Signing of scripts
coding powershell
A GitHub repository is available with PowerShell scripts for signing PowerShell scripts! In particular, you can create a personal certificate for local signing, sign individual scripts, recursively sign a folder of scripts and recursively unsign them.
Some PowerShell scripts for personally signing PowerShell scripts!
Note that the name of this GitHub repository, sign-me-up-scotty, came from two sources. The first is the Scott Hanselman (and Geoff Bard) post Signing PowerShell Scripts, which covers code signing of PowerShell scripts. A great source of information on this, as always from Scott. Thanks Scott. Also, it is a play on the quote "beam me up, Scotty" from the SciFi TV series Star Trek.
This page is a mirror of the ReadMe at the repository: djaus2/sign-me-up-scotty. Please leave comments and feedback at the bottom of this post.
Ever had this:
.\1-create--local-certificate-authority : File
sign-me-up-scotty\scripts\1-create--local-certificate-authority.ps1
cannot be loaded. The file
sign-me-up-scotty\scripts\1-create--local-certificate-authority.ps1 is
not digitally signed. You cannot run this script on the current system. For more information about running scripts and
setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\1-create--local-certificate-authority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
Background
I have developed and extended (many times) the GitHub repository djaus2/az-iothub-ps, which is a menu-driven tool for developing entities for Azure IoT Hub, Devices, Device Provisioning Services and IoT Central. The focus is on creating, managing and interconnecting these entities, as well as getting the interconnection metadata into contexts (e.g. environment variables and JSON files) that Quickstart samples can consume, and thus making exploration of those Quickstarts far easier. My argument is that many of the Quickstart tutorials are long-winded, do-this-do-that, etc. I have had a quest for some time to make this all simpler!
Why this repository?
I found that when I downloaded the djaus2/az-iothub-ps repository, I could not run the scripts, as they were remote and unsigned. I did initially try setting the execution policy using Set-ExecutionPolicy, and whilst this can work, I found it a bit of a hack. There are Group Policy issues, a hierarchy of policy scopes, requirements to do it in the registry, etc. Is it good practice to set Unrestricted? Etc., etc.
So I have a GitHub repository which is a collection of numerous PowerShell scripts that are all subscripts of the main menu PowerShell script (get-iothub, in this case). Whilst I can run the scripts on the machine where they are created, if the repository is cloned or downloaded elsewhere, PowerShell signature restrictions, especially since I installed PS 7, restrict or inhibit the running of the scripts.
Q1. How then can the scripts be signed locally for use by the current user?
Q2. How can this be done for a plethora of scripts, as in the above repository, using one command line entry? I.e. recursively.
Q3. If the local clone of the repository is code signed as in Q2, how can this be removed in one hit before, or as part of, a pipeline when changes are made and they are committed back to the repository?
Q4. Is there a better way for PowerShell scripts in repositories? (Cloning, updates and commits.)
Some Links
- djaus2/sign-me-up-scotty
- Signing PowerShell Scripts - Scott Hanselman
- Code Signing Multiple PowerShell Scripts - The Server Analyst
- Set-ExecutionPolicy
- Publish-Script
- How to Set PowerShell Script Execution Policy in Windows 10
Disclaimer
Given the nature of PowerShell, and what a script is allowed to do if a script is enabled on your system, it is up to you to check out these links and the scripts in repository and to ascertain their suitability for, and intrusiveness into, your system.
Also, note that some scripts here are recursive.
What’s in the Repository?
- Following Scott Hanselman's post:
  - A script to create a local authority: 1-create--local-certificate-authority.ps1
  - A script to create a personal certificate: 2-create-personal-certificate.ps1
  - A script to verify the personal certificate: 3-verify.ps1
  - A script to sign one PowerShell script using that certificate: sign-one.ps1. Place the PS file (path) on the command line.
- Following The Server Analyst post:
  - A script to recursively sign all scripts at or below the current folder: signall.ps1. Note that it was modified so that it recurses from the current folder.
  - I've added a script to recursively unsign all signed scripts below the current folder: unsignall.ps1. Note that this also recurses from the current folder.
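As an added example (not the repository's own scripts), here is the same local-signing round trip, answering Q1 to Q3, written against the built-in PKI and Authenticode cmdlets; the subject name "LocalScriptSigner", the function names and the temporary .cer path are placeholders I chose, and the certificate is placed in the current user's stores only, so nothing machine-wide is trusted.

```powershell
# Added example, not part of sign-me-up-scotty. Run it from the console, not
# as a .ps1, to avoid the "Catch-22" of needing a signed script to sign scripts.

# Q1, step 1: a self-signed code-signing certificate for the current user only.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=LocalScriptSigner" `
    -CertStoreLocation Cert:\CurrentUser\My

# Q1, step 2: trust it. A signature only reports "Valid" once the certificate
# is in the user's Trusted Root and Trusted Publishers stores. Importing into
# Root pops a Windows confirmation dialog; that prompt is expected.
$cerPath = Join-Path $env:TEMP "LocalScriptSigner.cer"   # placeholder path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Q1, step 3: sign one script and return the verification status.
# Expected statuses: Valid, NotSigned, HashMismatch (edited after signing), NotTrusted.
function Sign-OneScript([string]$Path) {
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert | Out-Null
    (Get-AuthenticodeSignature -FilePath $Path).Status
}

# Q2: recursively sign every .ps1 at or below the given folder.
function Sign-AllScripts([string]$Root = '.') {
    Get-ChildItem -Path $Root -Filter *.ps1 -Recurse -File |
        ForEach-Object { "$($_.FullName): $(Sign-OneScript $_.FullName)" }
}

# Q3: strip the signature blocks again, e.g. before committing. Authenticode
# appends the signature as a trailing comment block starting with the marker
# "# SIG # Begin signature block", so everything from that line on is dropped.
function Unsign-AllScripts([string]$Root = '.') {
    Get-ChildItem -Path $Root -Filter *.ps1 -Recurse -File | ForEach-Object {
        $lines = @(Get-Content -Path $_.FullName)
        $begin = [array]::IndexOf($lines, '# SIG # Begin signature block')
        if ($begin -ge 0) {
            $keep = if ($begin -gt 0) { $lines[0..($begin - 1)] } else { @() }
            Set-Content -Path $_.FullName -Value $keep
            "$($_.FullName): unsigned"
        }
    }
}

# Typical use from the folder that holds the scripts:
#   Sign-AllScripts .      (each line ends in "Valid" if trust was set up)
#   Unsign-AllScripts .    (before committing back to the repository)
```

After Unsign-AllScripts, Get-AuthenticodeSignature on any of the files reports NotSigned again, which is the state you want in the repository so that clones elsewhere are not carrying a signature from your personal certificate.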
As indicated, this page is a mirror of the ReadMe at the repository: djaus2/sign-me-up-scotty. Please leave comments and feedback at the bottom of this post.
Usage
- You may run into a “Catch-22” scenario. You can’t run the signing scripts unless they are signed. To get around this complete the first 3 scripts by copying the command from each directly to the command line.
- Once they are setup you can run the later scripts as PS scripts.
If you must …
Some PS Execution Policy
PS C:\scripts> Get-ExecutionPolicy
Unrestricted
PS C:\scripts> Set-ExecutionPolicy unrestricted
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
- Need to run these 2 commands in Admin mode
- You may need to run scripts 1. and 2. in the VS Developer Command Prompt
What happens to a file when signed?
Comparison of a signed and unsigned PS script.