PowerShell Code Signing of scripts


A GitHub repository is available with PowerShell scripts for signing PowerShell scripts!! In particular you can create a personal certificate for local signing, sign individual scripts, recursively sign a folder of scripts and rfecursively unsign them.

Some PowerShell scripts for personally signing PowerShell scripts!

Note that the GitHub link for this repository, sign-me-up-scotty, came from two sources. The first is the Scott Haselman (and Geoff Bard) post Signing PowerShell Scripts, with respect to code signing PowerShell scripts. A great source of information on this, as always from Scott, Thanks Scott. Also its is a play on the quote beam-me-up-scotty from the SciFi TV series Star Trek.

This page is a mirror of the ReadMe at the repository: djaus2/sign-me-up-scotty. Please leave comments and feedback at the bottom of this post.

Ever had this:

 .\1-create--local-certificate-authority : File  
sign-me-up-scotty\scripts\1-create--local-certificate-authority.ps1  
cannot be loaded. The file  
sign-me-up-scotty\scripts\1-create--local-certificate-authority.ps1 is  
not digitally signed. You cannot run this script on the current system. For more information about running scripts and  
setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.  
At line:1 char:1  
+ .\1-create--local-certificate-authority  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException  
    + FullyQualifiedErrorId : UnauthorizedAccess

Background

I have developed and extended (many times) the GitHub repository djaus2/az-iothub-ps, which is a tool for developing in a menu driven manner, entities for Azure IoT Hub, Devices, Device Provisioing Services and IoT Central. The focus with this is upon creating, managing and interconnecting these enitities as well as getting the interconnection metadata into contexts (eg enviroment variables and json files) that Quickstart samples can cosume and thus make the explorartion of the Quickstarts of these far easier. My argument is that many of the Quickstart tutorials are long-winded, Do-this-do-that etc. I have had a quest for some time to make this all simpler!

Why this repository?

I found when I downloaded the djaus2/az-iothub-ps repository, I could not run the scripts as they were remote and unsigned. Whilst I did initially try setting the execution policy using Set-ExecutionPolicy but whilst this can work I found it a bit of hack. There are Group Policy issues, hierachy of levels, requirements to do it in registry etc Is it a good practice to set Unrestricted? etc Etc.

So I have a GitHub repository which is a collection of numerous PowerShell scripts that are all subscripts to the Main Menu PowerShell script (get-iothub) in this case. Whilst I can run teh scripts on the machine where they are created, if the repository is cloned or downloaded elsewhere, PowerShell signature restrictions, especially since I install PS-7, restrict or inhibit the running of the scripts.

Q1. How then can the scripts be signed locally for use by the current user?
Q2. How than this be done for a plethora of scripts as in the above repository; using one command line entry? i.e. recursively.
Q3. If the local clone of the repository is code signed as in Q2, how can this be removed in one hit before, or as part of a pipeline, when changes are made and they are comitted back to the repository?
Q4. Is there a better way for PowerShell scripts in repositories? (Cloning, Updates and Commits)

Disclaimer
Given the nature of PowerShell, and what a script is allowed to do if a script is enabled on your system, it is up to you to check out these links and the scripts in repository and to ascertain their suitability for, and intrusiveness into, your system.
Also, note that some scripts here are recursive.

What’s in the Repository?

As indicated, this page is a mirror of the ReadMe at the repository: djaus2/sign-me-up-scotty. Please leave comments and feedback at the bottom of this post.

Usage

  • You may run into a “Catch-22” scenario. You can’t run the signing scripts unless they are signed. To get around this complete the first 3 scripts by copying the command from each directly to the command line.
  • Once they are setup you can run the later scripts as PS scripts.

If you must …

Some PS Excecution Policy

PS C:\scripts> Get-ExecutionPolicy
Unrestricted

PS C:\scripts> Set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
  • Need to run these 2 commands in Admin mode
  • You may need to run scripts 1. and 2. in the VS Developer Command Prompt

What happens to a file when signed?

A signed PS Script}
Comparison of a signed and unsigned PS script.

 TopicSubtopic
  Next: > This blog site construction
<  Prev:   Azure Sphere Projects
   
 This Category Links 
Category:Coding Index:Coding
  Next: > PowerShell
<  Prev: