Signed powershell script not signed after source control

I'm trying to set up some PowerShell build scripts. I've got a self-signed certificate that I can use to sign the script and get it to run with AllSigned. The problem is, this doesn't carry across our SCM (git).

Whenever I try to clone and run the script, or change it and revert, I get the error that the file is unsigned.

File <> cannot be loaded. The file <> is not digitally signed. The script will not execute on the system. ...

If I re-sign the script, the signature block changes and I can run it again.

Is there any way to preserve the signing?

Turch asked Nov 26 '25 06:11


1 Answer

Dug into this a little more this morning:

Along with the signature block appended to the actual file, there is signature information stored as extended attributes for the file.

As can be expected, git doesn't track EAs. For attributes like permissions, the standard advice is to use a git hook. I haven't been able to find any way to set the attributes for a digital signature without re-signing the file.

This leaves 3 options:

  • Switch the build server and any other computers needing to run the script to RemoteSigned.
  • Use some shell voodoo, git hooks, and SignTool to re-sign the file each time the attribute is removed. Fragile and hacky.
  • Rework the build / deploy process so that PowerShell scripts aren't required. I'm in the early stages, so this is my best option.
Turch answered Nov 28 '25 21:11
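A build-server-side check for the situation described in the question and answer, as an added example that is not part of the original thread. It walks a checkout, records the Authenticode status of every `.ps1` (`Valid`, `NotSigned`, `HashMismatch`, ...) together with the file's line-ending style, and returns a pass/fail result so the build can refuse scripts whose signature no longer matches their content rather than dropping the machine to RemoteSigned. The repository path is a hypothetical placeholder; the cmdlets used (`Get-AuthenticodeSignature`, `Get-ChildItem`, `Get-Content`) are standard PowerShell.

```powershell
# Added example (not from the original post): report the Authenticode status of
# every .ps1 under a checkout and gate the build on all of them being Valid.
# Assumption: the repository is checked out at $RepoRoot (hypothetical path).

function Test-RepoScriptSignatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RepoRoot
    )

    $results = foreach ($file in Get-ChildItem -Path $RepoRoot -Filter *.ps1 -Recurse -File) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        # The signature hash covers the file bytes, so anything that rewrites the
        # file on checkout (line-ending conversion is the common case) yields
        # HashMismatch. Record the line-ending style to make that easy to spot.
        $raw = Get-Content -Path $file.FullName -Raw
        $lineEnding = if ($raw -match "`r`n") { 'CRLF' }
                      elseif ($raw -match "`n") { 'LF' }
                      else { 'none' }

        [pscustomobject]@{
            Path       = $file.FullName
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Message    = $sig.StatusMessage
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            LineEnding = $lineEnding
        }
    }
    return $results
}

# Returns $true only when every script's signature is Valid; the caller fails
# the build otherwise. Non-valid scripts are listed with their line-ending style.
function Assert-RepoScriptsSigned {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RepoRoot
    )

    $report = Test-RepoScriptSignatures -RepoRoot $RepoRoot
    $bad = @($report | Where-Object { $_.Status -ne 'Valid' })

    if ($bad.Count -gt 0) {
        $bad | Format-Table Path, Status, LineEnding -AutoSize | Out-Host
        return $false
    }
    return $true
}

# Usage on the build server (hypothetical path):
# if (-not (Assert-RepoScriptsSigned -RepoRoot 'C:\build\repo')) { exit 1 }
```

If the report shows `HashMismatch` on files whose `LineEnding` differs from what they had when signed, the checkout itself is changing the bytes under the signature; a `.gitattributes` rule such as `*.ps1 -text` (or an explicit `eol=crlf`) stops git from converting line endings on those files, which is a much less fragile fix than re-signing from a hook.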
