Menu
I'm trying to sign a .ps1 using self-signed certificates (the use case is for scripts I write myself on my private dev station, so no need to use - or pay for -
a real CA). However, no matter how many guides on the topic of certificates generation and digital signatures I read, I can't seem to get it working.
Here's what I have accomplished so far:
# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
All of the above done from an administrative powershell instance. After that is done, I can see both certificates, in the expected locations, in the management console, and the certificate path of the signing cert checks out as valid.
I then open a regular PS prompt and attempt to sign the script:
# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
As you can see, the actual signing fails. Looking at the powershell file, I see that no signature has been appended to the script.
If I do the signing from an admin prompt, I seem to get a little further; a signature block is added to the script, and the thumbprint of the signing cert is printed in the output from Set-AuthenticodeSignature, but the status is still UnknownError and execution under the AllSigned policy is still not allowed.
# Output some info about the certificate:
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
I've tried a multitude of variants of New-SelfSignedCertificate incantations, especially to generate the certificate for code signing, but always with the same status message (UnknownError).
My ultimate goal here is to be able to have Set-ExecutionPolicy AllSigned and still run scripts that I've created myself. What am I missing in this process to make that work?
308
To create a self-signed code-signing certificate, run the New-SelfSignedCertificate command below in PowerShell. The Type parameter specifies to create a CodeSigningCert certificate type. The certificate will be valid for 24 months. Note that assigning a specific validity period is optional with the NotAfter parameter.
Using UnRestricted Execution Policy to fix script not digitally signed. The easiest and unsecured way to fix PowerShell script is not digitally signed error is to change the local computer execution policy to unrestricted. Allows running local scripts and all scripts downloaded from the internet.
In order to change the PowerShell Execution Policy you have to start PowerShell as an administrator and run the following command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned . You can also set the RemoteSigned to unrestricted, but it is discouraged by Microsoft.
Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self signed and then can't sign another certificate.
SELF SIGNED CERTIFICATE method
# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert
If you have access to an Enterprise Root CA, you can use the method you have used in your question.
ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint
# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX
# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
-Signer $rootcert `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With