
I have read through this post on signing a PowerShell script with a certificate. This is more on using an external certificate from VeriSign (or similar) to encode and protect the code I have developed within a PowerShell script.

I am just trying to find out if this will actually work. I would expect the process to go as:

  1. Purchase code-signing certificate from VeriSign
  2. Install certificate on my computer
  3. Sign the PowerShell script
  4. Execute the script on desired device

Since this script would be signed with an external CA, wouldn't Windows be able to authenticate the certificate, since Windows trusts the VeriSign root CA? My guess would be that since Windows already has the VeriSign root CA and trusts it, if I happen to be on a system that does not allow Internet access the certificate will still be verified and allow me to run it?

  • Windows caches certificate revocation statuses for a certain period. If the system has no internet access, how will it update its CRLs? I don't know if it matters; you can disconnect your system, run certutil -urlcache * delete and try to execute your signed script… Commented Jul 2, 2013 at 21:37
  • Did you try it? Could you please try and let us know whether it worked. It sounds like it should work, if you have any issue with getting it to work let us know what these issues are. Commented Jul 2, 2013 at 22:49
  • I have not tried it because I do not want to try and purchase a 3 year certificate and find it has not worked. Commented Jul 3, 2013 at 0:11
  • I just purchased a code signing cert from Comodo ($75, 1 year via Tucows), but my signed script still prompts the user with the scary "untrusted publisher" warning. Perhaps I'm doing it wrong, or perhaps this is how it's supposed to work, but I've yet to see the benefit of purchasing a cert for PowerShell. Getting the cert was a real pain as well. It's easier to prompt the user to import a self-signed cert, trade 1 scary warning for another, and save your money. I hope someone can convince me otherwise. Commented Jun 5, 2014 at 11:32
  • They still get that warning because the machine is not aware of the issuer of that certificate. As the answer to this question mentions the use of intermediate CA, whoever that is for your cert has to be added to the machine I believe in order for it to trust the certificate you purchased. Commented Jun 5, 2014 at 14:54

3 Answers


That should work. I've never tried it, though, but your logic makes sense.


I looked at the cert store on my Win7 machine and it has an Oracle code signing cert issued by "Verisign Class 3 Code Signing 2010 CA". That CA is an intermediate CA. The root CA is "Verisign Class 3 Public Primary Certification Authority - G5". That root CA is in the Windows trusted root CA store. So what I gather from this is:

  1. That yes you can do it - Oracle does it

  2. Verisign does issue code signing certs, but they are signed with an intermediate CA. This means Windows has to obtain this cert somehow. The Verisign intermediate cert does have the "Authority Info Access" field which is one way Windows can retrieve an intermediate cert. But the machine would have to be able to access the internet.

    • An alternative (if internet access isn't available) is to install the intermediate cert on your users' machines. Could be part of an installer. I think that must be what Oracle did on my machine

    • For an Authenticode EXE, another alternative (if the machine can't access the internet) is to make sure the intermediate cert was embedded in the Authenticode signature in the EXE. However I don't know if PowerShell would support that.

As another confirmation you could call/email Verisign to verify their support.
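To see which of the two chain links the answer describes is actually missing on a given machine, the following added example (my own, not the answer's code) inspects a signed script's signature and rebuilds its certificate chain with network retrieval disabled, which is how an offline machine sees it. It assumes the signed script is at the hypothetical path C:\Scripts\Deploy.ps1.

```powershell
# Added example (not code from the answer): inspect a signed script's certificate
# chain the way an offline machine would, i.e. without fetching the intermediate CA
# or CRLs from the network, and report which link is missing.
# Assumption: the signed script lives at C:\Scripts\Deploy.ps1 (hypothetical path).
$ScriptPath = 'C:\Scripts\Deploy.ps1'

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status : $($sig.Status)"    # Valid, NotSigned, UnknownError, ...
if ($sig.Status -eq 'NotSigned') { return }
"Signer           : $($sig.SignerCertificate.Subject)"

# Build the chain with network retrieval disabled (AIA/CRL lookups time out immediately).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Offline'       # only locally cached CRLs are consulted
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::Zero
$codeSigningEku = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null

$built = $chain.Build($sig.SignerCertificate)
"Chain builds     : $built"
foreach ($element in $chain.ChainElements) {
    "  cert   : $($element.Certificate.Subject)"
    foreach ($st in $element.ChainElementStatus) {
        "  status : $($st.Status) - $($st.StatusInformation.Trim())"
    }
}
# 'PartialChain' means the issuing intermediate CA is neither in Cert:\LocalMachine\CA
# nor reachable via Authority Info Access, so it has to be installed by hand (or shipped
# in an installer), as the answer above describes. 'UntrustedRoot' means the chain was
# completed but ends in a root that is not in the trusted root store.
foreach ($st in $chain.ChainStatus) { "overall: $($st.Status)" }
```

Run it once on a connected machine and once with the network unplugged (after clearing the URL cache as the first comment suggests) to see whether the intermediate was being fetched silently over AIA.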


Executing the script on desired device still requires you to set the execution policy to at least AllSigned on that device. And you will still get a question if you want to trust this publisher, unless you add the certificate to the device or the domain. See here.

4 Comments

  • Yes. Main purpose in signing the PowerShell script is to encrypt the code so it is not readable.
  • Signing PS code does not encrypt it. "Signing" gives consumers assurance that s/w came from a trusted source. But, that assurance is limited, based on the policies of the CA. Typically the CA will ask for evidence that you own the domain name that is put into the cert's "Issuer" field. For big s/w publishers, or if publishing the s/w within your org, or if the consumer is already a customer that's probably good enough. But I wouldn't trust a script that I downloaded from a publisher that I hadn't heard of. If you want obfuscation, then PS is a bad choice. Use C#, Java, etc. instead.
  • @Lars, is there any way the "untrusted publisher" prompt can be skipped? I've just purchased a code signing cert from Comodo under the mistaken assumption that it would remove this warning. Is there another certificate authority (or method or procedure) that would allow my signed scripts to be trusted by default?
  • No, this does not depend on the certificate. The certificate only shows who the publisher is, but that does not mean you should trust it. You could add your certificate to the trusted publishers part in the certificate store. I have not tried it, but that should mean you would get no prompt at all. See blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/….... hmm I see that is already in my original answer...
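The answer and its comments describe two separate settings: the execution policy (AllSigned) and the Trusted Publishers store, plus the intermediate CA the earlier answer says an offline machine lacks. The following added example (mine, not the answer's code) applies all three on a target machine in one pass. It assumes the hypothetical paths C:\Scripts\Deploy.ps1 for the signed script and C:\Certs\Intermediate.cer for the issuing intermediate CA certificate exported from the signing machine, and an elevated PowerShell session.

```powershell
# Added example (not code from the answer): under the AllSigned policy, stop the
# "untrusted publisher" prompt by installing the issuing intermediate CA and the signer
# certificate on an offline machine. Run from an elevated PowerShell session.
# Assumptions (hypothetical paths): the signed script is C:\Scripts\Deploy.ps1 and the
# intermediate CA certificate was exported to C:\Certs\Intermediate.cer.
$ScriptPath      = 'C:\Scripts\Deploy.ps1'
$IntermediateCer = 'C:\Certs\Intermediate.cer'

function Add-ToStore([string]$StoreName,
                     [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($Cert)
    $store.Close()
}

# 1. Require a valid signature on every script (the policy the answer refers to).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. The intermediate CA goes into the Intermediate Certification Authorities store ('CA'),
#    so the chain up to the already-trusted root can be built without an AIA download.
$intermediate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IntermediateCer
Add-ToStore -StoreName 'CA' -Cert $intermediate

# 3. Take the signer certificate from the signature itself, refuse anything that does not
#    validate now that the chain is complete, and put it in Trusted Publishers; that store
#    is what suppresses the prompt. Do not trust the intermediate or root here, only the
#    end-entity certificate of the publisher you actually want to run scripts from.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status); not trusting this publisher." }
Add-ToStore -StoreName 'TrustedPublisher' -Cert $sig.SignerCertificate

# 4. Confirm: the signer's thumbprint is now listed under Trusted Publishers.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint
```

A LocalMachine Trusted Publishers entry silently allows every script signed by that certificate for every user of the machine, so in a domain it is better pushed (and later revoked) through Group Policy than added by hand.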
