We are going through our first go-around in signing PowerShell scripts and just want to make sure we are doing everything correctly (best practices). So we just applied for an EV Authenticode code signing cert from Entrust.
So after we install the cert on a machine (personal certificates) and sign whatever scripts we need to sign, we will export the cert (without the private key) and push out the cert into the "Trusted Publishers" container through group policy. To be honest I'm not sure this step is required, but I'm kind of using Scott Hanselman's blog post as a template. Scott was doing this with a self-signed cert, so I'm not sure if this step is required or not since the cert will be coming from a CA, but I don't want users getting an error message the first time they try to run a signed script.
We are still working through exactly which machine we will install the cert onto but it looks like it might be our TFS Server (which is already tightly controlled).
So does everything look right? Is there any need to export the cert (without the private key) and install it in the "Trusted Root Cert Authorities" container of every PC, since it's not a self-signed cert?
Edit: I want to make an observation/correction on Keith Hill's accepted answer. I don't think his statement about not having to install the cert on the users' PCs is correct (unless you want them to get a warning message when they first try to run a script that you signed). We just got our EV Authenticode cert from Entrust, and when trying to run the cert for the first time we get the following warning message: "Do you want to run software from this untrusted publisher?" Now they can choose '[A] Always Run', which will essentially add the public key to the cert store, but if you never want them to get this warning message then you should add the public key to the "Trusted Publishers" store either manually or through group policy (which fixes the problem).
If you think about it, this makes sense. If you didn't have to add your public key to "Trusted Publishers", then anyone (outside your organization) that has access to a code signing cert could sign a PowerShell script that could be run by everyone in the world who had their execution policy set to 'AllSigned'. What's bad, I found out in my testing, is that you can add the public key by answering '[A] Always Run' to the warning discussed above, and it will add the public key to the Current User's 'Trusted Publishers' store without admin privileges.
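The workflow described in this post (sign on a controlled box, export the public cert for distribution, then check on workstations whether the signer is already in Trusted Publishers, and find publishers that users self-approved with '[A] Always Run'), written out as an added PowerShell example. This is not code from the post or from Scott Hanselman's article; the script path, export path and timestamp URL are placeholders, and it assumes the signing cert sits in the Current User Personal store with its private key:

```powershell
# Added example: sign a script, export the public cert, and audit publisher trust.
# Placeholders: $ScriptPath, $ExportPath, $TimestampUrl (use your CA's RFC 3161 URL).

$ScriptPath   = 'C:\Scripts\Deploy.ps1'               # placeholder path
$ExportPath   = 'C:\Scripts\CodeSigning-Public.cer'   # placeholder path (public cert only)
$TimestampUrl = 'http://timestamp.example.invalid'    # placeholder timestamp server

# 1. Pick the code-signing cert (with private key) from the Personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key found.' }

# 2. Sign the script. Timestamping keeps the signature valid after the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Export the certificate WITHOUT the private key for distribution via GPO.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# 4. Workstation-side check: a 'Valid' signature only means the chain is good;
#    whether the user gets the "untrusted publisher" prompt depends on the
#    signer being present in a TrustedPublisher store.
function Test-PublisherTrusted {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    if ($s.Status -ne 'Valid') { return $false }
    $thumb = $s.SignerCertificate.Thumbprint
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
               Where-Object { $_.Thumbprint -eq $thumb }
    return [bool]$trusted
}

# 5. Audit: publishers a user added with '[A] Always Run' land in the
#    CurrentUser store, so list entries that are not in the GPO-managed
#    machine store.
function Get-UserApprovedPublishers {
    $machine = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
               Select-Object -ExpandProperty Thumbprint
    Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter
}

Test-PublisherTrusted -Path $ScriptPath
Get-UserApprovedPublishers
```

Steps 1 to 3 run on the signing machine; the two functions are what you would run (or schedule) on workstations. Pushing the exported .cer into the machine-level Trusted Publishers store via GPO is what suppresses the prompt, and comparing the CurrentUser store against it shows which signers users accepted on their own.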