/powershell_script_sign.ps1
Last active Jan 25, 2019
PowerShell self-signed script
| # CA Generation | |
| # {hex}30030101FF => ASN.1 BasicConstraints: CA:TRUE | |
| # $asn1=([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $flase, 0,$true)).RawData | |
| # $asn1 | Format-Hex -Encoding Ascii | |
| $ca_params =@{ | |
| "Type" = "Custom"; | |
| "Subject" = "CN=Local CA"; | |
| "FriendlyName" = "Local CA"; | |
| "KeyAlgorithm" = "RSA"; | |
| "KeyLength" = 2048; | |
| "KeyUsage" = "CertSign"; | |
| "TextExtension" = @("2.5.29.19={critical}{hex}30030101FF"); | |
| "NotAfter" = ((Get-Date).AddYears(10)); | |
| "CertStoreLocation" = "Cert:\CurrentUser\My"; | |
| } | |
| $root=New-SelfSignedCertificate @ca_params | |
| $root.ToString() | |
| # Certificate generation | |
| $cert_params =@{ | |
| "Signer" = $root; | |
| "Type" = "CodeSigningCert"; | |
| "Subject" = "CN=Code Signer"; | |
| "FriendlyName" = "Code Signer"; | |
| "KeyAlgorithm" = "RSA"; | |
| "KeyLength" = 2048; | |
| "KeyUsage" = "DigitalSignature"; | |
| "NotAfter" = ((Get-Date).AddYears(10)); | |
| "CertStoreLocation" = "Cert:\CurrentUser\My"; | |
| } | |
| $code=New-SelfSignedCertificate @cert_params | |
| $code.ToString() | |
| # tmp file | |
| $ca_file = [System.IO.Path]::GetTempFileName() | |
| # Export CA cert to trusted root | |
| Export-Certificate -Type CERT -Cert $root -FilePath $ca_file -Force | |
| # This require interactive confirmation by user | |
| Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath $ca_file | |
| # Export signer cert to trusted publishers | |
| Export-Certificate -Type CERT -Cert $code -FilePath $ca_file -Force | |
| Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath $ca_file | |
| # clean up | |
| Remove-Item $ca_file | |
| # $code=(Get-ChildItem cert:\CurrentUser\my -CodeSigningCert)[0] | |
| # sample script | |
| 'Write-Host "Hello, World!"' >.\sign_me.ps1 | |
| # Change execution policy for Windows client computers | |
| # https:/go.microsoft.com/fwlink/?LinkID=135170 | |
| Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force | |
| # Default policy | |
| # Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force | |
| Set-AuthenticodeSignature .\sign_me.ps1 $code | |
| # run sample script | |
| .\sign_me.ps1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment