[英]Creating self-signed PowerShell scripts start to finish
While investigating this problem myself, I was unable to find any start-to finish solutions on self-signing PowerShell scripts. 当我自己调查此问题时,我无法找到有关自签名PowerShell脚本的任何从头到尾的解决方案。 So, how do you handle it all self-contained within PowerShell itself to utilize the AllSigned
Execution Policy and help secure your systems better? 因此,您如何处理所有这些在PowerShell自身中包含的功能,以利用AllSigned
执行策略并更好地保护您的系统?
This is a modern approach to self-signed PowerShell scripts. 这是一种用于自签名PowerShell脚本的现代方法。 I found older versions of PowerShell ISE (only confirmed 2.0) will encode your scripts in Big Endian vs UTF-8 and cause issues with signing. 我发现旧版本的PowerShell ISE(仅确认为2.0)将使用Big Endian与UTF-8对您的脚本进行编码,并导致签名问题。 With this method, you shouldn't run into that since we're on v4+ here. 使用这种方法,您不应该遇到这种情况,因为我们在这里使用v4 +。
Requirement: PoSH 4.0+. 要求:PoSH 4.0+。
This function will: check if a Pfx cert exists and import it to LocalMachine\\TrustedPublisher
; 此功能将:检查Pfx证书是否存在并将其导入LocalMachine\\TrustedPublisher
; check if a cert was passed to it, export to a Pfx cert and import it; 检查是否将证书传递给它,导出到Pfx证书并导入; or create the cert to LocalMachine\\Personal
, export it, and import it. 或将证书创建到LocalMachine\\Personal
,然后将其导出并导入。 I was unable to get the permissions to work with me to use the Cert:\\CurrentUser
stores outside of \\My
(Personal). 我无法获得使用\\My
(个人)之外的Cert:\\CurrentUser
存储的权限。
$ErrorActionPreference = 'Stop'
Function New-SelfSignedCertificate
{
Param([Parameter(Mandatory=$True)]$PfxCertPath,$CertObj)
# Creates a SecureString object
$Cred = (Get-Credential).Password
If (Test-Path $PfxCertPath)
{
Try {
Import-PfxCertificate -FilePath $PfxCertPath -Password $Cred -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
Write "$($PfxCertPath.FriendlyName) exists and is valid. Imported certificate to TrustedPublishers"
} Catch {
Write "Type mismatch or improper permission. Ensure your PFX cert is formed properly."
Write "[$($_.Exception.GetType().FullName)] $($_.Exception.Message)"
}
} ElseIf ($CertObj) {
Try {
Export-PfxCertificate -Cert $CertObj -FilePath $PfxCertPath -Password $Cred -Force
Import-PfxCertificate -FilePath $PfxCertPath -Password $Cred -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
} Catch {
Write "[$($_.Exception.GetType().FullName)] $($_.Exception.Message)"
}
} Else {
Try {
$DNS = "$((GWMI Win32_ComputerSystem).DNSHostName).$((GWMI Win32_ComputerSystem).Domain)"
$CertObj = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $DNS -Type CodeSigningCert -FriendlyName 'Self-Sign'
Export-PfxCertificate -Cert $CertObj -FilePath $PfxCertPath -Password $Cred -Force
Import-PfxCertificate -FilePath $PfxCertPath -Password $Cred -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
} Catch {
Write "[$($_.Exception.GetType().FullName)] $($_.Exception.Message)"
}
}
}
# Can be called like:
# Sign-Script -File C:\Script.ps1 -Certificate (GCI Cert:\LocalMachine\TrustedPublisher -CodeSigningCert)
#
# After the cert is imported to TrustedPublisher, you can use the
# exported pfx cert to sign on the machine instead of this method
Function Sign-Script
{
Param($File,$Cert)
If($Cert-is[String]){Try{$Cert=Get-PfxCertificate("$Cert")}Catch{}}
Set-AuthenticodeSignature -FilePath $File -Certificate $Cert -Force
}
Function Check-SignedScript
{
Param($File)
Get-AuthenticodeSignature -FilePath $File
}
After all is said and done, you can execute Set-ExecutionPolicy AllSigned
as admin and use this script to sign all your scripts. 说完一切之后,您可以以管理员身份执行Set-ExecutionPolicy AllSigned
,并使用此脚本对所有脚本进行签名。 Check-SignedScript
will tell you if the sign is valid and you can tell if Sign-Script
worked as your file will have # SIG # Begin signature block
at the end. Check-SignedScript
会告诉您该符号是否有效,并且您可以判断Sign-Script
是否作为文件工作,将在最后带有# SIG # Begin signature block
。 Any edits to a signed script need to be re-signed in order to execute. 对签名脚本的所有编辑都需要重新签名才能执行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.