PowerShell代码Sigining:如何使用具有密码保护的自签名证书?
[英]PowerShell Code Sigining: How to do use a self signed certificate with password protection?
问题描述
I am new to signing code with PowerShell. 
我是第一次使用PowerShell签名代码。 I successfully created a self-signed certificate and signed code using the following commands 我使用以下命令成功创建了自签名证书和签名代码
New-SelfSignedCertificate -certstorelocation cert:\LocalMachine\My -dnsname "xyz" -Type CodeSigningCert
$codecert = (Get-ChildItem cert:\LocalMachine\My\DF0E60B359BBADF625DCF4CA52C947F23713487F -CodeSigningCert)[0]
Set-AuthenticodeSignature .\test.ps1 $codecert
That works so far. 到目前为止有效。 However, I am a bit surprised that it offers no protection while using the certificate. 但是,我对使用证书时不提供任何保护感到惊讶。 If I log in with a different user with no administrative privileges I am able to sign code with this certificate as well. 如果我以没有管理特权的其他用户身份登录,那么我也可以使用此证书签名代码。
I tried using the parameter -PIN like this: 我尝试像这样使用参数-PIN :
$pwd = ConvertTo-SecureString -String "meingeheimespasswort"
New-SelfSignedCertificate -certstorelocation cert:\LocalMachine\My -dnsname "xyz" -Type CodeSigningCert -PIN $pwd
$codecert = (Get-ChildItem cert:\LocalMachine\My\DF0E60B359BBADF625DCF4CA52C947F23713487F -CodeSigningCert)[0]
Set-AuthenticodeSignature .\test.ps1 $codecert
The last command Set-AuthenticodeSignature then returns status "unknown error". 然后,最后一条命令Set-AuthenticodeSignature返回状态“未知错误”。 It seems that there is no parameter like -password or -pin. 似乎没有像-password或-pin这样的参数。 Is that by the design and the reason why self-signed-certificates are said to be used only for testing? 这是否是出于设计目的,以及为什么据说仅将自签名证书用于测试的原因?
For me, it appears to be a security risk if everybody could just use the existing certificate to sign code. 对我来说,如果每个人都可以使用现有证书来签名代码,则似乎存在安全风险。
Thanks in advance for your help 在此先感谢您的帮助
Martin 马丁
1 个解决方案
解决方案1
1 已采纳 2018-03-02 16:36:23
bluuf is spot on. bluuf很有名。
You're storing the key in the local machine node of the Windows Certificate Repository, and then you're complaining another user on the local machine can access the certificate. 您将密钥存储在Windows证书存储库的本地计算机节点中,然后您抱怨本地计算机上的另一个用户可以访问证书。 This isn't really a Powershell problem. 这实际上不是Powershell的问题。 This is a you need to learn where to put your things problem. 这是您需要学习将问题放在哪里的问题。
Local machine certificate store: This type of certificate store is local to the computer and is global to all users on the computer.
Current user certificate store: This type of certificate store is local to a user account on the computer.
Reference: Local Machine and Current User Certificate Stores 参考: 本地计算机和当前用户证书存储
Secure key and certificate storage is an industry unto itself. 安全密钥和证书存储本身就是一个行业。 If you want to sign your code, you'll need to keep your keys and signing cert safe. 如果要对代码进行签名,则需要保留密钥和签名证书的安全性。 The following is a good piece from Thawte: 以下是Thawte的出色作品:
https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.