What To Do / Not to Do in PowerShell: Part 9

You probably know that Windows PowerShell supports code-signing, a means of protecting users and ourselves against theunintentional execution of untrusted scripts. Heaven knows, half of y'all have probably set your shell's ExecutionPolicy to "Unrestricted," and are touching up your makeup even know for your appearance on CNN: "Gosh durn it, that Microsoft stuff just whacked my whole 'vironment, it did! We're a-switchin' to the Google!"

Another choice would be the RemoteSigned execution policy which, frankly, I don't care for. It basically only requires a signature for scripts that (a) live on a remote computer or (b) were downloaded through IE or Outlook. Not much extra security for me, there.

My choice is AllSigned, which requires all scripts to carry a signature. Yep, it's a bit less convenient, but I like the security it offers me. It forces me to stop, look at a script, and then sign it myself if it isn't already signed.

But I ask: Why aren't more of you signing your scripts? PoshCode.org is replete with unsigned scripts. Even Microsoft's own Scripting Guy doesn't sign his code? Whassup with that?

Okay, to be fair, signing does require a Class 3 Authenticode code-signing certificate. You can get one from anyone that sells normal Web SSL certificates, although a Class 3 will cost a bit more. They're also only issued to organizations, not individuals, so you'll have to wait a bit while they verify your company's identity. But the up side is that any script signed by you can be traced back to you. That's right, if you put some malicious dreck up in the Intertubes, and it damages my computer, I can use your signature to track you down and apply a liberal dose of baseball bat.

As a bonus, if anyone (even me) modifies your script, it breaks the signature. You script won't run. So you don't have to take responsibility for someone messing with your script, and then framing you as the bad guy. Sweet, right?

PowerShell will even let you make a self-signed certificate that will work only on your local machine. It's free, and it's perfect for just signing your own scripts. Read the "about_signing" help topic for info.

With a certificate installed, just use Set-AuthenticodeSignature to sign any script. Or, if you're using a commercial script editor - PowerShell Plus, PrimalScript, and so on - you can configure them to sign your scripts, or even to sign them every time you hit "Save." Convenient! Transparent! More secure! 

C'mon, start signing. It won't kill you.

PS: VBScript supported this, too. Nobody used it. Look where that got us.

Discuss this Blog Entry 5

on Jul 19, 2011
You don't even need a commercial script editor to do this. PowerGUI supports script signing, and it's free. You just need to install the optional Script Signing Add-on to enable this functionality, and then signing scripts is just a click away! Kirk out.
on Jul 20, 2011
We used to sign our scripts, to follow best practice. Process and Certificate overhead seemed manageable for a single team to 50 assets. When we had to teach our SA team on PowerShell and script-signing, it didn't go well. Politics ensued. The arguments that one could copy the script contents, paste it interactive into a console, and run it anyway, so the signing stops little. There's no end user access to the box, only SA and systems integrators. Those people will either be diligent, or they won't. When we say unsigned scripts are stopped from automatically being kicked off, they argue back that the testing cycle on non-live systems is where scripts should be tested. We say yes, but what if that script makes it to a live system? Then the argument goes back to diligence, human error, and the balance between getting stuff done, and going through a process with questionable benefit. Results so far, we have 100s of assets now, and we haven't seen a difference between signing and not-signing. Both teams play nice, and there are go to people to review and test scripts. There's no signing, and there is some script on the fly to put out fires - which has come in useful. Signing has questionable value in our situation, and everyone should evaluate their own situation. For cases more complex than ours, I'm glad signing is an available option.
on Jul 19, 2011
We decided early on that we would require signed scripts inside the organization. Our CA issues code signing certs and we use GPO to trust signers. Its almost trivial once you understand it. (It helps that I'm the only one writing these things) Quesiton - do you/would you require all internal code to be signed (.Net, etc)
on Jul 19, 2011
I work in a company that uses the AllSigned execution policy and there are very few people in the organisation doing anything with Powershell, but I still won't sign anything that I've uploaded to anywhere for someone else to use. If it's useful enough for me to upload (to wherever) and I've got it signed, I'll go as far as removing the signature before I upload it to anywhere. We have pretty comprehensive and easy to follow instructions readily available inside the organisation showing how to download and unblock a script and also how to obtain/create a codesigning certificate and sign a script. My reasoning is that anyone downloading any script written by anyone else should really give it a check over and 'validate' the fact that they're happy that it's non-malicious before they run it. My not signing published scripts forces the powershell curious to do that with any scripts that I've written before they can run them. It also forces me to have a good look through anything I get from them or elsewhere, and it's not been totaly unknown for me to 'learn something' whilst casting a cursory eye over someone elses code...
on Feb 2, 2017

Well, I DO have a Class 3 code-signing cert from a CA. I use it for my C# work and my PowerShell work that goes to friends and corporate people outside of the AD domain using their laptops. For the people IN the office and on the servers I made a local self-signed cert "signing authority" and a signing cert. and pushed them out to the domain. It works. As an external consultant, this makes it easier to keep what I do for myself or others (public CA) separate from what I do for clients (internal self-signed CA).

Please or Register to post comments.

What's PowerShell with a Purpose Blog?

Don Jones demystifies Windows PowerShell.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×