How to sign your first script in 48 hours

Problem


When the task to be addressed is small, do not want to write to solve a utility, especially if you .NET programmer.
Script? Definitely Yes, but to put on the war machine running Windows third-party interpreter is very much not Christian. So why not take advantage of Windows Powershell? Ready to be honest: practically no experience with him was not, but it was too tempting to look.
The script that solves the task and was ready in 15 minutes, if you don't consider one "but". Script to call it was difficult because it was a set of instructions unsuitable to run in a script. The, from the point of view of PowerShell.

There's a rational explanation, of course, the execution of scripts is subject to certain limitations specified policy on execution of scripts. After creating the script, I was not able to implement it immediately in his car. However, the problem to be solved for the local machine temporarily changing the execution policy on Unrestricted or better RemoteSigned on the production server rises seriously.

There's always a way. It is logical that the finished script for performance to sign. The process of signature engine quite lengthy and arduous, but served as a good ground for this post.

After two days of suffering at home and in the office, present to the public a brief manual for signature scripts for PowerShell.

Solution


By default, the execution of all scripts is forbidden. For starters, you must allow only signed scripts from trusted publishers and trusted root certificate. In the session administrator Powershell:

> Set-ExecutionPolicy AllSigned

Further dances with a tambourine touch utility to create the root and personal certificates.
All certificates according to the "instructions" for signing a script

> Get-Help About_Signing

are created using the utility makecert.exe, located in %Program Files%\Microsoft SDKs\Windows\v7.0A\bin\makecert

The following two steps are performed in a normal command session:

> makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r-sv root.pvk root.cer -ss Root -sr localMachine

> makecert -pe -n "CN=PowerShell User" -ss MY-a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer


The first line creates the root certificate using a certification authority a local machine. Most popular "free" method of obtaining of the certificate.
The second line creates a personal user certificate PowerShell to sign scripts, assuring its root certificate. If all goes well, both rows should show the result of Succeeded.

The above manipulation is possible and is not performed if a personal X509 certificate already exists.

After that, just in case, you can verify that the OS know about the newly created certificate. PowerShell:

> Get-Childitem cert:\CurrentUser\my-codesigning

To sign scripts is already possible, but in this case, the signature of the script each time will leave this line of Powershell:

> Set-AuthenticodeSignature "$ @ " @(Get-ChildItem cert:\CurrentUser\My-codesigning)[0]

It would be logical to create a script that will sign other scripts. The script should create it in any text editor, except PowerShell ISE. For scripts created within this environment will encounter problems with signing in Unknown Error. The decision, taken SDAs.

The script itself looks like this:
the param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My-codesigning)[0]
Set-AuthenticodeSignature $file $cert

Using the instructions above, sign this script in interactive mode PowerShell.
After that, the script to execute on another machine can be signed as follows:

> .\Add-Signature.ps1 MyScript.ps1

sad


On any machine except the one on which you created the certificate:
the
  • If the root certificate is not trusted to run the script will fail at all.
    • the
  • If the personal certificate of the Issuer who signed the script is not trusted, the code will be executed only with confirmation.

    • In order to add the root and personal certificates in the trusted, you need to use admin console mmc snap Certificates. Certificates add to folder Trusted Root Certification Authorities and Trusted Publishers.

    It does not claim to the only correct decision, but the results show that while it is more or less normal way. Asking knowledgeable to help clarify the situation and to point a link, if possible.
    Article based on information from habrahabr.ru

    Комментарии

    Отправить комментарий

    Популярные сообщения из этого блога

    Wikia Search — first impressions

    Изображение
    Today, January 7, as promised, was launched search engine Wikia Search , still only in alpha version. ( edit Angela Beasley at 06:58 UTC or 09:58 Moscow time.) Of bugs: when searching in Russian (for example, the word habrahabr ) there are errors with the coding, although it seems that everything is in utf-8. Users who have an account on Wikia, you can login with the same username, but properties users flew in Wikia Search Alpha, and on the Wikia website. About search: while search (English queries), you can create ministate (miniarticles). Next to the search result indicates the number like 1.26 (something like pagerank'a or TIC), clicking on which shows how it was counted. When you hover over the number next to it shows the stars, which don't work (looks like that will be implemented by the ranking of results). It is unclear how results are ranked, because the query " George Bush " first gets a website "George Bush Is A Crackwhore!" wit...
    Далее...

    Emulator data from GNSS receiver NMEA

    Изображение
    Introduction I had the need to test an application that uses the GNSS data NMEA. was Due to the fact that worked on the project navigation of the aircraft, test the air expensive naturally on earth to drive a car with a GNSS receiver is not particularly convenient, that like sitting at the table to have a virtual parallel port data Protocol NMEA allegedly moving equipment. First, search for different software had to try and find something suitable, but most paid and control of the emulation data is not very convenient, although practically emulate all settings of the NMEA standard. But I needed something simple emulating coordinates, speed, in principle, nothing more was required quite convenient and logical control. So I had to write an app of this kind in C#. Fly_nmea NMEA ("National Marine Electronics Association") — the full name is "NMEA 0183" is a text communication Protocol, marine (typically navigation) equipment together. Data is transmit...
    Далее...

    mSearch: search + filter for MODX Revolution

    Изображение
    Something blog MODX habré completely withered, we need to spice things up. I want to introduce you to your component, which has recently been almost completely rewritten and expanded. It's called mSearch and originally conceived as a simple site search with account of morphology of the Russian language. That is, you had a quick and easy solution for any site without installing Sphinx and other major systems. In the process gugleniya, I came across a interesting this task by phpMorphy . Full text search on a table with an index, with the generation of different word forms. The idea I liked, by my criteria it came up and I wrote my solution, basing this method. the mSearch This snippet and plugin. The snippet is looking for the plug-in index documents when saving. Installation, as usual, from the repository, in 4 clicks. At the same time, you will be prompted to download and install for phpMorphy dictionaries of the Russian language — do not give up. ...
    Далее...