# Signing with digital certs

Topics: Developer Forum, Project Management Forum, User Forum. Wiki link: [discussion:71606]
**r_keith_hill** (Coordinator), Oct 10, 2009 at 7:08 PM

Check this out: http://www.activewin.com/awin/comments.asp?HeadlineIndex=48088

Could we use the certs from StartCom to sign our PowerShell scripts? And if so, do we want to? I like the idea that folks could run our stuff in a tightened exec policy. In fact, with PSCX 2.0 being module-based instead of MSI-based, won't this issue crop up more because our scripts will be marked as "internet-based", i.e. blocked? So unless folks have access to something like streams.exe, they wouldn't be able to run them in RemoteSigned (which I think is probably the norm?). Plus, signing the scripts would allow PSCX to run under the AllSigned exec policy. OTOH, if folks want to tweak a script, this may put them off. Of course, if you just remove the signature you could tweak to your heart's content as long as the exec policy is Unrestricted or RemoteSigned (assuming you've unblocked the file).

**Jaykul** (Developer), Oct 12, 2009 at 5:16 AM

You need at least a Class 2 (validated) cert for code signing (so not their free certs). However, they do offer identity and organization validation for only $40/yr each (organization validation requires identity validation first), which is pretty cheap... and the fee is for the verification, so you can get all the certificates that you want. There's not a lot on the site about code signing at all, but they do say you can submit a CSR through their wizard: https://www.startssl.com/?app=25#60 and I've verified that they have Object Code Signing Certificates in their wizard. Given all of the above, I might just go ahead and get one of these myself.

Incidentally, you don't have to use streams to unblock; you can do it from the file properties dialog. Actually, you can also unblock with the PoshCode script module, and you could borrow the C# code in that script ... and create a "remove-block.exe" which would run unsigned, even in PowerShell.
But honestly, if they use an installer, the files won't be blocked anyway, right?

**Jaykul** (Developer), Oct 15, 2009 at 4:30 AM

Hey, I looked into it a bit, and if you can get yourself verified by a couple of "notaries" in their web of trust ... that's enough to let you get a cert. In fact, it's pretty much enough to let you become a notary (which is useful, since you have to be re-verified every year). I think I'm going to become one, and make my wife or a coworker become one too ... so we can verify each other in the future. Anyway, once you're verified (for free) by a notary, it's just the same as being verified the $40 way.

**r_keith_hill** (Coordinator), Oct 15, 2009 at 4:49 AM

If we don't sign we may also run into additional problems in PowerShell 2.0 as a consequence of converting to a module-based approach. Apparently in V2, only formatting files found in SystemRoot and ProgramFiles are exempt from signing when the user is running with a Restricted execution policy.

**Jaykul** (Developer), Nov 11, 2009 at 7:30 AM

Hey guys, good news: I paid the $40, and it all worked splendidly. They even called me to complete the verification process within an hour or so (even though it was past midnight at the time) ... and I got my code-signing cert. Check out http://poshcode.org/get/1470 (it's my "Authenticode.psm1" module) and see what you think of the resulting signature. Anyway, thought you'd like to know that the system worked.

ALSO -- I did become one of their notaries, so everyone bring your passports and driver's licenses (two forms of legal photo ID required -- although when I did it through their website, they let me do it with my expired passport + driver's license) to the MVP Summit ;-)

**markruddock16**, Aug 8, 2012 at 5:27 PM

I need to sign PSCX in order to use it for a US government site and I have a self-signed certificate with which to sign it. However, the instructions show how to sign the cmdlets, but how do I sign the entire module? Do I need to sign each cmdlet within PSCX?
If it is possible to sign the entire PSCX module, does anyone have experience with this? A how-to for this? Any help will be greatly appreciated.

Mark Ruddock, SAIC

**Jaykul** (Developer), Aug 8, 2012 at 6:27 PM

The bottom line is: send every file in the module through Set-AuthenticodeSignature. If it can be signed, it will be; otherwise it won't. My suggestion is to use the Authenticode module from poshcode.org, which has a "sign" alias for its Set-AuthenticodeSignature wrapper ... which adds a -Module parameter so you can usually just:

`sign -module pscx`

As a side note, maybe you should submit a request that the developers sign their releases; I happen to know they could do so at no cost to themselves except time ;-)

-- Joel "Jaykul" Bennett, http://HuddledMasses.org, http://PowerShellGroup.org

**markruddock16**, Aug 8, 2012 at 7:48 PM

Awesome, thanks, and yes, please, all us developers out there, please get your cmdlets and modules signed!
Doing this is the only way that anyone else may safely run them in a secured environment, and I am not just talking about the three-letter-acronym kind of secure here. It is any system that is operating with normal and needful safeguards, and that is mostly everywhere. Self-signing won't cut it for most situations, except maybe where you are both the developer and the self-signer and you are running it in your local environment where you can override and put the certificate in the trusted store. I appreciate the help on this, Jaykul, and I will post what I find once I get these all signed with our certificate.

Best regards all,
Mark

**markruddock16**, Aug 8, 2012 at 10:48 PM

Joel, I am sorry to say that I am too much of a noob to know how to make your Authenticode.psm1 into a module and then call its components so that I can do the code signing. I can get Get-UserCertificate to run and also Get-AuthenticodeSignature too, but then I am missing how to sign the particular cmdlet(s)... I have created numerous self-signed certificates at this stage and I have a pfx file or two that I have imported into CertMgr even, but the steps for signing the cmdlets themselves are eluding me. Could you help me on this? Perhaps you have a download of your module? I probably am simply missing it... Any help you could grant me is greatly appreciated. We have a mandated execution policy of no lower than RemoteSigned here, so all the code and cmdlets we want to use from PSCX must get signed. Thanks!
Mark

**Jaykul** (Developer), Aug 9, 2012 at 6:44 AM

All you have to do is download it from http://poshcode.org/get/1966 and save the file as "Authenticode.psm1" into a folder "Authenticode" in your Documents\WindowsPowerShell\Modules\ folder. Then you can:

`Import-Module Authenticode`

Honestly, you can just:

`Import-Module C:\full\path\to\Authenticode.psm1`

Then you can:

`Set-AuthenticodeSignature -Module PSCX`

**markruddock16**, Aug 9, 2012 at 6:09 PM

Thanks very much, and I appreciate your patience with my being so new to this and PowerShell modules.
Your script works wonderfully. However, my certificates are not suitable for code signing, evidently. I have created certificates via OpenSSL and also via the IIS Manager (inetMgr), but none of these are passing muster as a code signing certificate. I am going to embark upon Microsoft's Authenticode self-signed certificate path now... wish me luck. Again, thank you very much for your assistance with this.

Mark Ruddock

**Jaykul** (Developer), Aug 9, 2012 at 8:27 PM

For what it's worth, I wrote an extensive post on generating and using OpenSSL self-signed certs for code signing: http://huddledmasses.org/code-signing-with-openssl-and-powershell/

**markruddock16**, Aug 9, 2012 at 8:52 PM

I got it! It looks like I had the certificates created without the code signing turned on somehow. It is all functional now, thanks to you Joel.
Much appreciate this,
Mark Ruddock

**markruddock16**, Aug 9, 2012 at 8:54 PM

Oh, and btw Joel, I read that post about the certificate creation with OpenSSL. It is a helpful read. Thx
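The two practical problems in this thread are (a) a certificate that "was created without the code signing turned on" and (b) signing every file in a module rather than one cmdlet at a time. The PowerShell below is an added example, not code from the thread, from PSCX, or from Joel's Authenticode module: it creates a self-signed certificate that carries the Code Signing enhanced key usage, runs every signable file under a module folder through Set-AuthenticodeSignature, and then checks the result with Get-AuthenticodeSignature. It assumes Windows PowerShell 5.1 or later with the PKI module (for New-SelfSignedCertificate -Type CodeSigningCert); the module path, certificate subject and function names are placeholders I chose.

```powershell
# Added example (not from the thread or PSCX). Assumes Windows PowerShell 5.1+ with the PKI module.
# Module path, certificate subject and timestamp URL are placeholders.

# 1. A self-signed cert whose Enhanced Key Usage is Code Signing (OID 1.3.6.1.5.5.7.3.3).
#    A cert made for TLS (IIS Manager, a plain "openssl req") lacks this EKU, which is why
#    Set-AuthenticodeSignature rejects it as "not suitable for code signing".
function New-TestCodeSigningCert {
    param([string]$Subject = 'CN=Example Module Signer (self-signed, placeholder)')
    New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable
}

# 2. Pick a usable code-signing cert from the personal store (private key present, not expired).
function Get-CodeSigningCert {
    Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 3. Sign every signable file under a module folder; files of other types are left untouched.
function Set-ModuleSignature {
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$TimestampServer   # RFC 3161 URL from your CA; empty = no timestamp (signature dies with the cert)
    )
    # Extensions Set-AuthenticodeSignature knows how to embed a signature in.
    $signable = '.ps1', '.psm1', '.psd1', '.ps1xml', '.dll', '.exe', '.cat'
    Get-ChildItem -Path $ModulePath -Recurse -File |
        Where-Object { $signable -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $params = @{ FilePath = $_.FullName; Certificate = $Certificate; HashAlgorithm = 'SHA256' }
            if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
            try {
                $sig = Set-AuthenticodeSignature @params -ErrorAction Stop
                [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Message = $sig.StatusMessage }
            } catch {
                [pscustomobject]@{ File = $_.FullName; Status = 'Error'; Message = $_.Exception.Message }
            }
        }
}

# 4. Verify. Under AllSigned/RemoteSigned what counts is Status -eq 'Valid', not merely that a
#    signer certificate is attached: a self-signed cert yields 'UnknownError' until it is trusted.
function Test-ModuleSignature {
    param([Parameter(Mandatory)][string]$ModulePath)
    Get-ChildItem -Path $ModulePath -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml |
        Get-AuthenticodeSignature |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Usage (placeholder module path):
$modulePath = "$HOME\Documents\WindowsPowerShell\Modules\PSCX"
$cert = Get-CodeSigningCert
if (-not $cert) { $cert = New-TestCodeSigningCert }
Set-ModuleSignature -ModulePath $modulePath -Certificate $cert | Format-Table -AutoSize
Test-ModuleSignature -ModulePath $modulePath | Format-Table -AutoSize
```

Two things worth checking after running it. First, a self-signed signer only reports `Valid` on machines where that certificate has been placed in both Trusted Root Certification Authorities and Trusted Publishers, which is the "put the certificate in the trusted store" step Mark mentions and the reason a self-signed cert does not scale beyond your own machines. Second, the files an execution policy actually evaluates are the script-type ones (.ps1, .psm1, .psd1, .ps1xml), so a module with an unsigned .ps1xml formatting file will still be blocked under AllSigned even if every .psm1 is signed; that is why the signing step walks the whole folder rather than just the cmdlets.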