Coordinator
Oct 10, 2009 at 6:08 PM
Check this out:
http://www.activewin.com/awin/comments.asp?HeadlineIndex=48088
Could we use the certs from StartCom to sign our PowerShell scripts? And if so, do we want to? I like the idea that folks could run our stuff in a tightened exec policy. In fact, with PSCX 2.0 being module-based instead of MSI based, won't this issue crop up more because our scripts will be marked as "internet-based", i.e. blocked. So unless folks have access to something like streams.exe, they wouldn't be able to run them in RemoteSigned (which I think is probably the norm?).
Plus, signing the scripts would allow PSCX to run under the AllSigned exec policy.
OTOH if folks want to tweak a script, this may put them off. Of course, if you just remove the signature you could tweak to your heart's content as long as the exec policy is Unrestricted or RemoteSigned (assuming you've unblocked the file).
Developer
Oct 12, 2009 at 4:16 AM
You need at least a Class 2 (validated) cert for code-signing (so not their free certs). However, they do offer identity and organization validation for only $40/yr each (organization validation requires identity validation first), which is pretty cheap… and the fee is for the verification so you can get all the certificates that you want.
There’s not a lot on the site about code signing at all, but they do say you can submit a CSR through their wizard.
https://www.startssl.com/?app=25#60 and I’ve verified that they have Object Code Signing Certificates in their wizard. Given all of the above, I might just go ahead and get one of these myself.
Incidentally, you don’t have to use streams to unblock, you can do it from the file properties dialog. Actually, you can also unblock with the PoshCode script module, and you could borrow the C# code in that script … and create a “remove-block.exe” which would run unsigned, even in PowerShell. But honestly, if they use an installer, the files won’t be blocked anyway right?
Developer
Oct 15, 2009 at 3:30 AM
Hey, I looked into it a bit, and if you can get yourself verified by a couple of "notaries" in their web-of-trust ... that's enough to let you get a cert. In fact, it's pretty much enough to let you become a notary (which is useful, since you have to be re-verified every year). I think I'm going to become one, and make my wife or a coworker become one too ... so we can verify each other in the future.
Anyway, once you're verified (for free) by a notary, it's just the same as being verified the $40 way.
Coordinator
Oct 15, 2009 at 3:49 AM
If we don't sign we may also run into additional problems in PowerShell 2.0 as a consequence of converting to a module-based approach. Apparently in V2, only formatting files found in SystemRoot and ProgramFiles are exempt from signing when the user is running with a Restricted execution policy.
Developer
Nov 11, 2009 at 6:30 AM
Hey guys, good news, I paid the $40, and it all worked splendidly. They even called me to complete the verification process within an hour or so (even though it was past midnight at the time) ... and I got my code-signing cert.
Check out http://poshcode.org/get/1470 (it's my "Authenticode.psm1" module) and see what you think of the resulting signature.
Anyway, thought you'd like to know that system worked.
ALSO -- I did become one of their notaries, so everyone bring your passports and driver's licenses (two forms of legal photo ID required -- although when I did it through their website, they let me do it with my expired passport + driver's license) to the MVP Summit ;-)
I need to sign PSCX in order to use it for a US government site and I have a self-signed Certificate with which to sign it.
However, the instructions show how to sign the cmdlets, but how do I sign the entire Module?
Do I need to sign each cmdlet within PSCX?
If it is possible to sign the entire PSCX Module, does anyone have experience with this? A how to for this?
Any help will be greatly appreciated.
Mark Ruddock
SAIC
Developer
Aug 8, 2012 at 5:27 PM
The bottom line is: send every file in the module through Set-AuthenticodeSignature. If it can be signed, it will be, otherwise it won't.
My suggestion is to use the Authenticode module from poshcode.org which has a "sign" alias for its Set-AuthenticodeSignature wrapper ... which adds a -Module parameter so you can usually just: sign -module pscx
As a side note, maybe you should submit a request that the developers sign their releases, I happen to know they could do so at no cost to themselves except time ;-)
--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org
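What "send every file in the module through Set-AuthenticodeSignature" looks like with only the built-in cmdlet, as an added example (not Joel's Authenticode module and not PSCX code). The module path, the timestamp server URL and the list of signable extensions are assumptions; the .ps1xml pattern is included because of the formatting-file point raised earlier in the thread.

```powershell
# Added example: sign every signable file under a module folder with a
# code-signing certificate from the current user's store, then re-verify.
param(
    [Parameter(Mandatory)][string]$ModulePath,                   # e.g. a local PSCX folder (assumed)
    [string]$TimestampServer = 'http://timestamp.digicert.com'  # assumed; any RFC 3161/Authenticode TSA
)

# -CodeSigningCert is the Cert: provider's own filter: private key present
# and the Code Signing EKU (1.3.6.1.5.5.7.3.3) in the certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# Only these carry an Authenticode signature block; other files (.xml, .txt,
# help files) cannot be signed and are skipped instead of producing errors.
$signable = '*.ps1', '*.psm1', '*.psd1', '*.ps1xml', '*.dll', '*.exe'
$files = Get-ChildItem -Path $ModulePath -Recurse -Include $signable -File

$results = foreach ($f in $files) {
    # Timestamping keeps the signature valid after the certificate expires,
    # which matters for a module that ships once and is run for years.
    $sig = Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $cert `
               -TimestampServer $TimestampServer -HashAlgorithm SHA256
    [pscustomobject]@{
        File    = $f.FullName
        Status  = $sig.Status          # Valid is the only status AllSigned accepts
        Message = $sig.StatusMessage
    }
}

$results | Format-Table -AutoSize
$results | Where-Object Status -ne 'Valid' |
    ForEach-Object { Write-Warning "$($_.File): $($_.Status) - $($_.Message)" }

# Independent check the way the engine itself will evaluate the files:
# every signable file should now report Valid under AllSigned/RemoteSigned.
Get-ChildItem -Path $ModulePath -Recurse -Include $signable -File |
    Get-AuthenticodeSignature |
    Group-Object Status |
    Select-Object Name, Count
```

A status of UnknownError with a self-signed certificate usually means the signing cert is not in the Trusted Publishers / Trusted Root stores of the machine doing the verification, not that the signature itself failed.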
Awesome, thanks and yes, please, all us developers out there, please get your cmdlets and Modules signed!
By doing this, it is the only way that anyone else may safely run them in a secured environment, and I am not just talking the 3 letter acronym kind of secure here.
It is any system that is operating with normal and needful safeguards and that is mostly everywhere.
Self-signing won't cut it for most situations, except maybe where you are both the developer and the self-signer and you are running it in your local environment where you can override and put the certificate in the trusted store.
I appreciate the help on this Jaykul and I will post what I find once I get these all signed with our certificate.
Best regards all,
Mark
Joel,
I am sorry to say that I am too much of a Noob to know how to make your Authenticode.psm1 into a module and then calling its components so that I can do the code signing. I can get Get-UserCertificate to run and also Get-AuthenticodeSignature too but then I am missing how to sign the particular cmdlet(s)...
I have created numerous self-signed certificates at this stage and I have a pfx file or two that I have imported into CertMgr even but the steps for signing the cmdlets themselves is eluding me.
Could you help me on this. Perhaps you have a download of your module? I prob am simply missing it...
Any help you could grant me is greatly appreciated. We have a mandated execution policy of no lower than RemoteSigned here so all the code and cmdlets we want to use from PSCX must get signed.
Thanks!
Mark
Developer
Aug 9, 2012 at 5:44 AM
All you have to do is download it from
http://poshcode.org/get/1966 and save the file as "Authenticode.psm1" into a folder "Authenticode" in your Documents\WindowsPowerShell\Modules\ folder
Then you can Import-Module Authenticode
Honestly, you can just Import-Module C:\full\path\to\Authenticode.psm1
Then you can Set-AuthenticodeSignature -Module PSCX
--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org
Thanks very much and I appreciate your patience with my being so new to this and Powershell Modules.
Your script works wonderfully. However, my certificates are not suitable for code signing evidently.
I have created certificates via openssl and also via the IIS manager (inetMgr) but none of these are passing muster as a code signing certificate.
I am going to embark upon Microsoft's Authenticode self-signed certificate path now...wish me luck.
Again, thank you very much for your assistance with this.
Mark Ruddock
Developer
Aug 9, 2012 at 7:27 PM
For what it's worth, I wrote an extensive post on generating and using OpenSSL self-signed certs for code signing
http://huddledmasses.org/code-signing-with-openssl-and-powershell/
--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org
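A diagnostic for the "my certificates are not suitable for code signing" problem from the exchange above, as an added example (not Joel's module and not the script from his OpenSSL post). It checks the same three things PowerShell's -CodeSigningCert filter requires: a private key, the Code Signing EKU, and validity dates. The optional thumbprint parameter is an assumption.

```powershell
# Added example: explain why a certificate in CurrentUser\My is or is not
# usable by Set-AuthenticodeSignature, rather than just getting a refusal.
param([string]$Thumbprint)   # assumed: limit the check to one certificate

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # The EKU extension is where "code signing turned on" lives. A cert made
    # for IIS carries serverAuth (1.3.6.1.5.5.7.3.1) here instead, and one
    # generated without an extendedKeyUsage line has no EKU at all; both are
    # refused by PowerShell, which requires the codeSigning OID to be listed.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
    $hasCodeSigning = $ekuOids -contains $CodeSigningOid

    $now = Get-Date
    $inDate = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey      # a .cer import without the .pfx fails here
        EkuOids        = ($ekuOids -join ',')
        CodeSigningEku = $hasCodeSigning
        InDate         = $inDate
        Usable         = $Cert.HasPrivateKey -and $hasCodeSigning -and $inDate
    }
}

$certs = if ($Thumbprint) { Get-Item "Cert:\CurrentUser\My\$Thumbprint" }
         else              { Get-ChildItem Cert:\CurrentUser\My }

$report = $certs | ForEach-Object { Test-CodeSigningCert $_ }
$report | Format-Table Subject, HasPrivateKey, CodeSigningEku, InDate, Usable -AutoSize

# Cross-check: the provider's own filter should list exactly the Usable rows.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object Subject, Thumbprint
```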
I got it!
It looks like I had the certificates created without the code signing turned on somehow.
It is all functional now, thanks to you Joel.
Much appreciate this,
Mark Ruddock
Oh, and btw Joel, I read that post about the certificate creation with Openssl.
It is a helpful read.
thx