Signing with digital certs

Coordinator
Oct 10, 2009 at 7:08 PM

Check this out:

http://www.activewin.com/awin/comments.asp?HeadlineIndex=48088

Could we use the certs from StartCom to sign our PowerShell scripts?  And if so, do we want to?  I like the idea that folks could run our stuff in a tightened exec policy.  In fact, with PSCX 2.0 being module-based instead of MSI-based, won't this issue crop up more because our scripts will be marked as "internet-based", i.e. blocked?  So unless folks have access to something like streams.exe, they wouldn't be able to run them in RemoteSigned (which I think is probably the norm?).  Plus, signing the scripts would allow PSCX to run under the AllSigned exec policy. 

OTOH if folks want to tweak a script, this may put them off.  Of course, if you just remove the signature you could tweak to your heart's content as long as the exec policy is Unrestricted or RemoteSigned (assuming you've unblocked the file).

Developer
Oct 12, 2009 at 5:16 AM

You need at least a Class 2 (validated) cert for code-signing (so not their free certs).  However, they do offer identity and organization validation for only $40/yr each (organization validation requires identity validation first), which is pretty cheap… and the fee is for the verification so you can get all the certificates that you want.

There’s not a lot on the site about code signing at all, but they do say you can submit a CSR through their wizard. https://www.startssl.com/?app=25#60 and I’ve verified that they have Object Code Signing Certificates in their wizard. Given all of the above, I might just go ahead and get one of these myself.

Incidentally, you don’t have to use streams to unblock, you can do it from the file properties dialog. Actually, you can also unblock with the PoshCode script module, and you could borrow the C# code in that script … and create a “remove-block.exe” which would run unsigned, even in PowerShell.  But honestly, if they use an installer, the files won’t be blocked anyway right?
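The two posts above talk past each other a little about what actually blocks a file: it is the Zone.Identifier alternate data stream that Internet Explorer, browsers and mail clients write, and RemoteSigned only refuses a file when that stream says Internet/Restricted zone and the file carries no valid signature. The following is an added example by the editor, not code from the thread or from PSCX, that audits a module folder for exactly that combination. It assumes PowerShell 3.0 or later on Windows (for `-Stream` and `Unblock-File`); the module path in the usage line is a placeholder.

```powershell
# Added example: report which files in a module folder would be refused under
# RemoteSigned, and optionally clear the Zone.Identifier mark (same effect as
# streams.exe -d or the "Unblock" button in the file properties dialog).
function Get-ModuleBlockState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ModulePath,   # placeholder: your module folder
        [switch] $Unblock
    )
    # File types the execution policy is applied to: scripts, script modules,
    # manifests and format/type data. DLLs are loaded by the CLR, not by the policy.
    $patterns = '*.ps1', '*.psm1', '*.psd1', '*.ps1xml'

    Get-ChildItem -Path $ModulePath -Recurse -Include $patterns | ForEach-Object {
        $file = $_

        # The "downloaded" mark is the Zone.Identifier NTFS stream, e.g.
        #   [ZoneTransfer]
        #   ZoneId=3
        # A file without the stream has no mark, so Get-Content fails; that is fine.
        $zone   = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($zone) {
            $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1) -replace '^ZoneId=', ''
        }

        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        # RemoteSigned treats ZoneId 3 (Internet) and 4 (Restricted) as "remote";
        # such a file runs only if its Authenticode signature is Valid.
        $isRemote = $zoneId -in '3', '4'
        $wouldRun = (-not $isRemote) -or ($sig.Status -eq 'Valid')

        if ($Unblock -and $zoneId) {
            Unblock-File -Path $file.FullName
        }

        [pscustomobject]@{
            File                  = $file.FullName
            ZoneId                = $zoneId
            Signature             = $sig.Status
            Signer                = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            RunsUnderRemoteSigned = $wouldRun
        }
    }
}

# Usage (path is a placeholder):
#   Get-ModuleBlockState -ModulePath "$HOME\Documents\WindowsPowerShell\Modules\Pscx" | Format-Table -AutoSize
#   Get-ModuleBlockState -ModulePath "$HOME\Documents\WindowsPowerShell\Modules\Pscx" -Unblock
```

Run it before unblocking and you get a per-file answer to "why won't this run": a Signature of NotSigned together with ZoneId 3 is the case the first post worries about, and a valid signature makes the zone mark irrelevant, which is the whole argument for signing the release.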

Developer
Oct 15, 2009 at 4:30 AM

Hey, I looked into it a bit, and if you can get yourself verified by a couple of "notaries" in their web-of-trust ... that's enough to let you get a cert.  In fact, it's pretty much enough to let you become a notary (which is useful, since you have to be re-verified every year).  I think I'm going to become one, and make my wife or a coworker become one too ... so we can verify each other in the future.

Anyway, once you're verified (for free) by a notary, it's just the same as being verified the $40 way.

Coordinator
Oct 15, 2009 at 4:49 AM

If we don't sign we may also run into additional problems in PowerShell 2.0 as a consequence of converting to a module-based approach. Apparently in V2, only formatting files found in SystemRoot and ProgramFiles are exempt from signing when user is running with a Restricted execution policy.

Developer
Nov 11, 2009 at 7:30 AM

Hey guys, good news, I paid the $40, and it all worked splendidly. They even called me to complete the verification process within an hour or so (even though it was past midnight at the time) ... and I got my code-signing cert.

Check out http://poshcode.org/get/1470 (it's my "Authenticode.psm1" module) and see what you think of the resulting signature.

Anyway, thought you'd like to know that system worked.

ALSO -- I did become one of their notaries, so everyone bring your passports and drivers licenses (two forms of legal photo ID required -- although when I did it through their website, they let me do it with my expired passport + drivers license) to the MVP Summit ;-)


Aug 8, 2012 at 5:27 PM

I need to sign PSCX in order to use it for a US government site and I have a self-signed Certificate with which to sign it.

However, the instructions show how to sign the cmdlets, but how do I sign the entire module?

Do I need to sign each cmdlet within PSCX?

If it is possible to sign the entire PSCX Module, does anyone have experience with this?  A how to for this?

Any help will be greatly appreciated.

Mark Ruddock

SAIC

Developer
Aug 8, 2012 at 6:27 PM
The bottom line is: send every file in the module through Set-AuthenticodeSignature. If it can be signed, it will be, otherwise it won't.

My suggestion is to use the Authenticode module from poshcode.org which has a "sign" alias for its Set-AuthenticodeSignature wrapper ... which adds a -Module parameter so you can usually just: sign -module pscx

As a side note, maybe you should submit a request that the developers sign their releases, I happen to know they could do so at no cost to themselves except time ;-)


--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org
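"Send every file in the module through Set-AuthenticodeSignature" is the whole procedure, but a practitioner also wants a timestamp (so the signatures outlive the certificate) and a report of anything that did not come out Valid. This is an added example by the editor, not the poshcode Authenticode module and not PSCX's own tooling. It assumes PowerShell 3.0 or later, a code-signing certificate with its private key in Cert:\CurrentUser\My, and a reachable RFC 3161 timestamp server; the DigiCert URL used as the default is an assumption, substitute the one your CA documents.

```powershell
# Added example: sign every signable file under a module folder with one
# certificate, timestamp each signature, and report the outcome per file.
function Set-ModuleSignature {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ModulePath,     # placeholder: the module folder
        [string] $Thumbprint,                            # optional: pick a specific cert
        [string] $TimestampServer = 'http://timestamp.digicert.com'   # assumption: your CA's URL
    )

    # -CodeSigningCert is a dynamic parameter of the certificate provider; it keeps
    # only certs whose EKU includes Code Signing. We also require a private key.
    $certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.HasPrivateKey }
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
    $cert = $certs | Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate (with private key) in Cert:\CurrentUser\My' }

    # Everything the execution policy checks (scripts, script modules, manifests,
    # format/type files) plus PE files, which Authenticode can sign as well.
    $patterns = '*.ps1', '*.psm1', '*.psd1', '*.ps1xml', '*.dll', '*.exe'

    $results = foreach ($file in Get-ChildItem -Path $ModulePath -Recurse -Include $patterns) {
        if ($PSCmdlet.ShouldProcess($file.FullName, "Sign with $($cert.Subject)")) {
            # The timestamp proves the signature was made while the cert was valid,
            # so the module keeps verifying after the cert itself expires.
            $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                       -TimestampServer $TimestampServer -HashAlgorithm SHA256
            [pscustomobject]@{
                File    = $file.FullName
                Status  = $sig.Status          # Valid is the only acceptable answer
                Message = $sig.StatusMessage
            }
        }
    }
    $results

    # Anything not Valid here will be refused under AllSigned, and under
    # RemoteSigned whenever the file is marked as downloaded.
    $bad = @($results | Where-Object { $_.Status -ne 'Valid' })
    if ($bad.Count) {
        Write-Warning ("{0} file(s) did not sign cleanly; check Status/Message above." -f $bad.Count)
    }
}

# Usage (paths are placeholders):
#   Set-ModuleSignature -ModulePath "$HOME\Documents\WindowsPowerShell\Modules\Pscx" -WhatIf
#   Set-ModuleSignature -ModulePath "$HOME\Documents\WindowsPowerShell\Modules\Pscx" | Format-Table -AutoSize
```

Two caveats that the thread touches on: the signature for a script is a hash of the file body stored in a trailing `# SIG # Begin signature block` comment, so any edit, even whitespace, invalidates it and the file must be re-signed; and a signature is only as good as the trust the consuming machine has in the certificate, which is why a CA-issued cert like the StartCom one above travels and a self-signed one generally does not.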




Aug 8, 2012 at 7:48 PM

Awesome, thanks and yes, please, all us developers out there, please get your cmdlets and Modules signed!

Doing this is the only way that anyone else may safely run them in a secured environment, and I am not just talking about the three-letter-acronym kind of secure here.

It is any system that is operating with normal and needful safeguards and that is mostly everywhere.

Self-signing won't cut it for most situations, except maybe where you are both the developer and the self-signer and you are running it in your local environment where you can override and put the certificate in the trusted store.

I appreciate the help on this Jaykul and I will post what I find once I get these all signed with our certificate.

Best regards all,

Mark

Aug 8, 2012 at 10:48 PM

Joel,

I am sorry to say that I am too much of a noob to know how to make your Authenticode.psm1 into a module and then call its components so that I can do the code signing.  I can get Get-UserCertificate to run and also Get-AuthenticodeSignature too, but then I am missing how to sign the particular cmdlet(s)...

I have created numerous self-signed certificates at this stage and I have a pfx file or two that I have imported into CertMgr even but the steps for signing the cmdlets themselves is eluding me.

Could you help me with this?  Perhaps you have a download of your module?  I probably am simply missing it...

Any help you could grant me is greatly appreciated.  We have a mandated execution policy of no lower than RemoteSigned here, so all the code and cmdlets we want to use from PSCX must get signed.

Thanks!

Mark

Developer
Aug 9, 2012 at 6:44 AM
All you have to do is download it from http://poshcode.org/get/1966 and save the file as "Authenticode.psm1" into a folder "Authenticode" in your Documents\WindowsPowerShell\Modules\ folder.
Then you can Import-Module Authenticode.
Honestly, you can just Import-Module C:\full\path\to\Authenticode.psm1

Then you can Set-AuthenticodeSignature -Module PSCX

--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org




Aug 9, 2012 at 6:09 PM

Thanks very much, and I appreciate your patience with my being so new to this and to PowerShell modules.

Your script works wonderfully.  However, my certificates are not suitable for code signing evidently.

I have created certificates via OpenSSL and also via the IIS manager (inetMgr), but none of these are passing muster as a code signing certificate.

I am going to embark upon Microsoft's Authenticode self-signed certificate path now...wish me luck.

Again, thank you very much for your assistance with this.

Mark Ruddock

Developer
Aug 9, 2012 at 8:27 PM
For what it's worth, I wrote an extensive post on generating and using OpenSSL self-signed certs for code signing
http://huddledmasses.org/code-signing-with-openssl-and-powershell/

--
Joel "Jaykul" Bennett
http://HuddledMasses.org
http://PowerShellGroup.org




Aug 9, 2012 at 8:52 PM

I got it!

It looks like I had the certificates created without the code signing turned on somehow.

It is all functional now, thanks to you Joel.

I much appreciate this,

Mark Ruddock
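The failure Mark hit, certificates that exist and have private keys but are "not suitable for code signing", is almost always the Extended Key Usage extension: an IIS or generic OpenSSL certificate carries Server Authentication, not Code Signing (OID 1.3.6.1.5.5.7.3.3), and that is exactly what `Get-ChildItem Cert:\ -CodeSigningCert` filters on and `Set-AuthenticodeSignature` rejects. The following is an added example by the editor, not Mark's or Joel's procedure and not the OpenSSL recipe from the linked post: one function that checks a certificate for the properties a signing cert needs, and one that creates a self-signed certificate with the right EKU and plants it in the stores a self-signed signature needs to verify. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 (for `New-SelfSignedCertificate -Type CodeSigningCert` and the `::new()` syntax); the subject name is a placeholder.

```powershell
# Added example: diagnose why a certificate will not sign, and mint a self-signed
# one that will, for a machine whose trust stores you control.
using namespace System.Security.Cryptography.X509Certificates

function Test-CodeSigningCert {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [X509Certificate2] $Certificate)
    process {
        $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
        # Look for the EKU extension and, inside it, the Code Signing OID.
        # An IIS "server auth" cert has 1.3.6.1.5.5.7.3.1 here instead.
        $ekuExt = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $hasCodeSigning = $false
        if ($ekuExt) {
            $hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
        }
        $notExpired = $Certificate.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            HasPrivateKey  = $Certificate.HasPrivateKey   # needed to sign at all
            CodeSigningEku = $hasCodeSigning              # needed for -CodeSigningCert to list it
            NotAfter       = $Certificate.NotAfter
            Usable         = $hasCodeSigning -and $Certificate.HasPrivateKey -and $notExpired
        }
    }
}

function New-TestCodeSigningCert {
    [CmdletBinding()]
    param([string] $Subject = 'CN=Example Script Signing (self-signed)')   # placeholder subject

    # -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3 and a signature-capable key,
    # which is the part the OpenSSL/IIS certificates in the thread were missing.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable `
                -NotAfter (Get-Date).AddYears(3)

    # A self-signed cert only yields a 'Valid' signature on a machine that trusts it:
    # the chain must end in Trusted Root, and Trusted Publishers suppresses the
    # "run software from this untrusted publisher?" prompt under AllSigned.
    # Adding to the CurrentUser Root store makes Windows show a consent dialog.
    $public = [X509Certificate2]::new($cert.Export([X509ContentType]::Cert))
    foreach ($storeName in 'Root', 'TrustedPublisher') {
        $store = [X509Store]::new($storeName, [StoreLocation]::CurrentUser)
        $store.Open([OpenFlags]::ReadWrite)
        $store.Add($public)
        $store.Close()
    }
    $cert
}

# Usage:
#   Get-ChildItem Cert:\CurrentUser\My | Test-CodeSigningCert | Format-Table -AutoSize
#   $cert = New-TestCodeSigningCert
#   Set-AuthenticodeSignature -FilePath .\MyScript.ps1 -Certificate $cert
#   (Get-AuthenticodeSignature .\MyScript.ps1).Status    # Valid on this machine only
```

The Test-CodeSigningCert pass is the check to run first: it turns "none of these are passing muster" into a concrete column that is False. And as the thread says, the self-signed route only works where you control every consuming machine's trust stores; for anything shipped to other people, a CA-issued certificate like the one Joel obtained is the answer.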

Aug 9, 2012 at 8:54 PM

Oh, and btw Joel, I read that post about the certificate creation with OpenSSL.

It is a helpful read.

thx