Signing Scripts

    Question

  • I'm fairly new to PowerShell and I'm struggling with script signing.  I have the following code in my PowerShell profile.

         Set-Location Y:\Scripting\PowerShell

         function sign ($filename) {
           # first code-signing certificate in the current user's personal store
           $cert = @(gci cert:\currentuser\my -codesigning)[0]
           Set-AuthenticodeSignature $filename $cert
         }

    The goal is to allow me to sign scripts using the following syntax from any location:

         sign <Script Name>.ps1

    When I run that command I get results like this:

         SignerCertificate                         Status  Path
         -----------------                         ------  ----
         6ECC6328403812072D553A7DD073589C27A412FA  Valid   getexecpol.ps1

    There are two problems:

    1. I have my execution policy set to AllSigned.  Often, after signing the script and getting the results shown above, when I try to run the script I get a message saying that the script is unsigned.  The certificate does not expire until 12/10/2015 and I've used it successfully to sign scripts that run fine after being signed, so I think the certificate is good.
    2. If I'm not in the same folder as the script being signed then I need to put in the full path to the script, or switch to that folder.  That's not a big deal, but it would be handy if I could make it work from any location without needing the full path.  In an effort to make that happen, I added the path shown in the first line above to the Path environment variable in Windows, but that did not seem to make a difference.

    Basically, I would like to know how I can improve upon my current setup.  How can I make script signing work reliably from any location?

    Thanks for any help that you can offer!

    --Tom

    Tuesday, December 24, 2013 10:31 PM

Answers

  • Thanks for your reply.

    I think that I have figured out my problem.  I was doing something wrong that is a little embarrassing.  In the Windows PowerShell ISE, I would have the script open during development and when I felt like the script was finished I would use the command line to sign the script, and then I would save the script, which of course saves an unsigned version of the script over the signed version that I had just created.  Brilliant!

    If I save and close the script, and then sign it, I see the digital signature when I re-open the file.  It appears that I can also sign the script from the command line without closing the file, as long as I close and re-open it before making any changes.

    --Tom

    • Marked as answer by thomasm516 Tuesday, December 31, 2013 9:48 PM
    Tuesday, December 31, 2013 9:44 PM

All replies

  • You'd have to write your own code to check whether the $filename path is rooted, and if not, check the current directory followed by checking every folder in the Path variable for a match. (This is basically how the OS uses the path variable when you run an executable, but this doesn't happen automatically for opening files in other ways.)

    Personally, I wouldn't recommend doing that for an action that modifies files (or performs any other Write activity.)  At the very least, make the code prompt the user before modifying any file found via the Path variable. (i.e., found script file SignMe.ps1 in directory "C:\Windows\system32".  Proceed with setting Authenticode Signature?  Y/N)

    Wednesday, December 25, 2013 3:41 AM
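    The lookup order this reply describes (rooted path as given, then the current directory, then each folder in the Path variable) with the suggested confirmation prompt, written out as an added example. This is not code from the thread; it assumes a code-signing certificate is present in Cert:\CurrentUser\My and that the function names Resolve-ScriptToSign and sign are the caller's own choice. It uses [System.IO.File]::Exists rather than Test-Path so that a Path entry on a non-existent drive does not raise a provider error.

```powershell
# Added example (not from the original thread). Resolve a bare script name the
# way the reply describes, then sign it; anything found only through $env:Path
# is signed only after the user confirms.
function Resolve-ScriptToSign {
    param([Parameter(Mandatory)][string]$FileName)

    # Case 1: a rooted path (e.g. C:\scripts\foo.ps1) is used exactly as given
    if ([System.IO.Path]::IsPathRooted($FileName)) {
        if ([System.IO.File]::Exists($FileName)) {
            return [pscustomobject]@{ Path = $FileName; FoundVia = 'Rooted' }
        }
        return $null
    }

    # Case 2: relative to the current location
    $local = [System.IO.Path]::Combine((Get-Location).Path, $FileName)
    if ([System.IO.File]::Exists($local)) {
        return [pscustomobject]@{ Path = $local; FoundVia = 'CurrentDirectory' }
    }

    # Case 3: each folder in the Path environment variable, in order
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        $candidate = [System.IO.Path]::Combine($dir, $FileName)
        if ([System.IO.File]::Exists($candidate)) {
            return [pscustomobject]@{ Path = $candidate; FoundVia = "Path:$dir" }
        }
    }
    return $null
}

function sign {
    param([Parameter(Mandatory)][string]$FileName)

    $resolved = Resolve-ScriptToSign $FileName
    if (-not $resolved) {
        Write-Error "Script '$FileName' not found (rooted path, current directory, or `$env:Path)."
        return
    }

    # A file located through $env:Path is a write to a location the user did not
    # name explicitly, so ask first, as the reply recommends.
    if ($resolved.FoundVia -like 'Path:*') {
        $dir = $resolved.FoundVia.Substring(5)
        $answer = Read-Host "Found script file '$FileName' in directory '$dir'. Proceed with setting Authenticode signature? (Y/N)"
        if ($answer -notmatch '^[Yy]') {
            Write-Host 'Signing cancelled.'
            return
        }
    }

    # First code-signing certificate in the current user's personal store
    $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
    if (-not $cert) {
        Write-Error 'No code-signing certificate found in Cert:\CurrentUser\My.'
        return
    }

    # Returns a Signature object whose Status/Path columns match the output in the question
    Set-AuthenticodeSignature -FilePath $resolved.Path -Certificate $cert
}

# Usage (from any location): sign getexecpol.ps1
```

    Dropping the function into the profile in place of the original `sign` keeps the `sign <Script Name>.ps1` syntax while making the Path-variable lookup explicit and interactive.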
  • Hi Tom,

    In addition, would you please also post the specific error you get when you run the .ps1 script after running Set-AuthenticodeSignature? From the result you posted, this script should have been signed without error.

    To digitally sign a PowerShell script, this article is also helpful:

    Signing PowerShell Scripts

    I hope this helps.



    Wednesday, December 25, 2013 6:23 AM


  • 1. I have my execution policy set to AllSigned.  Often, after signing the script and getting the results shown above, when I try to run the script I get a message saying that the script is unsigned.  The certificate does not expire until 12/10/2015 and I've used it successfully to sign 

    As per your post, I think the script is being signed correctly, but just to double-check that the script is signed properly, how about using the Get-AuthenticodeSignature cmdlet to test that?
    Just a thought..

    Hope it helps


    Knowledge is Power{Shell}.


    Thursday, December 26, 2013 6:26 AM
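    The Get-AuthenticodeSignature check suggested here, written up as an added example that is not from the thread, together with a plain-text check for the signature block so that the overwrite-after-signing mistake in the accepted answer shows up as a distinct result. It assumes only that $Path points at a .ps1 file; the function name Test-ScriptSignature and the explanation strings are this example's own.

```powershell
# Added example (not from the original thread). Report the Authenticode status
# of a script and say what that status most likely means for a file that was
# signed from the ISE command line and possibly saved again afterwards.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # PowerShell appends the signature as a comment block at the end of the file.
    # If the editor saved an unsigned buffer over the signed file, this block is
    # gone and Status comes back as NotSigned, which is the symptom in the question.
    $hasBlock = (Get-Content -LiteralPath $Path -Raw) -match '# SIG # Begin signature block'

    $explanation = switch ($sig.Status) {
        'Valid'        { 'Signed by a trusted certificate and unchanged since signing.' }
        'NotSigned'    {
            if ($hasBlock) { 'A signature block is present but could not be read.' }
            else           { 'No signature block in the file: it was never signed, or was saved over after signing.' }
        }
        'HashMismatch' { 'Signature block present but the file content changed after signing; re-sign it.' }
        'NotTrusted'   { 'Signed, but the signing certificate chain is not trusted on this machine.' }
        'UnknownError' { 'Signed, but the certificate could not be validated (commonly an untrusted self-signed certificate).' }
        default        { "Status $($sig.Status): $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        HasSigBlock = $hasBlock
        Explanation = $explanation
    }
}

# Usage: run once right after signing, and again after the file is next saved.
# Test-ScriptSignature .\getexecpol.ps1 | Format-List
```

    Under an AllSigned execution policy, only a Valid result will let the script run; HasSigBlock being $false after a Valid result earlier is the signature having been saved away rather than a certificate problem.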
  • Thanks for the information!

    I keep all my PowerShell scripts in one folder, but with multiple subfolders, and I have very few scripts at this point, so modifying a file found via the Path variable shouldn't be a problem right now.  Nonetheless, your point is taken.  I will work on adding a prompt to the code.

    --Tom

    Tuesday, December 31, 2013 4:39 PM
  • I think my problem was that I was signing the script using the Windows PowerShell ISE command line, and then saving it, which replaced the signed version with an unsigned version.  DOH!

    Done correctly, Get-AuthenticodeSignature shows that the script is signed.

    --Tom

    Tuesday, December 31, 2013 9:47 PM