User certificate validity time and PowerShell script signing

  • Question

  • Hello,

    I recently came across a problem.
    A year ago I signed the first PowerShell script in our company using the user's Code Signing Certificate and the command Set-AuthenticodeSignature "script.ps1" @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0].
    The script was then sent to the appropriate computers.
    The GPO for computers is Execution Policy: Allow local scripts and remote signed scripts.
    This month, there was a problem using this script.
    It turned out that the Code Signing Certificate generated for my user had expired, which meant that none of the scripts I had signed could be started.
    A new certificate had to be generated for my user and all PowerShell scripts re-signed to make them executable.
    I was looking for an answer on how to solve this problem so that scripts signed in the company keep working even after the user's Code Signing Certificate expires, but I could not find the solution.
    How do I solve this problem?
    Tuesday, October 22, 2019 1:46 PM

Answers

  • The purpose of script signing is to ensure scripts don't get altered after they are signed, not to prevent them from running. Execution policy is an administrator safety feature, not a security feature.

    Change the policy so that script signing is not required.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, October 22, 2019 1:51 PM
    Moderator
  • A temp code signing cert is only valid for a short time. Create a cert that expires in 5 years or obtain a longer-term cert that is not a self-signed cert.

    Bill's method is best, but only if the scripts are stored locally.  Also, RemoteSigned should be ignored for scripts running on network shares, but when the local net is not trusted the certs will fail.  Check with your net admins/techs to see if the users' systems have lost trust of the net.  Also, old signing methods will no longer work since MS has tightened the rules.  Search for articles on what encryption schemes are no longer supported.


    \_(ツ)_/

    Tuesday, October 22, 2019 4:04 PM
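As an added example, not part of the question or either answer above: the signing procedure from the question redone with a five-year self-signed certificate (as the second answer suggests), a SHA-256 signature with an RFC 3161 timestamp so the signature stays verifiable after the certificate expires, and the checks to run afterwards. The subject name, script path and timestamp server URL are assumptions chosen for illustration; it needs a Windows host with the PKI module (New-SelfSignedCertificate) and PowerShell 5.1 or later.

```powershell
# Added example (not from the original thread). Subject, script path and
# timestamp server below are placeholders; replace them with your own.
$Subject = 'CN=Example Corp Script Signing'   # assumed subject name
$Script  = '.\script.ps1'                     # assumed script path
$Tsa     = 'http://timestamp.digicert.com'    # assumed RFC 3161 timestamp server

# 1. A self-signed code-signing certificate with a five-year lifetime instead of
#    the short lifetime of a test certificate. A certificate from your enterprise
#    or a public CA is preferable where one is available.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(5)

# 2. Sign with SHA-256 and a timestamp. The countersignature records that the
#    certificate was valid at signing time, so verification keeps succeeding after
#    the certificate expires. Without a timestamp every signature dies with the
#    certificate, which is the failure described in the question.
$sig = Set-AuthenticodeSignature -FilePath $Script `
    -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer $Tsa
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Check the file the way a target machine will. Status must be 'Valid'.
#    'UnknownError' with a chain/root message means the signer is not trusted on
#    this host: a self-signed certificate has to be imported into Trusted Root
#    Certification Authorities and Trusted Publishers on every machine that runs
#    the script, or RemoteSigned/AllSigned will refuse it.
$check = Get-AuthenticodeSignature -FilePath $Script
[pscustomobject]@{
    Status        = $check.Status
    Message       = $check.StatusMessage
    Signer        = $check.SignerCertificate.Subject
    SignerExpires = $check.SignerCertificate.NotAfter
    TimeStamped   = ($null -ne $check.TimeStamperCertificate)
}

# 4. Show which execution policy actually applies on this machine. The GPO from
#    the question appears in the MachinePolicy scope and overrides the others.
Get-ExecutionPolicy -List
```

Sign a script that is already timestamped and then move the clock past the certificate's NotAfter, and Get-AuthenticodeSignature still reports Valid; re-sign without -TimestampServer and the same test fails, which is the quickest way to confirm the behaviour on your own build before rolling it out.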
