Hi Luc,
good afternoon
Can you please check the following article?
I performed it on a Windows 2016 system to digitally sign one PowerShell script.
Though it worked, am I supposed to get any digital block inside the script?
You should see a block of text at the end of the signed script.
The block will start with
# SIG # Begin signature block
and end with
# SIG # End signature block
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Try the following snippet.
It should show you how a script looks before and after signing.
It uses a self-signed certificate to sign the script.
$code = @'
Write-Host "Hello!"
'@
# Write the unsigned script and show its content
$code | Set-Content -Path .\test.ps1
Get-Content -Path .\test.ps1
# Create a self-signed code-signing certificate in the current user's store
$sCert = @{
    Subject = 'MyCert'
    Type = 'CodeSigning'
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @sCert
# Sign the script and show its content again; the SIG block is now appended
$sSign = @{
    Certificate = $cert
    FilePath = '.\test.ps1'
}
Set-AuthenticodeSignature @sSign
Get-Content -Path .\test.ps1
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
I think I am not getting it correctly.
Could you suggest what the unknown error is?
That is to be expected with a self-signed certificate.
Behind the covers, it would produce the error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider", which the cmdlet seems to translate to this UnknownError.
In short, the self-signed certificate does not chain to a trusted root certificate.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
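The following is an added example, not Luc's code and not part of the original thread. It shows how to confirm the explanation above by building the signer's certificate chain with the .NET X509Chain class and reading the chain status; for a self-signed certificate that status is UntrustedRoot, which is the condition the cmdlet surfaces as UnknownError. It assumes .\test.ps1 has already been signed with the 'MyCert' certificate from the earlier snippet.

```powershell
# Added example (not from the thread): diagnose why Get-AuthenticodeSignature reports
# UnknownError for a self-signed certificate. Assumes .\test.ps1 was signed earlier
# with the self-signed 'MyCert' certificate.
$sig = Get-AuthenticodeSignature -FilePath .\test.ps1
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"

# Build the chain the same way the trust provider does, without relaxing any policy.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($sig.SignerCertificate)
"Chain builds  : $built"
foreach ($status in $chain.ChainStatus) {
    # For a self-signed certificate this prints 'UntrustedRoot' with the same
    # wording as the error message quoted above.
    "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Verification rule for anything you intend to run: accept only Status 'Valid'.
# UnknownError, NotSigned and HashMismatch should all be treated as unsigned.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Do not trust .\test.ps1: signature status is $($sig.Status)"
}
```

Running this after the earlier snippet prints UnknownError from the cmdlet and UntrustedRoot from the chain builder; once the signer chains to a root the machine trusts, both become Valid and an empty chain status.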
I am looking for something that would create the block in the actual PowerShell script. Is it possible by any means?
I'm afraid not, it would be like
You're changing the content of a file, that you want to protect against content change :smileygrin:
You could eventually call an external script that does the signing.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I mean to say digitally sign by a trusted CA, so that the content is encrypted and whenever someone tries to alter the script it compares the content
with the encrypted digital signature.
I am not sure what advantages I am getting using a self-signed script if I need to run it on remote systems that have the execution policy
set to RemoteSigned.
You can/should, of course, use a trusted CA, just make sure it has the CodeSigning attribute.
The previous code snippet was just an example to try out signing scripts (since you mentioned you didn't get the signature block in the script).
Btw, there is a difference between signing and encrypting, but you probably know that.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
My understanding so far is that if we digitally sign any script with a trusted CA, it creates a start and end block in the script with the encrypted content of the script in the signature block.
So one part of the signature is actually the encrypted content of the script. Is this not true?
Not in my book, signing and encrypting a script are two different things.
And require different certificate attributes afaik.
See Encryption and Signing for some background info.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
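The following is an added example, not Luc's code and not part of the original thread. It demonstrates the two points made in the replies above: that a certificate used for signing must carry the Code Signing EKU, and that signing is not encryption, since the script body stays readable and the signature block only carries a signed hash of it, so any later edit is detected as HashMismatch. It reuses the self-signed 'MyCert' certificate and .\test.ps1 from the earlier snippet (assumed present); with a CA-issued code-signing certificate the status after signing would be Valid rather than UnknownError.

```powershell
# Added example (not from the thread): show that Authenticode signing does not
# encrypt a script, and check the Code Signing EKU before using a certificate.
# Assumes the self-signed 'MyCert' certificate from earlier exists in Cert:\CurrentUser\My.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=MyCert' } |
    Select-Object -First 1

# 1. Confirm the certificate carries the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
#    A certificate without it cannot produce a valid script signature, whoever issued it.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $codeSigningOid
"Has Code Signing EKU : $hasCodeSigning"

# 2. Write and sign a script, then show that the body is still plain text.
"Write-Host 'Hello!'" | Set-Content -Path .\test.ps1
$null = Set-AuthenticodeSignature -FilePath .\test.ps1 -Certificate $cert
$bodyReadable = [bool](Select-String -Path .\test.ps1 -Pattern 'Hello!' -SimpleMatch)
"Plain-text body kept : $bodyReadable"
"Status after signing : $((Get-AuthenticodeSignature -FilePath .\test.ps1).Status)"

# 3. Change one character of the body (outside the SIG block). The hash that was
#    signed no longer matches, so verification reports HashMismatch regardless of
#    whether the signer is trusted.
$tampered = (Get-Content -Path .\test.ps1 -Raw).Replace('Hello!', 'Hullo!')
$tampered | Set-Content -Path .\test.ps1 -NoNewline
"Status after tamper  : $((Get-AuthenticodeSignature -FilePath .\test.ps1).Status)"
```

The signature block therefore protects integrity and authenticity, not confidentiality: anyone can read the script, but nobody can change it without invalidating the signature. Encrypting a file for confidentiality is a separate operation with a certificate that has a different key usage.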
Thanks Luc,
I am checking this.