我正在尝试使用自签名证书签署.ps1(用例是我自己在私人开发站写的脚本,因此无需使用 - 或付费 -
真正的CA)。但是,无论我阅读的证书生成和数字签名主题有多少指南,我似乎无法让它发挥作用。
这是我迄今为止所取得的成就:
# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
以上所有内容均来自管理PowerShell实例。完成后,我可以在管理控制台中的预期位置看到两个证书,并且签名证书的证书路径签出为有效。
然后我打开常规PS提示并尝试签署脚本:
# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
如您所见,实际签名失败。查看powershell文件,我发现脚本中没有附加任何签名。
如果我从管理员提示符进行签名,我似乎更进一步;签名块添加到脚本中,签名证书的指纹打印在Set-AuthenticodeSignature的输出中,但状态仍为UnknownError,并且AllSigned策略下的执行仍然是不允许。
# Output some info about the certificate:
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
我尝试了多种New-SelfSignedCertificate咒语变体,尤其是为代码签名生成证书,但始终使用相同的状态消息(UnknownError)。
我的最终目标是能够拥有Set-ExecutionPolicy AllSigned并且仍然运行我自己创建的脚本。在这个过程中我缺少什么来做这项工作?
答案 0 :(得分:2)
考虑到这一点,您不需要证书链信任,因此,您不需要第一个证书。您可以使用第二个证书并将其移动到受信任的根文件夹中,它将起作用。使用第一个证书然后创建另一个证书似乎失败了,因为“root”是自签名的,然后无法签署另一个证书。
SELF SIGNED CERTIFICATE方法
# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert
如果您有权访问企业根CA,则可以使用您在问题中使用的方法。
ENTERPRISE ROOT CA方法(与您的问题中的方法相同) - 您需要知道根CA证书指纹
# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX
# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
-Signer $rootcert `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert
答案 1 :(得分:-1)
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "Code Signing"
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
Set-AuthenticodeSignature -FilePath c:\go.ps1 -Certificate $cert
来源 https://blogs.u2u.be/u2u/post/creating-a-self-signed-code-signing-certificate-from-powershell