How to sign PowerShell scripts with a GlobalSign Code Signing Certificate?
Posted in Windows Powershell | No Comment | 4,848 views | 30/11/2011 20:57

You can’t run unsigned PowerShell scripts on servers unless the execution policy is set to “Unrestricted”. You need to sign your scripts so that they run without modifying security policies. If you are a software developer, signing your scripts makes you a reliable publisher for users.

By providing assurance that software is produced and signed by a “known publisher”, the practice of code signing can increase customer trust and lead to increased conversions and downloads.

But wait, you can’t sign a PowerShell script with a Web certificate. So basically a $20 certificate from AlphaSSL or similar won’t work. For Windows, you need to have a Code Signing Certificate. I’ll talk about the GlobalSign code signing certificate and the code signing process.

If you are an individual developer (like me), you can go with that option. If you purchase an individual developer certificate, you’ll get a certificate issued to your name (like Yusuf Ozturk). Let’s read it from GlobalSign:

Software Vendors and Organizations can digitally sign and timestamp the software they distribute over the Internet, ensuring that the end user knows the software is legitimate and has not been tampered with since being published.

Individual Developers, i.e. those developers not associated with larger organizations, can also buy and use Code Signing certificates. The full name of the developer is attached to the certificate, so customers will see the message “This software has been published by John Doe”.

So what do you need to get a code signing certificate?

1. Money $$ – It’s not as cheap as a web server certificate.
2. A copy of VALID FORM OF IDENTIFICATION (Driver’s License, Passport or Entry Visa)
3. A copy of most recent TELEPHONE BILL. In my case I’ve used my Vodafone bill.
4. A copy of most current UTILITY BILL (Electricity, Gas, or Water ONLY) – required if address on Driver’s License does not match address in application

I’ve used my Passport and Vodafone bill to confirm my address. You can send them via mail or fax.

After you apply, if you meet the requirements, a member of GlobalSign personnel will call you to confirm your request. Then they will send you a download link for your certificate. You will download your certificate in .pfx format. After that, you are ready to sign your PowerShell scripts. You can use the following commands to sign your script.

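    # Load the code signing certificate from the .pfx file (prompts for the password if the file is protected)
    $cert = Get-PfxCertificate .\CodeSignCertificate.pfx
    # Sign the script, embed the full certificate chain, and add a timestamp from GlobalSign's server
    Set-AuthenticodeSignature -FilePath .\YourPowershellScript.ps1 -Certificate $cert -IncludeChain All -TimestampServer "http://timestamp.globalsign.com/scripts/timstamp.dll"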

You will notice that extra lines of hash are appended to your PowerShell script.

So you have a secure PowerShell script :) If someone changes or manipulates your script, the end user will be notified of that with a security warning. I hope this will help you to make your scripts trusted.
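To check the result, and to see the tamper detection described above, the following added example (not part of the original post) reads the signature back with Get-AuthenticodeSignature and compares the signed script with a copy edited after signing. Test-ScriptSignature, the optional thumbprint parameter and the temporary file name are hypothetical names; it assumes .\YourPowershellScript.ps1 was signed as shown earlier.

```powershell
# Added example. Test-ScriptSignature and the ".tampered" file name are hypothetical.
function Test-ScriptSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Optional: thumbprint of the certificate expected to have signed the file.
        [string] $ExpectedThumbprint
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # If a thumbprint was supplied, the signer must match it exactly.
    $pinOk = (-not $ExpectedThumbprint) -or
             ($signer -and ($signer.Thumbprint -eq $ExpectedThumbprint))

    [pscustomobject]@{
        Path        = $sig.Path
        Status      = $sig.Status            # SignatureStatus enum value
        Message     = $sig.StatusMessage
        Signer      = if ($signer) { $signer.Subject } else { $null }
        Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
        # A timestamp lets the signature be checked after the certificate expires.
        Timestamped = [bool] $sig.TimeStamperCertificate
        Accepted    = ($sig.Status -eq 'Valid') -and $pinOk
    }
}

# The script signed above, and a copy that is modified after signing.
$original = '.\YourPowershellScript.ps1'
$tampered = Join-Path $env:TEMP 'YourPowershellScript.tampered.ps1'

# Prepend one line so the hashed content no longer matches the signature block.
$content = Get-Content -Path $original
Set-Content -Path $tampered -Value (@('# line added after signing') + $content)

Test-ScriptSignature -Path $original
Test-ScriptSignature -Path $tampered

Remove-Item -Path $tampered
```

The untouched script should report Valid when its certificate chain is trusted on the machine, while the copy edited after signing reports HashMismatch.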


