使用自签名证书（没有makecert.exe）对PowerShell脚本进行签名 [英] Signing a PowerShell script with self-signed certificates (and without makecert.exe)

问题描述

我正在尝试使用自签名证书对 .ps1 进行签名（用例适用于我在自己的私人开发站上编写的脚本，因此无需使用-或支付-
a实际CA）。但是，无论我阅读了多少关于证书生成和数字签名的指南，我似乎都无法使其正常工作。

I'm trying to sign a .ps1 using self-signed certificates (the use case is for scripts I write myself on my private dev station, so no need to use - or pay for - a real CA). However, no matter how many guides on the topic of certificates generation and digital signatures I read, I can't seem to get it working.

这就是我所取得的成就远：

Here's what I have accomplished so far:

# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
    -Subject "CN=PowerShell Trusted Authority" `
    -FriendlyName "PowerShell Trusted Authority" `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -CertStoreLocation Cert:\LocalMachine\My\ `
    -NotAfter (Get-Date).AddYears(10)

# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
    -Signer $root `
    -Subject "CN=PowerShell Code Signing" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -Type CodeSigningCert `
    -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
 Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root

以上所有操作都是通过管理Powershell实例完成的。完成之后，我可以在管理控制台中的预期位置看到这两个证书，并且签名证书的证书路径也将被检出为有效。

All of the above done from an administrative powershell instance. After that is done, I can see both certificates, in the expected locations, in the management console, and the certificate path of the signing cert checks out as valid.

I然后打开常规PS提示符并尝试对脚本进行签名：

I then open a regular PS prompt and attempt to sign the script:

# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert

# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert


    Directory: C:\Users\tomas\Documents\WindowsPowerShell


SignerCertificate          Status                Path
-----------------          ------                ----
                           UnknownError          Microsoft.PowerShell_profile.ps1

如您所见，实际签名失败。查看powershell文件，我发现脚本没有附加任何签名。

As you can see, the actual signing fails. Looking at the powershell file, I see that no signature has been appended to the script.

如果我从管理提示进行签名，我似乎会更进一步。 ;签名块已添加到脚本，签名证书的指纹已打印在 Set-AuthenticodeSignature 的输出中，但状态仍为仍然不允许使用UnknownError 和 AllSigned 策略执行。

If I do the signing from an admin prompt, I seem to get a little further; a signature block is added to the script, and the thumbprint of the signing cert is printed in the output from Set-AuthenticodeSignature, but the status is still UnknownError and execution under the AllSigned policy is still not allowed.

# Output some info about the certificate:
PS> $cert | Format-List

Subject      : CN=PowerShell Code Signing
Issuer       : CN=PowerShell Trusted Authority
Thumbprint   : <omitted>
FriendlyName :
NotBefore    : 9/20/2017 10:48:59 PM
NotAfter     : 9/20/2018 11:08:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, 
                System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

我尝试了 New-SelfSignedCertificate 的许多变体，特别是生成用于代码签名的证书，但始终并带有相同的状态消息（ UnknownError ）。

I've tried a multitude of variants of New-SelfSignedCertificate incantations, especially to generate the certificate for code signing, but always with the same status message (UnknownError).

我在这里的最终目标是能够拥有 Set-ExecutionPolicy AllSigned 并仍然运行我自己创建的脚本。在使该工作正常进行的过程中，我缺少什么？

My ultimate goal here is to be able to have Set-ExecutionPolicy AllSigned and still run scripts that I've created myself. What am I missing in this process to make that work?

推荐答案

考虑到这一点，您不需要证书链信任，因此您不需要第一份证书。您可以使用第二个证书并将其移到受信任的根文件夹中，它将起作用。使用第一个证书然后创建另一个证书似乎失败，因为'root'是自签名的，然后无法签名另一个证书。

Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self signed and then can't sign another certificate.

SELF SIGNED CERTIFICATE方法

SELF SIGNED CERTIFICATE method

# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root

# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"

# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert

如果您可以访问企业根CA，则可以使用问题中使用的方法。

If you have access to an Enterprise Root CA, you can use the method you have used in your question.

企业根CA方法（与您的问题相同）-您需要知道根CA证书指纹

ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint

# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX


# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
                -Signer $rootcert `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert

这篇关于使用自签名证书（没有makecert.exe）对PowerShell脚本进行签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！