PowerShell with a Purpose Blog

What To Do / Not to Do in PowerShell: Part 9

You probably know that Windows PowerShell supports code-signing, a means of protecting users and ourselves against theunintentional execution of untrusted scripts. Heaven knows, half of y'all have probably set your shell's ExecutionPolicy to "Unrestricted," and are touching up your makeup even know for your appearance on CNN: "Gosh durn it, that Microsoft stuff just whacked my whole 'vironment, it did! We're a-switchin' to the Google!"

Another choice would be the RemoteSigned execution policy which, frankly, I don't care for. It basically only requires a signature for scripts that (a) live on a remote computer or (b) were downloaded through IE or Outlook. Not much extra security for me, there.

My choice is AllSigned, which requires all scripts to carry a signature. Yep, it's a bit less convenient, but I like the security it offers me. It forces me to stop, look at a script, and then sign it myself if it isn't already signed.

But I ask: Why aren't more of you signing your scripts? PoshCode.org is replete with unsigned scripts. Even Microsoft's own Scripting Guy doesn't sign his code? Whassup with that?

Okay, to be fair, signing does require a Class 3 Authenticode code-signing certificate. You can get one from anyone that sells normal Web SSL certificates, although a Class 3 will cost a bit more. They're also only issued to organizations, not individuals, so you'll have to wait a bit while they verify your company's identity. But the up side is that any script signed by you can be traced back to you. That's right, if you put some malicious dreck up in the Intertubes, and it damages my computer, I can use your signature to track you down and apply a liberal dose of baseball bat.

As a bonus, if anyone (even me) modifies your script, it breaks the signature. You script won't run. So you don't have to take responsibility for someone messing with your script, and then framing you as the bad guy. Sweet, right?

PowerShell will even let you make a self-signed certificate that will work only on your local machine. It's free, and it's perfect for just signing your own scripts. Read the "about_signing" help topic for info.

With a certificate installed, just use Set-AuthenticodeSignature to sign any script. Or, if you're using a commercial script editor - PowerShell Plus, PrimalScript, and so on - you can configure them to sign your scripts, or even to sign them every time you hit "Save." Convenient! Transparent! More secure! 

C'mon, start signing. It won't kill you.

PS: VBScript supported this, too. Nobody used it. Look where that got us.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish