PowerShell代码签名

If you are a system administrator, you might have had to run Task Scheduler jobs or delegate tasks to end-users. But have you wondered how you could run these tasks securely? How do you ensure the integrity and quality of the scripts on your system? This is where code signing can help.

如果您是系统管理员，则可能必须运行Task Scheduler作业或将任务委托给最终用户。 但是您是否想知道如何安全地运行这些任务？ 您如何确保系统上脚本的完整性和质量？ 这是代码签名可以提供帮助的地方。

A digital signature is a process that guarantees that a file or message has not been altered after the signature has been calculated. Signing scripts ensures the integrity of a script you run. After you verify that a script is safe to run, you can digitally sign the script to prevent others from tampering with it.

数字签名是一个过程，可确保在计算出签名后不更改文件或消息。 签名脚本可确保您运行的脚本的完整性。 验证脚本可以安全运行后，可以对脚本进行数字签名，以防止其他人对其进行篡改。

Files can be signed with signing certificates. And by adjusting Powershell Execution Policies to allow only signed scripts to run, you maintain control over the integrity of the scripts on your system. Today, let’s dive into how Powershell code signing works and how to sign a script to use!

可以使用签名证书对文件进行签名。 通过调整Powershell执行策略以仅允许运行签名的脚本，您可以控制系统上脚本的完整性。 今天，让我们深入了解Powershell代码签名的工作方式以及如何对要使用的脚本进行签名！

配置签名证书 (Configuring signing certificates)

First, let’s create a certificate template! A certificate template will enable users to request individual certificates to sign their scripts.

首先，让我们创建一个证书模板！ 证书模板将使用户能够请求单个证书来签署其脚本。

创建证书模板 (Creating a certificate template)

First, go to your Control Panel then go to “Administrative Tools > Certification Authority”. Right-click on “Certificate Templates” and click on “Manage”. You should see a list of built-in templates available for use. Right-click on “Code Signing” and select “Duplicate Template”.

首先，转到“控制面板”，然后转到“管理工具>证书颁发机构”。 右键单击“证书模板”，然后单击“管理”。 您应该看到可用的内置模板列表。 右键单击“代码签名”，然后选择“重复模板”。

You should see a window prompting you to set the properties of the new template. In the “General” tab, you will be able to set the name of the template. In the “Compatibility” tab, you’ll be able to set the Certificate Authority and Certificate Recipient. In the “Cryptography” tab, you can configure the details of the cryptographic algorithm used, like Cryptographic Provider, Algorithm name, Key Size, and more.

您应该看到一个窗口，提示您设置新模板的属性。 在“常规”标签中，您可以设置模板的名称。 在“兼容性”标签中，您可以设置证书颁发机构和证书收件人。 在“密码”选项卡中，您可以配置所使用的密码算法的详细信息，例如密码提供程序，算法名称，密钥大小等。

And in the “Security” tab, you can configure which users or groups can create code signing certificates. Users that are allowed to create code signing certificates need to be granted “Enroll” and “Read” permissions.

在“安全性”选项卡中，您可以配置哪些用户或组可以创建代码签名证书。 允许创建代码签名证书的用户需要被授予“注册”和“读取”权限。

If you already have a certificate template configured, you can simply import it for use.

如果已经配置了证书模板，则只需导入即可使用。

ldifde -i -k -f TEMPLATE_FILE

Back in “Administrative Tools > Certification Authority”, right-click the “Certificate Templates” then go to “New > Certificate Template to Issue”.

返回“管理工具>证书颁发机构”，右键单击“证书模板”，然后转到“新建>要颁发的证书模板”。

创建签名证书 (Creating a signing certificate)

On a development machine, you can now create a code signing certificate. First, open the Microsoft Management Console (mmc.msc). Then, go to “File > Add/Remove Snap-in”. From the “Available snap-ins” menu, select “Certificates” and click “Add”, then “Ok”.

在开发机器上，您现在可以创建代码签名证书。 首先，打开Microsoft管理控制台(mmc.msc)。 然后，转到“文件>添加/删除管理单元”。 从“可用的管理单元”菜单中，选择“证书”，然后单击“添加”，然后单击“确定”。

In the original window, right-click on “Personal”, select “All Tasks > Request New Certificate”. Tick the appropriate certificate and click on “Enroll”. A code signing certificate will be created.

在原始窗口中，右键单击“个人”，然后选择“所有任务>请求新证书”。 勾选相应的证书，然后单击“注册”。 将创建一个代码签名证书。

You can import a certificate to use by running this command.

您可以通过运行此命令导入要使用的证书。

Import-Certificate -FilePath "CERT_TO_IMPORT" -CertStoreLocation cert:CERT_LOCATION

You can also export a certificate from a certificate store into a file.

您还可以将证书从证书存储区导出到文件中。

$cert = Get-ChildItem -Path cert:
Export-Certificate -Cert $cert -FilePath FILE_PATH

签名脚本 (Signing scripts)

Now you can sign a script with the code signing certificate! These commands will retrieve a code signing certificate and use it to sign your script.

现在，您可以使用代码签名证书签名脚本了！ 这些命令将检索代码签名证书，并使用它来对脚本进行签名。

$cert=Get-ChildItem -Path Cert:CERT_LOCATION -CodeSigningCert 
Set-AuthenticodeSignature -FilePath SCRIPT_PATH -Certificate $cert

You can now run your signed script.

现在，您可以运行已签名的脚本。

SCRIPT_PATH

如何防止数字签名过期 (How to prevent digital signatures from expiring)

The digital signature in a script is valid until the signing certificate expires. Or, the signature can remain valid if a timestamp server can verify that the script was signed while the signing certificate was valid. Since most signing certificates expire after one year, using a timestamp server ensures that users can use your script for a longer time.

脚本中的数字签名在签名证书过期之前一直有效。 或者，如果时间戳服务器可以在签名证书有效时验证脚本已签名，则签名可以保持有效。 由于大多数签名证书都在一年后过期，因此使用时间戳服务器可确保用户可以更长久地使用您的脚本。

Powershell执行策略 (Powershell execution policies)

PowerShell’s execution policy controls how PowerShell loads configuration files and runs scripts. By setting appropriate execution policies, you can prevent the execution of malicious scripts. In particular, setting the execution policy to “AllSigned” can make sure that only scripts and configuration files that have been signed with a trusted certificate can run on your systems.

PowerShell的执行策略控制PowerShell如何加载配置文件和运行脚本。 通过设置适当的执行策略，可以防止执行恶意脚本。 特别是，将执行策略设置为“ AllSigned”可以确保只有用可信证书签名的脚本和配置文件才能在您的系统上运行。

To find the effective execution policy on your computer, you can use:

要在计算机上找到有效的执行策略，可以使用：

Get-ExecutionPolicy

You can set PowerShell’s execution policy to AllSigned by using this command.

您可以使用此命令将PowerShell的执行策略设置为AllSigned。

Set-ExecutionPolicy AllSigned

结论 (Conclusion)

Signing scripts and restricting Powershell’s execution policy accordingly is a good way to ensure the integrity of the scripts you run. In this post, we went through how you can create a code signing certificate and how you can use that certificate to sign scripts.

签名脚本并相应地限制Powershell的执行策略是确保所运行脚本的完整性的好方法。 在本文中，我们介绍了如何创建代码签名证书以及如何使用该证书对脚本进行签名。

翻译自: https://medium.com/dev-genius/powershell-code-signing-fc6086aeb61e