Windows 7 x64, PowerShell 4.0.
I am a beginner in working with digital signatures, so I read these articles first:
I need to sign my PowerShell scripts. These scripts are to be accessible by all users of our Windows domain. But at first I want to learn to do it on my computer.
I set the execution policy to the AllSigned value (with admin rights):
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy AllSigned
According to Don Jones's article I created my own certificate (through the Developer Command Prompt for VS2015, i.e. through cmd.exe, with admin rights):
cd c:\temp
makecert -n "CN=Andrey Bushman" -a md5 -r -sv Andrey.Bushman.pvk -ss Root -sr localMachine Andrey.Bushman.cer
I got the Andrey.Bushman.cer and Andrey.Bushman.pvk files in my current directory. The first of them is 1 KB in size, and the second is 2 KB. So I see the private key file is larger than the certificate.
Question #1
Does it mean that my certificate doesn't include a copy of my private key?
Now I see a new item in the certificate store:
PS Cert:\LocalMachine\Root> Get-ChildItem | where -Property Issuer -EQ "CN=Andrey Bushman"
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
CF26A00BB7C8EB2B1EA66CA307C4B5025F636F9A CN=Andrey Bushman
Then Don Jones did this:
makecert -pe -n "CN=MyCertificate" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
Question #2
Why did he do it? Before he did it we already had our certificate in the cert:\LocalMachine\Root store.
By analogy I did this for my case:
makecert -pe -n "CN=Andrey Bushman" -ss MY -a md5 -iv Andrey.Bushman.pvk -ic Andrey.Bushman.cer
But I get nothing when I run this:
gci cert:\CurrentUser\My -codesigning
Without the -codesigning flag I get this:
PS C:\temp> gci cert:\CurrentUser\My
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
8F0D753ACA7F6631C3D967921BD06E158E1AB1AF CN=Andrey Bushman
Question #3
Why do I get nothing when I use the -codesigning flag?
OK, I try to sign a file and get this problem:
PS C:\temp> $cert = @(gci cert:\CurrentUser\My)[0]
PS C:\temp> Set-AuthenticodeSignature -FilePath .\123.ps1 -Certificate $cert
Set-AuthenticodeSignature : It isn't possible to sign the code. The specified certificate isn't suitable for code signing.
At line:1 char:1
+ Set-AuthenticodeSignature -FilePath .\123.ps1 -Certificate $cert
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
Question #4
How can I make my certificate suitable for code signing?
UPD
I can't ask my question here, because I can't register on that site (nothing arrives at my email). I wrote letters to the support team's email but they never answer. I tried to do it some years ago and I tried again some days ago, but I get the same result.
Q1: Does it mean that my certificate doesn't include a copy of my private key?
A1: Yes. Certificates can be swapped around because they don't include the private key. The private key typically only exists on one computer, with a backup copy archived in a secure location. Anyone who gets access to the private key can sign anything they want and it looks just like you did it. (A more complete answer to this question is outside the typical scope of Stack Overflow, but there are many good resources available on PKI.)
Q2: Why did he do it?
Q3: Why do I get nothing when I use the -codesigning flag?
A2/A3: The first time he ran makecert, he created the root certificate. A root certificate is specifically for issuing other certificates, which is why it does not show up as a code signing certificate. This second time, he is making the actual certificate. The -eku option specifies the certificate options to use, which can be anything from a root certificate, code signing certificate, or digital signature, to more advanced things like data encryption or client authentication.
Q4: How can I make my certificate suitable for code signing?
A4: I don't have a lot of experience with makecert.exe, as my company has a contract with Cybertrust such that I can generate as many certificates as I need without worrying about the cost for each one. (Yes, it's a nice luxury.) This means I can't answer questions on makecert.exe, its syntax, or the -eku options to use.
In many ways, makecert is doing a lot of things for you behind the scenes, but the basic things you need are the same:
-codesigning option and will be usable by Set-AuthenticodeSignature.
I would suggest using the makecert documentation and other digital certificate resources to find the right options, but based on my quick glance at the links you posted, it appears you have the majority of the information you need. Having done digital certificates for many years now, it appears to me that the biggest thing that will help you is to get more familiar with how Public Key Infrastructure (PKI) works, especially with regard to how a certificate chain works and is verified. It takes time to get it all down, and code signing in PowerShell is not the easiest place to start, but if you're going to do a lot of it, it's worth the time investment.
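As an added example (not part of the question or the answer above), the following PowerShell 4.0 script shows concretely what the -CodeSigningCert filter and Set-AuthenticodeSignature check on a certificate: whether a private key is linked to it in the store (Q1), whether its Enhanced Key Usage extension carries the code-signing OID 1.3.6.1.5.5.7.3.3 from the -eku option (Q3/Q4), and whether a chain to a trusted root can be built. It then signs a script and reads the signature status back. It assumes the certificates live in Cert:\CurrentUser\My and the script to sign is C:\temp\123.ps1 (the path from the question); the function name Test-CodeSigningCertificate is my own.

```powershell
# Added example, not the poster's or Don Jones's code. Assumes PowerShell 4.0,
# certificates in Cert:\CurrentUser\My and a script at C:\temp\123.ps1.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the OID passed to makecert -eku

function Test-CodeSigningCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Q1: the certificate carries only the public key. HasPrivateKey reports
    # whether the store has linked a private key (makecert -pe / -sv) to it.
    $hasPrivateKey = $Certificate.HasPrivateKey

    # Q3: -CodeSigningCert filters on the Enhanced Key Usage extension. A root
    # created without -eku has no such extension and is filtered out.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigningEku = $false
    if ($ekuExt) {
        $hasCodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    }

    # Chain check: the issuing root must be in a trusted root store, otherwise
    # signatures made with this certificate will not verify as Valid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($Certificate)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Thumbprint        = $Certificate.Thumbprint
        Subject           = $Certificate.Subject
        HasPrivateKey     = $hasPrivateKey
        HasCodeSigningEku = $hasCodeSigningEku
        ChainBuilds       = $chainBuilds
        ChainStatus       = $chainStatus
        UsableForSigning  = ($hasPrivateKey -and $hasCodeSigningEku -and $chainBuilds)
    }
}

# Report every certificate in the personal store and why it would or would not sign.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-CodeSigningCertificate $_ } |
    Format-Table Thumbprint, HasPrivateKey, HasCodeSigningEku, ChainBuilds, ChainStatus, UsableForSigning -AutoSize

# Sign with the first usable certificate, then verify the way AllSigned will.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Test-CodeSigningCertificate $_).UsableForSigning } |
    Select-Object -First 1

if ($cert) {
    Set-AuthenticodeSignature -FilePath C:\temp\123.ps1 -Certificate $cert | Out-Null
    $sig = Get-AuthenticodeSignature -FilePath C:\temp\123.ps1
    # Valid: chain trusted and file unchanged since signing.
    # UnknownError / NotTrusted: the issuing root is not trusted on this machine.
    # HashMismatch: the file was edited after it was signed.
    $sig | Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    Write-Warning 'No certificate in Cert:\CurrentUser\My has a private key, the code-signing EKU and a trusted chain.'
}
```

The UsableForSigning column reproduces the three conditions the question stumbled on: the first makecert run produced a root with a private key but no code-signing EKU, so it fails HasCodeSigningEku; the second run needs -eku 1.3.6.1.5.5.7.3.3 and -pe for both flags to come out true. For the domain rollout, note that with AllSigned a signed script still prompts on each machine until the signer's certificate is also placed in Cert:\LocalMachine\TrustedPublisher (and its root in Cert:\LocalMachine\Root), which is the part a Group Policy certificate deployment has to cover.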