
I've followed the instructions here Create Code Signing Certificate on Windows for signing PowerShell scripts

but it doesn't work as I get this error:

File C:\temp\script.ps1 cannot be loaded. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I tried just copying the created cert into both my user and the machine trusted publishers with no luck.

Google gives me: https://4sysops.com/archives/sign-your-powershell-scripts-to-increase-security/

and the like but they're all needing to install the Windows 10 SDK.

I'm just trying to run https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus?page=51 on my Server 2016 WSUS server without polluting it any more than necessary, but I can't change the Group Policy requiring PowerShell scripts to be AllSigned.

Help?

jmp242
  • https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps – Zoredache Sep 25 '17 at 17:55
  • Here's a self signed way: https://stackoverflow.com/questions/46331902/signing-a-powershell-script-with-self-signed-certificates-and-without-makecert/46373854#46373854 – Tim Haintz Sep 26 '17 at 16:57
  • That got me 95% of the way there, but the Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert part failed with: Error: "The given path's format is not supported." . Changed to Set-AuthenticodeSignature c:\powershell.ps1 @(Get-ChildItem cert:\LocalMachine\My -codesign)[0] and no error! – jmp242 Sep 26 '17 at 18:07
  • @jmp242 the self signed certificate that you create needs to be moved to cert:\LocalMachine\Root . Did you move it? Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root – Tim Haintz Sep 27 '17 at 00:58
  • Sorry, should have been: Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root with no - at the end. – Tim Haintz Sep 27 '17 at 06:29
  • Yes, it worked with the change I said in my last comment. I'd give you answer credit but it's a comment. – jmp242 Sep 27 '17 at 12:21
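The procedure worked out in the comments (self-signed certificate, trust it on the machine, sign the script), written out as an added example that is not from the question, its comments or the linked posts. The subject name and the .cer export path are assumptions; the script path is the one from the error message. Run it from an elevated PowerShell session.

```powershell
# Added example: self-signed code-signing certificate for an AllSigned host.
# Only the public certificate is copied into the trust stores; the private key
# stays in LocalMachine\My and is created non-exportable.
$Subject    = 'CN=WSUS Maintenance Script Signing'   # assumed subject name
$ScriptPath = 'C:\temp\script.ps1'                   # script from the question
$CerPath    = 'C:\temp\wsus-codesign.cer'            # assumed export path (public key only)

# 1. Create the certificate in the machine personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy NonExportable `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2)

# 2. Export the public part (DER, no private key) ...
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# 3. ... and import that copy into the two stores AllSigned consults.
#    Root fixes "terminated in a root certificate which is not trusted";
#    TrustedPublisher removes the untrusted-publisher prompt, which fails
#    when the script runs non-interactively (scheduled task, service).
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 4. Sign the script with the private key still held in LocalMachine\My.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) $($sig.StatusMessage)"
}

# 5. Verify the way the execution policy will: chain trusted and file hash intact.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Status     = $check.Status                        # 'Valid' once steps 1-4 succeeded
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
}
```

Any edit to the script after signing invalidates the signature, so re-run step 4 after changes; because the certificate is now a trusted root on that machine, anything signed with its private key will run there, which is why the key is kept non-exportable and only the .cer is copied around.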

1 Answer


The code signing stuff is really just to stop end users running malicious untrusted scripts; it's not really intended to stop admins running stuff they've inspected and trust. It's therefore really easy to bypass the restriction for a script you are intentionally running without permanently changing the default setting on the server. This can be done by calling it from a batch file or scheduled task as follows:

powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass -file "C:\powershell script.ps1"

martin81
  • Helpful, and granted the OP doesn't have a single clear question, but this is more of a workaround than an answer to the question of how to sign a script. – Ben Franske Sep 26 '17 at 20:54
  • 1
    Yes, but that is prevented by the group policy. I tried the -executionpolicy bypass first. – jmp242 Sep 27 '17 at 12:20