piątek, 25 stycznia 2019

PowerShell - podpisywanie skryptów (self-signed cert)

  

# --- Root CA generation ---
# The TextExtension value "2.5.29.19={critical}{hex}30030101FF" is the DER
# encoding of BasicConstraints with CA:TRUE (SEQUENCE { BOOLEAN TRUE }),
# marked critical. The same bytes can be produced from .NET for comparison:
#   $asn1 = ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true)).RawData
#   $asn1 | Format-Hex -Encoding Ascii
# KeyUsage CertSign restricts this key to signing certificates; the key and
# certificate are created in the current user's personal store.
$ca_params = @{
  Type              = 'Custom'
  Subject           = 'CN=Local CA'
  FriendlyName      = 'Local CA'
  KeyAlgorithm      = 'RSA'
  KeyLength         = 2048
  KeyUsage          = 'CertSign'
  TextExtension     = @('2.5.29.19={critical}{hex}30030101FF')
  NotAfter          = (Get-Date).AddYears(10)
  CertStoreLocation = 'Cert:\CurrentUser\My'
}

# $root is the issuing CA used as -Signer for the code-signing leaf below.
$root = New-SelfSignedCertificate @ca_params
$root.ToString()

# --- Code-signing certificate, issued by the local CA ---
# Type CodeSigningCert selects the code-signing template (Code Signing EKU);
# KeyUsage DigitalSignature is all a signing key needs. Signer = $root makes
# the CA above the issuer instead of producing a second self-signed cert.
$cert_params = @{
  Signer            = $root
  Type              = 'CodeSigningCert'
  Subject           = 'CN=Robert Socha'
  FriendlyName      = 'Robert Socha CS'
  KeyAlgorithm      = 'RSA'
  KeyLength         = 2048
  KeyUsage          = 'DigitalSignature'
  NotAfter          = (Get-Date).AddYears(10)
  CertStoreLocation = 'Cert:\CurrentUser\My'
}

# Generate the certificate that will sign scripts.
$code = New-SelfSignedCertificate @cert_params
$code.ToString()

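# --- Install the CA and the signing certificate into the trust stores ---
# Both are exported with -Type CERT (public certificate only, no private key)
# through one temporary file. The file is removed on every exit path, and
# each step stops the script on error so that a failed export is never
# followed by importing a stale file into a trust store.
# NOTE: the CA private key stays in Cert:\CurrentUser\My after this; anything
# that can use that key can issue certificates this user now trusts, so it
# should be removed or protected once the leaf certificate has been issued.
$ca_file = [System.IO.Path]::GetTempFileName()
try {
  # CA -> Trusted Root Certification Authorities (current user).
  Export-Certificate -Type CERT -Cert $root -FilePath $ca_file -Force -ErrorAction Stop
  Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath $ca_file -ErrorAction Stop

  # Signing cert -> Trusted Publishers, so AllSigned runs its scripts without a prompt.
  Export-Certificate -Type CERT -Cert $code -FilePath $ca_file -Force -ErrorAction Stop
  Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath $ca_file -ErrorAction Stop
}
finally {
  # GetTempFileName() created the file, so it always exists here.
  Remove-Item -Path $ca_file
}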

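# To reuse an already-issued signing certificate instead of generating one:
# $code = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

# Script to be signed
'Write-Host "Hello, World!"' > .\sign_me.ps1

# https://go.microsoft.com/fwlink/?LinkID=135170 (about_Execution_Policies)
# AllSigned: every script must carry a signature from a trusted publisher.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force

# Default value on Windows client editions (restores the previous state):
# Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force

# Sign, then check the returned Status before running the script: a signing
# failure is reported on the result object and would otherwise go unnoticed
# until the AllSigned policy refuses to execute the file.
# NOTE: no -TimestampServer is passed, so the signature is only as durable
# as the certificate's validity period.
$sig = Set-AuthenticodeSignature -FilePath .\sign_me.ps1 -Certificate $code
if ($sig.Status -ne 'Valid') {
  throw "Signing sign_me.ps1 failed: $($sig.Status) - $($sig.StatusMessage)"
}

.\sign_me.ps1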
