Wilson Mar

I am who I say I am because my CA says so


Overview

This article describes how to create self-signed code-signing certificates on Microsoft Windows and use them to put Authenticode signatures on PowerShell scripts, so that a machine running under the AllSigned execution policy will run only scripts from publishers it trusts.

Kleopatra UI

Kleopatra is the Gpg4win front-end for OpenPGP keys, which is a separate signing scheme from the Authenticode certificates described below. For that, see https://www.deepdotweb.com/2015/02/21/pgp-tutorial-for-windows-kleopatra-gpg4win/

Create self-signed cert on Windows

Based on http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

  1. On Windows machines, open an elevated (Run as Administrator) command prompt in the directory “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin", which holds makecert.exe. makecert is a command-line tool, not a GUI; that path is the Visual Studio 2005 SDK location, and later Windows SDKs install it elsewhere. Microsoft has since deprecated makecert in favor of the New-SelfSignedCertificate cmdlet, but the steps below still work where makecert is available.

  2. Set up a Certificate Authority (CA). The -r switch makes the certificate self-signed, -sv writes its private key to root.pvk, -eku 1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage OID, and -ss Root -sr localMachine installs it into the machine-wide Trusted Root Certification Authorities store (which is why the prompt must be elevated):

    
    makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
    

    CAUTION: -a sha1 selects SHA-1, which is deprecated for code signing; later makecert builds accept -a sha256, which you should use instead.

  3. In the “Create Private Key Password" dialog, type a password twice to protect root.pvk.

  4. When prompted for the private key password again, type the same password so makecert can sign the certificate with it.

    See the cert under “Trusted Root Certification Authorities".

  5. Generate a personal (end-entity) code-signing certificate issued by the root above. -pe marks the private key exportable, -ss MY places the certificate in the current user's Personal store, and -iv and -ic point at the issuer's private key and certificate:

    
    makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
    
  6. Type the root private-key password from step 3 when prompted for the Issuer Signature.

    See the cert under Personal.

  7. Invoke mmc.exe, and add the Certificates snap-in for “My user account” to view certificates.

  8. Verify the certificate is known within PowerShell:

    
    Get-ChildItem cert:\CurrentUser\My -CodeSigningCert
    
  9. Delete the temporary files root.pvk and root.cer from your working directory, but only if you will never need to issue another certificate from this root. root.pvk is the root's private key: anyone who obtains it can mint certificates that every machine trusting this root will accept, so if you keep it, store it offline and never ship it alongside a script.

    The certificates themselves live in the per-user store: on Windows XP under “C:\Documents and Settings\[username]\Application Data\Microsoft\SystemCertificates\My", on later versions under “%APPDATA%\Microsoft\SystemCertificates\My", with the private keys kept separately under “%APPDATA%\Microsoft\Crypto".

  10. Sign a script, replacing “c:\foo.ps1” with the full path to your script. The @(...)[0] picks the first code-signing certificate in your Personal store, so confirm with the Get-ChildItem above that it is the one you expect:

    Set-AuthenticodeSignature c:\foo.ps1 @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]

    PROTIP: Without a timestamp countersignature (the -TimestampServer parameter of Set-AuthenticodeSignature) the signature stops validating as soon as the certificate expires, and every script has to be re-signed.

  11. Use a text editor to view the script, which now ends with a signature block that begins with:

    # SIG # Begin signature block
    

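The same outcome as steps 1 through 11, as an added example that is not from the original page or from Hanselman's post: it uses the New-SelfSignedCertificate cmdlet (Windows 10 / Server 2016 and later), which Microsoft introduced to replace makecert.exe. It creates one self-signed code-signing certificate rather than the root plus user pair above, exports only its public half as a .cer, and signs with SHA-256 and a timestamp. The working folder, the script contents and the timestamp server URL are assumptions for illustration; the timestamp step needs Internet access.

```powershell
# Added example (not from the original page): one-certificate variant of the
# makecert procedure using New-SelfSignedCertificate. Assumed: $WorkDir, the
# constructed script, and the timestamp server URL (drop -TimestampServer
# when offline).

$WorkDir = "C:\codesign"
$Script  = Join-Path $WorkDir "foo.ps1"
$CerFile = Join-Path $WorkDir "PowerShellUser.cer"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Constructed script to sign.
Set-Content -Path $Script -Value 'Write-Output "Hello from a signed script"'

# 1. Create the certificate in the current user's Personal (My) store.
#    -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3. SHA-256 and a 2048-bit
#    RSA key replace the SHA-1 of the makecert era. NonExportable means the
#    key can sign from inside the store but can never be copied out.
$Cert = New-SelfSignedCertificate `
    -Subject "CN=PowerShell User" `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Export the public certificate only (DER-encoded .cer). This file is what
#    other machines import; the private key never leaves this store.
Export-Certificate -Cert $Cert -FilePath $CerFile -Type CERT | Out-Null

# 3. Sign the script. The countersignature from the timestamp server keeps the
#    signature verifiable after the certificate itself expires.
$Sig = Set-AuthenticodeSignature -FilePath $Script -Certificate $Cert `
    -HashAlgorithm SHA256 -TimestampServer "http://timestamp.digicert.com"

# 4. Report. Until the .cer has been imported into a Trusted Root store the
#    Status is not Valid, and StatusMessage explains that the chain ends in an
#    untrusted root; that is expected on the signing machine.
"Signer:  {0}" -f $Sig.SignerCertificate.Subject
"Status:  {0} ({1})" -f $Sig.Status, $Sig.StatusMessage
Select-String -Path $Script -Pattern '^# SIG # (Begin|End) signature block'
```

The single-certificate design means the .cer exported here must go into both the Trusted Root Certification Authorities and the Trusted Publishers stores on a receiving machine, since the certificate is its own root.
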
Export for running elsewhere

PROTIP: When sending a script to another machine, also send the exported public certificate (.cer, no private key) of the root CA, to be imported into that machine's Trusted Root Certification Authorities store, and the signing certificate's .cer for its Trusted Publishers store; the latter prevents the “Do you want to run software from this untrusted publisher?” prompt on first run. Never send root.pvk or a .pfx export of a private key.

  1. In the mmc.exe Certificates snap-in, right-click the certificate and select All Tasks > Export to start the Certificate Export Wizard.

  2. If asked whether to export the private key, choose “No, do not export the private key”. Leave “DER encoded binary X.509 (.CER)” selected and click Next.

  3. Specify the file name after a full path and click Next.

    PROTIP: It helps if everyone in an organization makes use of a company-standard folder.

  4. Click Finish.

  5. Click OK to the “The export was successful” pop-up.

Verify a signed script can be used

  1. On the receiving machine, after importing the .cer files, set the execution policy so that only signed scripts run:

    Set-ExecutionPolicy AllSigned

  2. Run the script. If its certificate is not yet in Trusted Publishers, PowerShell asks whether to run software from this untrusted publisher; answering [A] Always run adds the publisher to that store, and [V] Never run adds it to Untrusted Publishers.
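
The receiving side of the export procedure, as an added example that is not from the original page: it imports the exported .cer into the two stores named in the PROTIP above, turns on AllSigned for the current user, refuses to run a script whose signature status is anything but Valid, and then shows that a tampered copy is rejected with HashMismatch. The folder and file names are assumptions matching a company-standard folder; the LocalMachine stores require an elevated PowerShell (the CurrentUser\Root store works without elevation but raises a confirmation dialog).

```powershell
# Added example (not from the original page): import the exported public
# certificate, require signatures, verify before running, and prove that a
# modified script no longer validates. Assumed: $WorkDir, $CerFile and $Script
# are the .cer and signed script copied from the signing machine.

$WorkDir = "C:\codesign"
$CerFile = Join-Path $WorkDir "PowerShellUser.cer"
$Script  = Join-Path $WorkDir "foo.ps1"

# 1. Trust the public certificate as a root and as a publisher. A self-signed
#    code-signing certificate is its own root, so it goes into both stores:
#    Root makes the chain valid, TrustedPublisher suppresses the first-run
#    "untrusted publisher" prompt under AllSigned.
Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 2. Require signatures for this user. Group Policy scopes (MachinePolicy,
#    UserPolicy) still take precedence if an administrator has set them.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force

# 3. Verify explicitly before running: anything other than Valid is a refusal,
#    and the signer's thumbprint is logged so it can be matched against the
#    one the sender published.
$Sig = Get-AuthenticodeSignature -FilePath $Script
if ($Sig.Status -ne 'Valid') {
    throw "Refusing to run $Script : $($Sig.Status) - $($Sig.StatusMessage)"
}
"Signed by {0}, thumbprint {1}" -f $Sig.SignerCertificate.Subject, $Sig.SignerCertificate.Thumbprint
& $Script

# 4. Tamper check: the signature covers the script body, so inserting one line
#    ahead of it changes the hash. The copy reports HashMismatch and AllSigned
#    refuses to load it.
$Tampered = Join-Path $WorkDir "foo-tampered.ps1"
@('Write-Output "injected line"') + (Get-Content -Path $Script) | Set-Content -Path $Tampered
$TSig = Get-AuthenticodeSignature -FilePath $Tampered
"Tampered copy status: {0}" -f $TSig.Status
try   { & $Tampered }
catch { "Blocked as expected: $($_.Exception.Message)" }
```

The explicit Get-AuthenticodeSignature check in step 3 matters because AllSigned only decides whether PowerShell will load a file; it does not tell you who signed it. Comparing the thumbprint against one received out of band is what ties the script to the sender rather than to any certificate that happens to be in the Root store.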
