I am who I say I am because my CA says so
Overview
This article describes the use of self-signed code signing certificates on Microsoft Windows operating systems.
See https://www.microsoft.com/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/
Kleopatra UI
See https://www.deepdotweb.com/2015/02/21/pgp-tutorial-for-windows-kleopatra-gpg4win/
Create self-signed cert on Windows
Based on http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
- On a Windows machine, in directory “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin”, invoke the makecert.exe tool.
- Set up a Certificate Authority (CA):
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
- Type in a password twice for the Subject Key.
- Type it in again. See the cert under “Trusted Root CA”.
- Generate a personal certificate from the above certificate authority:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
- Type in a password for the Issuer Signature. See the cert under Personal.
- Invoke mmc.exe and add the Certificates snap-in for “My user account” to view certificates.
- Verify the certificate is known within PowerShell:
Get-ChildItem cert:\CurrentUser\My -codesign
- Delete the temporary files root.pvk and root.cer from your working directory. The certificate info is stored with that of others in “C:\Documents and Settings\[username]\Application Data\Microsoft\SystemCertificates\My”.
- Sign a script, replacing “c:\foo.ps1” with the full path to your script:
Set-AuthenticodeSignature c:\foo.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
- Use a text editor to view the script, which now has a signature block that begins with:
# SIG # Begin signature block
Export for running elsewhere
PROTIP: When sending a script, also send along its PowerShell certificates in the Trusted Root Certification Authorities container. Also send the Trusted Publishers file to prevent the first-time prompt from appearing.
- Right-click and select Export for the Certificate Export Wizard GUI.
- Leave “DER encoded binary X.509 (.CER)” selected and click Next.
- Specify the file name after a full path and click Next.
PROTIP: It helps if everyone in an organization makes use of a company-standard folder.
- Click Finish.
- Click OK to the “The export was successful” pop-up.
Verify a signed script can be used
- Set the execution policy so that only signed scripts run:
Set-ExecutionPolicy AllSigned
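As an added worked example (not from the original article), the following PowerShell ties the steps above together: it signs a constructed script with the “PowerShell User” certificate, reports the status and signer chain the way AllSigned evaluates them, and then shows that editing the script body after signing turns the status into HashMismatch. It assumes the certificate and its root from the makecert steps are already installed, and it uses SHA256 as the signature hash, which is an assumption rather than the article's sha1 choice.

```powershell
# Added example, not from the original article. Assumes the "CN=PowerShell User"
# code-signing certificate created by the makecert steps above is in Cert:\CurrentUser\My
# and that its root ("PowerShell Local Certificate Root") is in Trusted Root CAs.
# SHA256 for the signature hash is this example's assumption, not the article's sha1.

# Constructed sample script to sign.
$scriptPath = Join-Path $env:TEMP 'hello-signed.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# -CodeSigningCert is the full name of the -codesign abbreviation used in the article.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq 'CN=PowerShell User' | Select-Object -First 1
if (-not $cert) { throw 'No CN=PowerShell User code-signing certificate in CurrentUser\My' }

function Test-ScriptSignature {
    # Reports what AllSigned would see: the hash/chain status plus who signed the file.
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $s.Status            # Valid, NotSigned, HashMismatch, UnknownError (untrusted chain)
        Message = $s.StatusMessage
        Signer  = $s.SignerCertificate.Subject
        Issuer  = $s.SignerCertificate.Issuer
        Thumb   = $s.SignerCertificate.Thumbprint
    }
}

# 1. Sign, then verify: expect Status Valid and Issuer = CN=PowerShell Local Certificate Root.
#    If the root is not in Trusted Root CAs, Status is UnknownError and Message explains why.
$null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
Test-ScriptSignature -Path $scriptPath | Format-List

# 2. Change one character of the body after signing; the "# SIG #" block is left intact.
#    The embedded hash no longer matches the content, so Status becomes HashMismatch and
#    AllSigned refuses to run the script. This is the tamper evidence the signature provides.
$body = Get-Content -Path $scriptPath -Raw
$body = $body.Replace('Write-Output "hello', 'Write-Output "HELLO')
Set-Content -Path $scriptPath -Value $body -NoNewline
Test-ScriptSignature -Path $scriptPath | Format-List

# 3. Show the policy in effect per scope; AllSigned at CurrentUser or LocalMachine is what
#    makes the Valid/HashMismatch distinction above enforceable at run time.
Get-ExecutionPolicy -List
```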
More on DevOps
This is one of a series on DevOps:
- DevOps_2.0
- ci-cd (Continuous Integration and Continuous Delivery)
- User Stories for DevOps
- Git and GitHub vs File Archival
- Git Commands and Statuses
- Git Commit, Tag, Push
- Git Utilities
- Data Security GitHub
- GitHub API
- Choices for DevOps Technologies
- Pulumi Infrastructure as Code (IaC)
- Java DevOps Workflow
- AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
- AWS server deployment options
- Cloud services comparisons (across vendors)
- Cloud regions (across vendors)
- Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
- Azure Certifications
- Azure Cloud Powershell
- Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
- Azure Networking
- Azure Storage
- Azure Compute
- Digital Ocean
- Packer automation to build Vagrant images
- Terraform multi-cloud provisioning automation
- Hashicorp Vault and Consul to generate and hold secrets
- Powershell Ecosystem
- Powershell on MacOS
- Jenkins Server Setup
- Jenkins Plug-ins
- Jenkins Freestyle jobs
- Docker (Glossary, Ecosystem, Certification)
- Make Makefile for Docker
- Docker Setup and run Bash shell script
- Bash coding
- Docker Setup
- Dockerize apps
- Ansible
- Kubernetes Operators
- Threat Modeling
- API Management Microsoft
- Scenarios for load
- Chaos Engineering