Wilson Mar bio photo

Wilson Mar

Hello!

Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

I am who I say I am because my CA says so

US (English)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Cyrillic Russian   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

This article describes the use of self-signed code signing certificates on Microsoft Windows operating systems.

Kleopatra UI

See https://www.deepdotweb.com/2015/02/21/pgp-tutorial-for-windows-kleopatra-gpg4win/

Create self-signed cert on Windows

Based on http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

  1. On Windows machines, in directory “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin" invoke the makecert.exe GUI.

  2. Setup a Certificate Authority (CA):

    
    makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
    
    
    
  3. Type in a Password twice for the Subject Key.

  4. Type it in again.

    See the cert under “Trusted root CA”.

  5. Generates a personal certificate from the above certificate authority:

    
    makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer   
    
  6. Type in a password for the Issuer Signature.

    See the cert under Personal.

  7. Invoke mmc.exe, and add the Certificates snap-in for “My user account” to view certificates.

  8. Verify the certificate is known within PowerShell:

    
    Get-ChildItem cert:\CurrentUser\My -codesign   
    
  9. Delete in your working directory temporary files root.pvk and root.cer.

    The certificate info is stored with that of others, in “C:\Documents and Settings[username]\Application Data\Microsoft\SystemCertificates\My".

  10. Sign a script, replacing “c:\foo.ps1” with the full path to your script:

    Set-AuthenticodeSignature c:\foo.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]

  11. Use a text editor to view the script, which now has a signature block that begins with:

    # SIG # Begin signature block"
    

Export for running elsewhere

PROTIP: When sending a script, also send along its Powershell certificates in the Trusted Root Certification Authorities container.
Also send the Trusted Publishers file to prevent the first-time prompt from appearing.

  1. Right-click and select Export for the Certificate Export Wizard GUI.

  2. Leave “DER encoded binary X.509 (.CER)” selected and click Next.

  3. Specify the file name after a full path and click Next.

    PROTIP: It helps if everyone in an organization makes use of a company-standard folder.

  4. Click Finish.

  5. Click OK to the “The export was successful” pop-up.

    Verify a signed script can be used

  6. Set

    Set-ExecutionPolicy AllSigned

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible

  53. MySQL Setup

  54. SonarQube & SonarSource static code scan

  55. API Management Microsoft
  56. API Management Amazon

  57. Scenarios for load
  58. Chaos Engineering