使用自签名证书签署PowerShell脚本(并且不使用makecert.exe)

Question

我正在尝试.ps1使用自签名证书签名(用例是我自己在私人开发站写的脚本,所以不需要使用 - 或支付 - 真正的CA).但是,无论我阅读的证书生成和数字签名主题有多少指南,我似乎无法让它工作.

这是我迄今为止所取得的成就:

# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
    -Subject "CN=PowerShell Trusted Authority" `
    -FriendlyName "PowerShell Trusted Authority" `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -CertStoreLocation Cert:\LocalMachine\My\ `
    -NotAfter (Get-Date).AddYears(10)

# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
    -Signer $root `
    -Subject "CN=PowerShell Code Signing" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -Type CodeSigningCert `
    -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
 Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root

以上所有操作都来自一个管理PowerShell实例.完成此操作后,我可以在管理控制台中的预期位置看到两个证书,并且签名证书的证书路径签出为有效.

然后我打开常规PS提示并尝试签署脚本:

# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert

# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert


    Directory: C:\Users\tomas\Documents\WindowsPowerShell


SignerCertificate          Status                Path
-----------------          ------                ----
                           UnknownError          Microsoft.PowerShell_profile.ps1

如您所见,实际签名失败.查看powershell文件,我发现脚本中没有附加任何签名.

如果我从管理员提示符进行签名,我似乎更进一步; 一个签名块被添加到脚本中,签名证书的指纹打印在输出中Set-AuthenticodeSignature,但状态仍然是,UnknownError并且AllSigned仍然不允许在策略下执行.

# Output some info about the certificate:
PS> $cert | Format-List

Subject      : CN=PowerShell Code Signing
Issuer       : CN=PowerShell Trusted Authority
Thumbprint   : <omitted>
FriendlyName :
NotBefore    : 9/20/2017 10:48:59 PM
NotAfter     : 9/20/2018 11:08:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, 
                System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

我尝试过多种New-SelfSignedCertificate咒语变体,尤其是为代码签名生成证书,但始终使用相同的状态消息(UnknownError).

我的最终目标是能够拥有Set-ExecutionPolicy AllSigned并且仍然运行我自己创建的脚本.在这个过程中我缺少什么才能做到这一点？

Answer 1

考虑到这一点，您不需要证书链信任，因此，您不需要第一个证书。您可以使用第二个证书并将其移动到受信任的根文件夹中，它将起作用。使用第一个证书然后创建另一个证书似乎失败，因为“根”是自签名的，然后无法签署另一个证书。

自签名证书方法

# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root

# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"

# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert

如果您有权访问企业根 CA，则可以使用您在问题中使用的方法。

企业根 CA 方法（与您问题中的方法相同）- 您需要知道您的根 CA 证书指纹

# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX


# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
                -Signer $rootcert `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert