我正在尝试使用自签名证书签署
.ps1这是我迄今为止所取得的成就:
# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
以上所有操作都是通过管理 powershell 实例完成的。完成后,我可以在管理控制台的预期位置看到两个证书,并且签名证书的证书路径检查为有效。
然后我打开常规 PS 提示并尝试签署脚本:
# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
如您所见,实际签名失败。查看 powershell 文件,我发现脚本中没有附加任何签名。
如果我根据管理员提示进行签名,我似乎会更进一步;脚本中添加了签名块,签名证书的指纹打印在
Set-AuthenticodeSignatureUnknownErrorAllSigned# Output some info about the certificate:
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
我尝试了多种
New-SelfSignedCertificateUnknownError我的最终目标是能够拥有
Set-ExecutionPolicy AllSigned考虑到这一点,您不需要证书链信任,因此,您不需要第一个证书。您可以使用第二个证书并将其移动到受信任的根文件夹中,它将起作用。使用第一个证书然后创建另一个证书似乎失败,因为“根”是自签名的,然后无法签署另一个证书。
自签名证书方法
# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert
如果您有权访问企业根 CA,则可以使用您在问题中使用的方法。
企业根 CA 方法(与您问题中的方法相同)-您需要知道您的根 CA 证书指纹
# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX
# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
-Signer $rootcert `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "Code Signing"
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
Set-AuthenticodeSignature -FilePath c:\go.ps1 -Certificate $cert
来源 https://blogs.u2u.be/u2u/post/creating-a-self-signed-code-signing-certificate-from-powershell
我从字面上尝试了第一个答案;前 3 个命令有效,但最后一个命令导致以下错误: Set-AuthenticodeSignature:无法绑定参数“证书”。无法将值“Cert:\LocalMachine\Root B23597B139C09A75DE9BA4F9DA5A4691EDB338B”转换为类型“System.Security.Cryptography.X509Certificates.X509Certificate2”。错误:“Die Syntax für den Dateinamen,Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch。” (请注意,.ps1 路径中的“”之间根本没有错误) 当我添加标志 -filepath 和 -Certificate 时,发生了同样的错误 因此,自签名似乎仅适用于管理员本人。允许其他用户运行 adm 的自签名 .ps1 的唯一解决方案似乎是将 ExecutionPolicy 设置为无限制......