Monday, May 27, 2013

How to right click sign Powershell and other Scripts

I set up a handy script a while back that allows me to right click a script to sign it. I already had the code signing cert worked out. I just needed an easy way to sign things. Once you have the base scripts in place, its easy to sign .ps1, .vbs, .dll, .exe, and RDP files.

Here is my actual Powershell script that does the heavy lifting:

$cert = gci cert:\currentuser\my -CodeSigningCert | ?{$_.thumbprint -eq "DD46064E89886A185F19FCD64483E35A1898925E" }
Set-AuthenticodeSignature $args[0] $cert -TimestampServer ""
Start-Sleep -s 1

Also have one for VBScript:

Set objSigner = WScript.CreateObject("Scripting.Signer")
objSigner.SignFile WScript.Arguments(0), "Kevin Marquette"

I use those with the fallowing registry keys to enable the right click options:

Windows Registry Editor Version 5.00

@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-file\" \"N:\\bin\\SignScript.ps1\" \"%1\""

@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-file\" \"N:\\bin\\SignScript.ps1\" \"%1\""

@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-file\" \"N:\\bin\\SignScript.ps1\" \"%1\""

@="\"c:\\windows\\System32\\CScript.exe\" N:\\bin\\SignScript.vbs \"%1\""

@="rdpsign /sha1 DD46064E89886A185F19FCD64483E35A1898925E \"%1\""

These expect your code signing cert to be added to the local users cert store within Windows. You can run this Powershell command to make sure you have it in the right place:

gci cert:\currentuser\my -CodeSigningCert

No comments: