Windows 10: How to sign Powershell profile w/ self-signed certificate? Solved


  1. Posts : 19
    Windows 10 Pro x64 ( v. 1709)
       1 Week Ago #1

    How to sign Powershell profile w/ self-signed certificate?


    I currently have my execution-policy set to AllSigned. I don't want to change it or bypass that restriction.

    When I created my profile script--or whatever it's called--I wanted to do so in order to set permanent aliases.

    For whatever reason, Microsoft has made it an ever increasingly difficult endeavor just to create permanent aliases.

    The problem now is that it won't run the script because it isn't digitally signed.

    I attempted to make a self-signed certificate to sign the blasted thing but I never got anywhere.

    I've looked at a few guides online but they all assume I'm in a server environment or something (which means the steps keep changing or involve unnecessary steps).

    In the end, I wound up with a code-signing cert and the thing is in my current-user cert store.

    I'm trying to get this to work on my Windows 10 Pro desktop but I haven't a clue as to what I'm actually supposed to be doing.

    Is it even possible to get what I'm asking for?

    P.S. - I have no experience with either Powershell or certificates. The only reason I know what I've mentioned so far is because I spent 2-3 minutes glossing over the help files. My knowledge of PKI has me understanding that you need a private key to sign something, but I can't even get the certificate to validate my own key so it's kind of getting me flustered at this point.


  2. Posts : 13,757
    Windows 10 Pro
       1 Week Ago #2

    See Option Two in this tutorial to allow local scripts to run without signing: Change PowerShell Script Execution Policy in Windows 10 (Windows 10 Tutorials)

    Screenshot from said tutorial:



    Kari


  3. Posts : 19
    Windows 10 Pro x64 ( v. 1709)
    Thread Starter
       1 Week Ago #3

    ?


    That Random Guy said:
    I currently have my execution-policy set to AllSigned. I don't want to change it or bypass that restriction.
    That's what I said.

    Kari said:
    See Option Two in this tutorial to allow local scripts to run without signing:
    And that's what you said.

    Is there any way to run the script without bypassing the execution-policy restriction? I'd rather not change it.


  4. Posts : 13,757
    Windows 10 Pro
       1 Week Ago #4

    That Random Guy said:
    That's what I said.

    And that's what you said.

    Is there any way to run the script without bypassing the execution-policy restriction? I'd rather not change it.
    You seem not to understand what the different execution policies are and do. RemoteSigned is exactly like AllSigned, the only exception being that your own local scripts will not need to be signed.

    It is of course up to you to choose between the easy way, which does what you want, or the more difficult way and try to find a valid method to sign your own scripts.

    You can even keep AllSigned for all other user accounts and only allow your own user account to run your local scripts:

    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

    With -Scope CurrentUser you can set different execution policy for each user, including built-in admin.

    Kari


  5. Posts : 19
    Windows 10 Pro x64 ( v. 1709)
    Thread Starter
       1 Week Ago #5

    @Kari

    I get what the RemoteSigned execution policy does but I want to sign my script and keep the AllSigned restriction.

    Is that even possible? I'd like to think it is, but every tutorial I come across keeps telling me a different story.

    I'll keep trying on my end but I'll eventually have to put up something.


  6. Posts : 2,721
    Windows 10 Pro x64 v1803 Build 17134.1 (Branch: RS4 Release Preview)
       1 Week Ago #6

    That Random Guy said:
    @Kari

    I get what the RemoteSigned execution policy does but I want to sign my script and keep the AllSigned restriction.

    Is that even possible? I'd like to think it does but every tutorial I come across keeps telling me a different story.

    I'll keep trying on my end but I'll eventually have to put up something.
    It is possible! Hold on to your hat...this will take a while to explain...

    ...to be continued...

    STATUS UPDATE: Writing step by step tutorial with pictures and verifying that everything I say works. Will post here once it's done.
    Last edited by slicendice; 1 Week Ago at 15:49.


  7. Posts : 2,721
    Windows 10 Pro x64 v1803 Build 17134.1 (Branch: RS4 Release Preview)
       1 Week Ago #7

    How to self-sign your own PowerShell scripts

    Introduction

    Since security has become more and more of a concern around the globe and more and more people have started to develop all kinds of applications and scripts, this tutorial will explain how you can sign scripts you have developed. It also briefly explains what PowerShell execution policies are and how to change them so that only signed scripts and binaries can be run on your machine.


    A word about PowerShell execution policies

    There are four different execution policy levels, and I will explain them briefly here.

    • Restricted
      Can not run any scripts. Default execution policy. Can run PS commands interactively only.
    • AllSigned
      Can run scripts. All scripts and configuration files must be signed by a publisher that you trust. Opens you to the risk of running signed (but possibly malicious) scripts, after confirming that you trust the publisher.
    • RemoteSigned
      Can run scripts. All scripts and configuration files downloaded from communication applications such as Microsoft Outlook, Internet Explorer and Outlook Express, must be signed by a publisher that you trust. Opens you to the risk of running malicious scripts not downloaded from these applications, without any warning prompts.
    • Unrestricted
      Can run scripts. All scripts and configuration files downloaded from communication applications run after confirming that you understand the file originated from the Internet. No digital signature is required. Opens you to the risk of running unsigned, possibly malicious scripts.



    Getting the necessary tools for creating a self-signed certificate

    You will either need to have Visual Studio installed or manually download the Windows SDK. In order to save space and bandwidth, this section will explain how to get the latest SDK, download the minimal required files and only install one package from that download.

    Steps to take for the download and installation:
    1. Using your web-browser navigate to:
    2. Download the latest SDK installer for Windows (as of writing it is 10.0.16299.91 - Released November 2017)
      [Image: CreateCert001.png]
    3. Execute the installer
    4. Select "Download the Windows Software Development Kit", take note of the path and click Next
      [Image: CreateCert002.png]
    5. On the Privacy page, click No and then Next
      [Image: CreateCert003.png]
    6. On the "Select the features you want to download" page unselect everything, and then only select "Windows SDK for UWP managed apps". 2 other boxes will automatically be selected. Click Download.
      [Image: CreateCert004.png]
    7. Once the download completes, navigate to the "Windows Kits" folder where you just downloaded the installers.
    8. Navigate deeper into the folder structure (\10\WindowsSDK\Installers)
    9. Locate the file "Windows SDK for Windows Store Apps Tools-x86_en-us.msi" and install it. Note, you will not get any prompts when the installer has completed.
      [Image: CreateCert005.png]
    10. Now you should have the required file installed (C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\makecert.exe)
      [Image: CreateCert006.png]



    Creating the Certificate

    Steps to take:
    1. Open up Command Prompt with Elevated privileges.
      [Image: CreateCert007.png]
    2. Create a working directory
      Code:
      md \TEMP
    3. Navigate to the working directory
      Code:
      cd \TEMP
    4. Check path variables and take note of the last character.
      Code:
      set PATH
    5. Create a temporary path to the folder where the required certificate tool (makecert.exe) is located.
      If the last character in your path was a semicolon then enter this code:
      Code:
      set PATH=%PATH%C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
      else enter this code:
      Code:
      set PATH=%PATH%;C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
      [Image: CreateCert008.png]
      You can also make the path stick permanently by using setx instead of set.
    6. Verify that makecert.exe works
      Code:
      makecert /?
      [Image: CreateCert009.png]
    7. Open Microsoft Management Console.
      Code:
      mmc.exe
      [Image: CreateCert010.png]
    8. Click Add/Remove Certificate Snap-in from File-menu
      [Image: CreateCert011.png]
      [Image: CreateCert012.png]
      [Image: CreateCert013.png]
    9. Now your MMC should look like this
      [Image: CreateCert014.png]
    10. Create a Certificate Authority using CMD
      Code:
      makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
    11. Give it a password
      [Image: CreateCert015.png]
    12. Verify your password
      [Image: CreateCert016.png]
    13. Now your MMC looks like this (may have to refresh by using F5-key)
      [Image: CreateCert017.png]
    14. Create Personal Certificate
      Code:
      makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
    15. Enter your password
      [Image: CreateCert018.png]
    16. View of your console after entering the 2 commands
      [Image: CreateCert020.png]
    17. Now your MMC looks like this (may have to refresh by using F5-key)
      [Image: CreateCert019.png]



    Verifying that we can sign PS scripts

    Steps to take:
    1. Open elevated PowerShell ISE
    2. Checking that we can access our certificate
      Code:
      Get-ChildItem cert:\CurrentUser\My -codesign
      [Image: CreateCert021.png]
    3. Changing execution policy to AllSigned
      Code:
      Set-ExecutionPolicy AllSigned
    4. Answer Yes at the prompt
      [Image: CreateCert022.png]
    5. Verifying that everything got set properly
      Code:
      Get-ExecutionPolicy
      [Image: CreateCert023.png]
    6. Navigate to our working folder
      Code:
      cd \TEMP
    7. Next we create a script that we will test, sign and test again
    8. In PSISE select File>New
    9. Enter the following code and press enter
      Code:
      Write-Host "Hello Certified Script"
    10. Save the script as HelloCert.ps1
      [Image: CreateCert024.png]
    11. Test the script (notice you will get an error)
      Code:
      .\HelloCert.ps1
      [Image: CreateCert025.png]
    12. Sign the script
      Code:
      Set-AuthenticodeSignature HelloCert.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
      [Image: CreateCert026.png]
    13. Close the current HelloCert.ps1 you were earlier editing and open the file again (note the difference)
      [Image: CreateCert027.png]
    14. Run the script
      Code:
      .\HelloCert.ps1
      [Image: CreateCert029.png]
    15. Press "Always run" to add the certificate to Trusted Publishers
      [Image: CreateCert028.png]
      [Image: CreateCert030.png]
    16. All should work now as expected and you have maximum security enabled that still allows you to run scripts.


    CONGRATULATIONS! You are now officially a PS-script signing guru!
    Last edited by slicendice; 1 Week Ago at 10:09. Reason: Added deprecation information
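    As an added example (not part of slicendice's tutorial), the same end state reached with only the built-in PKI module, which is the makecert-free route the thread starter originally wanted: it creates a code-signing certificate, trusts it for the current user, signs $PROFILE and verifies the result. The certificate subject, the temporary file path and the two-year lifetime are assumptions; run it in the account whose profile is being signed.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 on
# Windows 10 with the PKI module (New-SelfSignedCertificate etc.) available.
# Subject name, temp path and lifetime are placeholders chosen for this example.
$subject = 'CN=PowerShell Local Code Signing (example)'

# Reuse a matching cert from the user's Personal store, otherwise create one.
# -Type CodeSigningCert sets the 1.3.6.1.5.5.7.3.3 EKU that the makecert
# commands in the tutorial pass with -eku.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq $subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
        -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears(2)
}

# AllSigned needs the signer to chain to a trusted root AND to be listed in
# Trusted Publishers; otherwise you get the "Always run" prompt from step 15.
# Importing into Root shows a Windows confirmation dialog, which is expected.
$public = Join-Path $env:TEMP 'codesign-example.cer'
Export-Certificate -Cert $cert -FilePath $public | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $public -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
}
Remove-Item $public

# Sign the profile (created empty if it does not exist yet). SHA-256 is used
# instead of the SHA-1 that the makecert commands above select with -a sha1.
if (-not (Test-Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force | Out-Null }
Set-AuthenticodeSignature -FilePath $PROFILE -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# Verify: Status must be Valid. Any later edit to the file changes its hash
# and turns this into HashMismatch, so the profile must be re-signed after
# every change.
$check = Get-AuthenticodeSignature -FilePath $PROFILE
'{0}: {1} (signer {2})' -f $PROFILE, $check.Status, $check.SignerCertificate.Subject
if ($check.Status -ne 'Valid') { throw "Profile signature is $($check.Status)" }
```

    Because the certificate is trusted only under CurrentUser, other accounts on the machine keep treating scripts signed with it as untrusted, which matches the per-user scoping Kari described.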

  8.    1 Week Ago #8

    Nice work, SliceNDice! Can't wait for the "next thrilling installment."
    --Ed--


  9. Posts : 2,721
    Windows 10 Pro x64 v1803 Build 17134.1 (Branch: RS4 Release Preview)
       1 Week Ago #9

    EdTittel said:
    Nice work, SliceNDice! Can't wait for the "next thrilling installment."
    --Ed--
    Thanks a lot!


  10. Posts : 19
    Windows 10 Pro x64 ( v. 1709)
    Thread Starter
       1 Week Ago #10

    @slicendice

    Yep, that would do it. Ditto on the work well done--you cooked 'em!

    I initially wanted to avoid using makecert and just use Powershell but all of my other attempts failed, so....

    Thank-you!


    Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

    © Designer Media Ltd
    All times are GMT -5. The time now is 18:07.
    Find Us