Code Signing with OpenSSL and PowerShell

One of the major security features of PowerShell is the support for code signing of scripts, so that you can set an execution policy that requires scripts to be signed before they can be run. Of course, it goes a bit further than that. When a script has been signed by a certificate with a root Certificate Authority (CA) that you don’t already “know” or trust it can’t be run at all until you add the root CA to the system’s certificate store.

Even after you trust a specific authority, you haven’t trusted a script author — so any signed script you run will prompt you whether you want to allow it or not, like so:

[19]: .\test-script.ps1

Do you want to run software from this untrusted publisher?
File C:\Users\Joel\Documents\WindowsPowerShell\test-script.ps1 is published by
E=NoUser@HuddledMasses.org, O=Huddled Masses, L=Rochester, S=New York, C=US
and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is “D”):

The important thing to note here is that you’re really being asked not about the script, but about the author. If you choose the Never or Always options, the certificate that was used to sign the script is added to the appropriate certificate store (“Untrusted Certificates” or “Trusted Publishers”, respectively). To be clear: this happens for each every new author certificate, regardless of whether it’s signed by a self-signed cert (where you’ve already installed the root certificate in your root store) or a certificate issued by a commercial CA — there’s no loophole, no matter what anyone may have said in the past.

So, you see … the support for code signing is built into the core of PowerShell — and it’s really a shame not to take advantage of it. There are plenty of articles out there about how to sign your scripts, and more, so I’m not going to get into that much — I want to address the question of how hard it is to create the certificates in the first place (and finish by giving you a sample script which will generate and import them to your dev box with a single line command).

Generating Code Signing Certificates with OpenSSL

I’ve been talking up automatic code-signing for awhile now — basically, I think that any script editor that pretends to be a PowerShell script editor should be able to sign scripts at the push of a button, even every time you save the file. On top of that, I think that (like Microsoft’s Speech Macros app) they should be able to generate a self-signed code-signing script for you.

Someone emailed me the other day to ask how I proposed to do this, since MakeCert).aspx isn’t redistributable, and can’t be counted on to be installed… Well, as an answer I wrote a script which I’ll share here, using the open source OpenSSL for Windows to generate the certificates. It’s a bit more complicated than using MakeCert, but still not a huge thing. Basically, it’s six lines of code — each calling the OpenSSL executable.


# Generate the private root CA key and convert it into a self-signed certificate (crt)
OpenSsl genrsa -out "CA.key" -des3 4096
OpenSsl req -new -x509 -days 3650 -key "CA.key" -out "CA.crt"
# Generate the private code-signing key and a certificate signing request (csr)
OpenSsl genrsa -out "signing.key" -des3 4096
OpenSsl req -new -key "signing.key" -out "signing.csr"
# Use the root CA key to process the CSR and sign the code-signing key in one step...
OpenSsl x509 -req -days 365 -in "signing.csr" -CA "CA.crt" -CAcreateserial -CAkey "CA.key" -out "signing.crt"
# Combine the signed certificate and the private key into a single file
OpenSsl pkcs12 -export -out "signing.pfx" -inkey "signing.key" -in "signing.crt"

There are two problems: first, half of those lines actually cause interactive prompts: asking you for your country and state, and email address, various passwords, etc. On top of that, the default OpenSSL.cnf file distributed with Windows doesn’t really give you a way to create certificates that can code sign, so if you went through all of those steps — you still wouldn’t be able to sign scripts ;-)

My solution to both problems is pretty straight-forward: customize the config file and run the req requests in -batch mode. Normally that would mean creating a custom OpenSSL.cnf config file with the specific values necessary — but in this case, I’ve made a PowerShell script to do it.

New-CodeSigningCert.ps1 can generate both the CA certificate and the code-signing certificate, and you can set it up to prompt you as little as possible, however, the point of this isn’t really to provide a solution, but to provide an example for the developers of editors and IDEs — so it’s still a bit rough, and it doesn’t try to guess your user name, email, and organization information from the environment.

Importing Certificates

Importing certificates into the Windows Certificate Store can be done with the graphical “CertMgr.msc”, but also with any of several command-line tools including WinHttpCertCfg.exe from the Windows Server Resource Kit, and CertMgr.exe from the Windows SDK... which of course, aren’t redistributable. Someone really needs to tell Microsoft to get on the ball with this stuff.

[new] I actually realized recently that you can use System.Security.Cryptography.X509certificates.X509Store to load certificates, rather than the old COM object, which makes this even easier. The most basic step is to just import the new CA.crt certificate into the Root Store.


$lm = new-object System.Security.Cryptography.X509certificates.X509Store "root", "LocalMachine"
$lm.Open("ReadWrite")
$lm.Add( (Get-PfxCertificate "$pwd\CA.crt") )
if($?) {
   Write-Host "Successfully imported root certificate to trusted root store" -fore green
}
$lm.Close()

You no longer need to use the CAPICOM.Store COM object even though it’s basically available everywhere now, and is redistributable


# This is the COM way, if you can't get X509Store to work...
$Store = new-object -COM CAPICOM.Store
# Open the LocalMachine Root store in ReadWrite mode
$Store.Open( 1, "Root", 129 )
# Import the crt file
$Store.Load( "$pwd\CA.crt", $Null, 0)

In either case, after that, you can sign PowerShell scripts using the Get-PfxCertificate cmdlet on the pfx file we generated earlier…


$cert = Get-PfxCertificate "signing.pfx"
Set-AuthenticodeSignature -Cert $cert -File Test-Script.ps1
 

Of course, you could also use the CAPICOM.Store method to import the pfx certificate into the CurrentUser’s “My” store. In either case, if you try to execute a signed script, you can choose always from the prompt and the certificate will be imported to the current user’s “trusted publisher” store. Alternatively, you could import the certificate to the local machine’s “trusted publisher” store using the CAPICOM.Store again and now you won’t receive a prompt at all.

Using New-CodeSigningCert

I’ve attached uploaded the New-CodeSigningCert script to PoshCode.org, which includes all the features mentioned so far. It’s about 111 lines of code, and 41 lines of the config file, plus 69 and 56 lines of comments in each … all wrapped up into a single file so you can hopefully figure it out, learn it, and modify as you see fit.

I had also attached the script packaged with the OpenSSL, [new] but as this post has aged, that seems like not so great an idea, since you really want the newer releases with bug fixes, particularly if you have a 64bit machine … the script needs to be stored in the same folder with OpenSSL.exe, and you can just unpack OpenSSL (there’s no need for an installer), but I just can’t be trusted to keep my local copy here up to date, sorry. :’(

Once you’ve got it installed, and have customized the default parameters in the script, you should be able to easily generate scripts for multiple developers, and/or import those certificates to thousands of computers using PowerShell Remoting ;)


## Because I have hard-coded the company information
## I can use this to generate certs for all my devs (using the same CA root)
$CertsFolder = "\Server\PoshCerts\CodeSigningCerts"

\Server\PoshCerts\New-CodeSigningCert.ps1 $CertsFolder "FirstName Last" User1@Domain.com -CAPassword MyCleverRootPassword -CodeSignPassword SimplePassword
\Server\PoshCerts\New-CodeSigningCert.ps1 $CertsFolder "First LastName" User2@Domain.com -CAPassword MyCleverRootPassword -CodeSignPassword AnotherPassword
\Server\PoshCerts\New-CodeSigningCert.ps1 $CertsFolder "User LastName" User3@Domain.com -CAPassword MyCleverRootPassword -CodeSignPassword LastPassword

## And then I can import the scripts on end-user PCs:
"FirstName Last","First LastName","User LastName" | % {
   \Server\PoshCerts\New-CodeSigningCert.ps1 $CertsFolder -import
}

Similar Posts: