1
00:00:00,140 --> 00:00:02,730
So let's talk about understanding script signing.

2
00:00:02,730 --> 00:00:06,090
Now that we've kind of got our head around the bits that we need to do,

3
00:00:06,090 --> 00:00:08,960
so we open the editor, we start to write some code,

4
00:00:08,960 --> 00:00:10,190
and we comment everything,

5
00:00:10,190 --> 00:00:14,240
but let's say we're going to issue this to somebody else,

6
00:00:14,240 --> 00:00:16,140
then we need to look at signing.

7
00:00:16,140 --> 00:00:19,840
So why would you digitally sign a PowerShell script?

8
00:00:19,840 --> 00:00:23,310
Well, first off, this allows you to separate custom developed,

9
00:00:23,310 --> 00:00:26,640
tested, and personal scripts.

10
00:00:26,640 --> 00:00:29,510
It also means that your scripts are not malicious, and

11
00:00:29,510 --> 00:00:31,210
we'll touch on that in a second.

12
00:00:31,210 --> 00:00:33,570
It's not 100% true.

13
00:00:33,570 --> 00:00:38,750
It can also validate what the script is doing versus its intended purpose.

14
00:00:38,750 --> 00:00:43,760
So the reason for signing them is so that somebody can look at it and say,

15
00:00:43,760 --> 00:00:43,930
well,

16
00:00:43,930 --> 00:00:47,070
it's been signed with a signature, so someone took a little bit of

17
00:00:47,070 --> 00:00:49,940
an extra step to make sure that that was okay.

18
00:00:49,940 --> 00:00:53,520
It doesn't necessarily guarantee that the script is not malicious,

19
00:00:53,520 --> 00:00:56,290
and it doesn't necessarily guarantee that the script

20
00:00:56,290 --> 00:00:58,140
is doing something it shouldn't be.

21
00:00:58,140 --> 00:01:02,640
But normally, for a digitally signed PowerShell script,

22
00:01:02,640 --> 00:01:04,280
it's been checked and validated,

23
00:01:04,280 --> 00:01:09,180
so they're a lot more trusted. So let's understand this a little bit more.

24
00:01:09,180 --> 00:01:09,990
To do this,

25
00:01:09,990 --> 00:01:13,760
you first must sign a script with a code signing

26
00:01:13,760 --> 00:01:16,010
certificate. So not just any certificate.

27
00:01:16,010 --> 00:01:18,840
It has to be a code signing certificate.

28
00:01:18,840 --> 00:01:21,690
There are two types of certificates that are suitable for this.

29
00:01:21,690 --> 00:01:26,940
One is a public certificate, which you would go and purchase from a vendor,

30
00:01:26,940 --> 00:01:31,950
and then one is a self-signed one that you would either create locally or you would

31
00:01:31,950 --> 00:01:35,840
issue from a certificate authority within the organization.

32
00:01:35,840 --> 00:01:39,040
And you can use self-signed certificates to sign

33
00:01:39,040 --> 00:01:42,040
scripts that you write for yourself.

34
00:01:42,040 --> 00:01:42,630
Obviously,

35
00:01:42,630 --> 00:01:46,520
using a self-signed one is a little bit harder to distribute to other people

36
00:01:46,520 --> 00:01:50,440
because they would have to trust that self-signed certificate.

37
00:01:50,440 --> 00:01:54,510
So two different certificate types. With the public one, you

38
00:01:54,510 --> 00:01:59,410
can share the script with other computers, as they normally trust the

39
00:01:59,410 --> 00:02:02,640
certificate authorities by default, because it will come from a

40
00:02:02,640 --> 00:02:07,750
public one of those. Of course, local ones are self-signed,

41
00:02:07,750 --> 00:02:14,370
and it won't execute on other computers unless they trust that self-signed

42
00:02:14,370 --> 00:02:17,910
certificate too, which is a bit more complicated if you're building a script

43
00:02:17,910 --> 00:02:20,400
that you want to distribute to the world, and you say,

44
00:02:20,400 --> 00:02:22,500
hey, just use my certificate.

45
00:02:22,500 --> 00:02:24,740
You can trust me.

46
00:02:24,740 --> 00:02:27,440
So how do we create a self‑signed certificate?

47
00:02:27,440 --> 00:02:30,360
Well, first off, I've got the PowerShell script,

48
00:02:30,360 --> 00:02:32,970
so C:\Documents\Code\Script.ps1.

49
00:02:32,970 --> 00:02:34,840
I've spent all the time building it.

50
00:02:34,840 --> 00:02:37,720
I can actually use a PowerShell command to do this. So I can

51
00:02:37,720 --> 00:02:41,750
say New-SelfSignedCertificate, give it a DNS name, where the

52
00:02:41,750 --> 00:02:43,230
certificate store location is,

53
00:02:43,230 --> 00:02:46,440
which is going to be your personal, so CurrentUser\My, the

54
00:02:46,440 --> 00:02:51,280
type, which needs to be CodeSigningCert, and then the subject

55
00:02:51,280 --> 00:02:53,640
we wish to assign to that one.

56
00:02:53,640 --> 00:02:58,290
I can then retrieve that code signing certificate by simply going

57
00:02:58,290 --> 00:03:02,840
Get-ChildItem in that location, and get me the CodeSigningCert.

58
00:03:02,840 --> 00:03:05,930
Now, of course I'm doing it this way, and it's going to get the first one.

59
00:03:05,930 --> 00:03:08,770
Hopefully, the first one is the one that you created.

60
00:03:08,770 --> 00:03:13,090
But if you have multiple, you might need to change the indexer. Then,

61
00:03:13,090 --> 00:03:13,460
of course,

62
00:03:13,460 --> 00:03:17,180
you set the code signing certificate for the PowerShell script, and you can use

63
00:03:17,180 --> 00:03:22,600
a PowerShell command for this too. You can say Set-AuthenticodeSignature, the

64
00:03:22,600 --> 00:03:27,040
script path, and the certificate that you've created.

65
00:03:27,040 --> 00:03:27,690
And then, of course,

66
00:03:27,690 --> 00:03:29,750
you can validate that by saying

67
00:03:29,750 --> 00:03:37,000
Get-AuthenticodeSignature for the script and just format it to a table so I can see what that looks like.

