Unix users don’t use this. Maybe some java developers do. But no Unix sysadmins. Never.
On Windows, things are getting more secure every release, especially if you pay attention to those details.
In Unix, if I have a script called “getdate” which shows me the date, I can copy it to another machine.
$ cat ./getdate date $ ./getdate Mon Aug 20 13:05:40 CEST 2018
$ scp getdate srv02: $ ssh srv02 ./getdate Mon Aug 20 13:06:18 CEST 2018
Works on other servers.
This is a huge risk because anybody could modify anycode and you’ll never know.
Back to powershell.
On powershell, you can define policies.
Or disable policy because you do not want to sign your code.
> Set-ExecutionPolicy remotesigned
and if you are not admin
> Set-ExecutionPolicy -scope currentuser unrestricted
Until one day you find :
> Get-ExecutionPolicy -Scope MachinePolicy AllSigned
Code signing. You go to your security admin, send him a certification request for code signing, import it in mmc, then sign your code. Your secadmin can show you how to the request with mmc. Or google it. It is not specific to powershell at all. It can be done with openssl as well I suppose.
> gc getdate.ps1 get-date > .\getdate.ps1 .\getdate.ps1 : File C:\temp\getdate.ps1 cannot be loaded. The file C:\temp\getdate.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com At line:1 char:1 + .\getdate.ps1 + ~~~~~~~~~~~~~ + CategoryInfo : SecurityError: (:) , PSSecurityException + FullyQualifiedErrorId : UnauthorizedAccess > Set-AuthenticodeSignature getdate.ps1 (dir Cert:\CurrentUser\My\A232D77888B55318) > gc getdate.ps1 get-date # SIG # Begin signature block # MIITSQYJKoZIhvcNAQcCoIITOjC # 9q4xO/0AczlLX5Zjjn3ByPNrAkkv # 1GTsSZ9LkPUItDIpJZMk8nTzY4nI # DUi0+XirQLiHiSB1hlhN/lVyMlyb # vOdiHnCv9GMTMGsZbSjh/Q4lDIrX # HIpaQH6BcIy8NAnnHw212dhqrJr7 # TqCHE8CYsvBFBs+9ZfD4zhUys1d # SIG # End signature block > .\getdate.ps1 Monday, August 20, 2018 1:22:00 PM > Get-AuthenticodeSignature getdate.ps1 Directory: D:\temp SignerCertificate Status Path ----------------- ------ ----------- A232D77888B55318B Valid getdate.ps1
If now I copy it to another server
I may get an error or a warning (depending on the policy)
> ./getdate.ps1 Do you want to run software from this untrusted publisher? File C:\temp\getdate.ps1 is published by CN=srv01.example.com, OU=Example and is not trusted on your system. Only run scripts from trusted publishers. [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D"): R Montag, 20. August 2018 13:29:43 >
if the code change, you get an Unauthorized access
> gc getdate.ps1 get-date -format U # SIG # Begin signature block # MIITSQYJKoZIhvcNAQcCoIITOjC # 9q4xO/0AczlLX5Zjjn3ByPNrAkkv # 1GTsSZ9LkPUItDIpJZMk8nTzY4nI # DUi0+XirQLiHiSB1hlhN/lVyMlyb # vOdiHnCv9GMTMGsZbSjh/Q4lDIrX # HIpaQH6BcIy8NAnnHw212dhqrJr7 # TqCHE8CYsvBFBs+9ZfD4zhUys1d # SIG # End signature block > ./getdate.ps1 ./getdate.ps1 : File C:\temp\getdate.ps1 cannot be loaded. The contents of file C:\temp\getdate.ps1 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing.. At line:1 char:1 + ./getdate.ps1 + ~~~~~~~~~~~~~ + CategoryInfo : SecurityError: (:) , PSSecurityException + FullyQualifiedErrorId : UnauthorizedAccess >
If you change code, you need to resign
> Set-AuthenticodeSignature getdate.ps1 (dir Cert:\CurrentUser\My\A232D77888B55318BE97E2AD7758EA0F0EA6C75B) > .\getdate.ps1 2018-08-20 13:35:00Z