
Automatically sign powershell script using Get-PfxCertificate

Developer https://www.devze.com 2022-12-20 20:39 Source: web
I have to sign remote scripts with a certificate from the remote machine from which I have a .pfx file.


I would like to automate the scripting by supplying the password to the Get-PfxCertificate programmatically.

So the question is:

Is it possible to somehow supply programmatically the required password to Get-PfxCertificate?


$CertPath = "my.pfx"
$CertPass = "mypw"            # plaintext password: anyone who can read this script can read it
$OutputFilename = "script.ps1" # path of the script to sign
# The X509Certificate2 constructor accepts the PFX password directly, so no prompt is needed
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
Set-AuthenticodeSignature -Certificate $Cert -TimeStampServer http://timestamp.verisign.com/scripts/timstamp.dll -FilePath $OutputFilename

Make sure you have the proper permissions otherwise you won't be able to create an instance of the X509Certificate2 object.


I did a bit of checking around on this and couldn't find a clean way to provide the password programmatically. I suspect it is meant to be this way for security reasons. Either that or the PowerShell development team just blew it by not including a Credential parameter for this cmdlet. The only other option I can think of is to use something like SendKeys to send the individual password character key presses to the PowerShell console at the right time via a background job (blech - just threw up in my mouth a little). :-)


Another way of doing this is by loading your certificate directly from your certificate store using PS Providers. Use Get-PSProvider to determine the available PSProviders on your machine. Once you have the cert provider loaded, you can get the certificate using Get-ChildItem.

Launch certmgr.msc from Run to open the certificate store.
Assuming that your certificate is stored under the Personal folder in your cert store,
has "Company Name" set in the Subject property of the certificate, and is the only certificate in that folder with "Company Name" in the subject, you can get the certificate like so:

$my_cert = Get-ChildItem cert:\CurrentUser\My | ? {$_.Subject -match "Company Name"}

$my_cert will be your certificate object, which you can pass directly to the Set-AuthenticodeSignature cmdlet:

Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl"

After signing, you can retrieve the signing status by checking whether the Status property is "Valid", like so:

# Keep the whole Signature object; piping to Select Status would wrap the value in a new object,
# and comparing that object to the string "Valid" is always false
$result = Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl"
if ($result.Status -ne "Valid") {
    Write-Output "Error Signing file: Status: $($result.Status)"
}
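Putting the two answers together, here is an added example (not code from any of the answers above) that loads the PFX with a SecureString password instead of a plaintext literal, refuses to sign with a certificate that lacks a private key or the Code Signing EKU, signs with SHA-256 and a timestamp, and then re-verifies the file. The paths .\my.pfx and .\deploy.ps1, the PFX_PASSWORD environment variable and the timestamp server URL are assumptions to replace with your own.

```powershell
# Added example, not from the original answers. Assumed: .\my.pfx, .\deploy.ps1,
# an optional PFX_PASSWORD environment variable, and a placeholder timestamp server URL.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-CodeSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Same constructor as the first answer, but the SecureString overload, so the
    # password never has to sit in the script as a plain string literal.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $PfxPath).Path, $Password)

    if (-not $cert.HasPrivateKey) { throw "PFX contains no private key: $PfxPath" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    # Refuse to sign with anything not marked for Code Signing (EKU OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')
    if (-not $isCodeSigning) { throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU" }
    return $cert
}

function Invoke-ScriptSigning {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$TimestampServer = 'http://timestamp.example/placeholder'   # replace with your TSA
    )
    $sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $Certificate `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing $ScriptPath failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    # Re-read the file and verify the signature independently of the signing call.
    $check = Get-AuthenticodeSignature -FilePath $ScriptPath
    return ($check.Status -eq 'Valid' -and $check.SignerCertificate.Thumbprint -eq $Certificate.Thumbprint)
}

# Take the password from the environment (as a CI secret store would inject it) or prompt;
# either way it only ever exists as a SecureString inside this session.
$pfxPassword = if ($env:PFX_PASSWORD) { ConvertTo-SecureString $env:PFX_PASSWORD -AsPlainText -Force } `
               else { Read-Host -Prompt 'PFX password' -AsSecureString }
$cert = Get-CodeSigningCertificate -PfxPath '.\my.pfx' -Password $pfxPassword
Invoke-ScriptSigning -ScriptPath '.\deploy.ps1' -Certificate $cert
```

Invoke-ScriptSigning returns $true only when the file verifies as Valid and the signer thumbprint matches the certificate you loaded, so a $false result is the cue to investigate before shipping the script.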
