CODEWITHSUNDEEP
powershellsecuritycode-signing
Martin Guth
Martin Guth

Reputation: 253

PowerShell Code Sigining: How to do use a self signed certificate with password protection?

I am new to signing code with PowerShell. I successfully created a self-signed certificate and signed code using the following commands

New-SelfSignedCertificate -certstorelocation cert:\LocalMachine\My -dnsname "xyz" -Type CodeSigningCert
$codecert = (Get-ChildItem cert:\LocalMachine\My\DF0E60B359BBADF625DCF4CA52C947F23713487F -CodeSigningCert)[0]
Set-AuthenticodeSignature .\test.ps1 $codecert

That works so far. However, I am a bit surprised that it offers no protection while using the certificate. If I log in with a different user with no administrative privileges I am able to sign code with this certificate as well.

I tried using the parameter -PIN like this:

$pwd = ConvertTo-SecureString -String "meingeheimespasswort"
 New-SelfSignedCertificate -certstorelocation cert:\LocalMachine\My -dnsname "xyz" -Type CodeSigningCert -PIN $pwd
$codecert = (Get-ChildItem cert:\LocalMachine\My\DF0E60B359BBADF625DCF4CA52C947F23713487F -CodeSigningCert)[0]
Set-AuthenticodeSignature .\test.ps1 $codecert

The last command Set-AuthenticodeSignature then returns status "unknown error". It seems that there is no parameter like -password or -pin. Is that by the design and the reason why self-signed-certificates are said to be used only for testing?

For me, it appears to be a security risk if everybody could just use the existing certificate to sign code.

Thanks in advance for your help

Martin

Upvotes: 0

Views: 693

Answers (1)

Adam
Adam

Reputation: 4168

bluuf is spot on.

You're storing the key in the local machine node of the Windows Certificate Repository, and then you're complaining another user on the local machine can access the certificate. This isn't really a Powershell problem. This is a you need to learn where to put your things problem.

Local machine certificate store: This type of certificate store is local to the computer and is global to all users on the computer.

Current user certificate store: This type of certificate store is local to a user account on the computer.

Reference: Local Machine and Current User Certificate Stores

Secure key and certificate storage is an industry unto itself. If you want to sign your code, you'll need to keep your keys and signing cert safe. The following is a good piece from Thawte:

https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf

Upvotes: 1

Related Questions