Discussion
It is possible to benefit from the tamper-protection features of signed scripts without having to pay for an official code-signing certificate. You do this by creating a self-signed certificate. Scripts signed with a self-signed certificate will not be recognized as valid on other computers, but the certificate still lets you sign scripts on your own computer.
When Example 16-1 runs, it prompts you for a password. Windows uses this password to prevent malicious programs from automatically signing files on your behalf.
Example 16-1. New-SelfSignedCertificate.ps1
##############################################################################
##
## New-SelfSignedCertificate.ps1
##
## Generate a new self-signed certificate. The certificate generated by these
## commands allows you to sign scripts on your own computer for protection
## from tampering. Files signed with this signature are not valid on other
## computers.
##
## ie:
##
##  PS >New-SelfSignedCertificate.ps1
##
##############################################################################

if(-not (Get-Command makecert.exe -ErrorAction SilentlyContinue))
{
    $errorMessage = "Could not find makecert.exe. " +
        "This tool is available as part of Visual Studio, or the Windows SDK."

    Write-Error $errorMessage
    return
}

## The private key of the local root lives only in a temporary file
$keyPath = Join-Path ([IO.Path]::GetTempPath()) "root.pvk"

## Generate the local certification authority (writing to the LocalMachine
## Root store requires an elevated prompt; makecert prompts for the key password)
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
    -eku 1.3.6.1.5.5.7.3.3 -r -sv $keyPath root.cer `
    -ss Root -sr localMachine

## Use the local certification authority to generate a self-signed
## certificate (the EKU 1.3.6.1.5.5.7.3.3 marks it for code signing)
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
    -eku 1.3.6.1.5.5.7.3.3 -iv $keyPath -ic root.cer

## Remove the private key from the filesystem.
Remove-Item $keyPath

## Retrieve the certificate
Get-ChildItem cert:\currentuser\my -codesign |
    Where-Object { $_.Subject -match "PowerShell User" }
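The following is an added example, not part of the book's recipe, that reaches the same result with the PKI module's built-in New-SelfSignedCertificate cmdlet (Windows 8.1 / Server 2012 R2 and later) instead of makecert, then signs a script and shows what the tamper protection actually buys you: any edit to the file after signing changes the Authenticode status. The subject name, working directory and sample script are constructed for the demonstration.

```powershell
# Added example (not from the book): self-signed code-signing certificate via
# New-SelfSignedCertificate, sign a script, then detect post-signing edits.
# Subject name, directory and sample script content are constructed here.

$subject = "CN=PowerShell User (self-signed demo)"   # constructed subject
$workDir = Join-Path ([IO.Path]::GetTempPath()) "selfsigned-demo"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

## 1. Create the certificate in the current user's personal store.
##    -Type CodeSigningCert requests the same code-signing EKU
##    (1.3.6.1.5.5.7.3.3) that the makecert commands above ask for.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

## 2. Trust it on this machine only. A self-signed certificate chains to
##    itself, so signature verification cannot succeed until the certificate
##    is present in the Root and TrustedPublisher stores of this user.
##    Importing into CurrentUser\Root shows an interactive confirmation dialog.
$cerPath = Join-Path $workDir "selfsigned.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

## 3. Write and sign a constructed sample script.
$scriptPath = Join-Path $workDir "hello.ps1"
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 | Out-Null
$statusAfterSigning = (Get-AuthenticodeSignature -FilePath $scriptPath).Status
"Status after signing: $statusAfterSigning"

## 4. Simulate tampering: prepend a line to the signed script body.
##    The signature block at the end of the file is left untouched, but the
##    hash it covers no longer matches the content.
$original = Get-Content -Path $scriptPath -Raw
Set-Content -Path $scriptPath -Value ('Write-Output "inserted after signing"' + "`r`n" + $original)
$statusAfterEdit = (Get-AuthenticodeSignature -FilePath $scriptPath).Status
"Status after editing: $statusAfterEdit"

## 5. The check a loader or deployment step should make before execution:
##    anything other than Valid (NotSigned, HashMismatch, UnknownError) means
##    the file is not the one that was signed, or the signer is not trusted.
if ($statusAfterEdit -ne 'Valid') {
    Write-Warning "Refusing to run ${scriptPath}: signature status is $statusAfterEdit"
}
```

Get-AuthenticodeSignature reports Valid only when both the hash and the trust chain check out, so on a different computer, where the certificate is in neither Root nor TrustedPublisher, the same untampered file verifies as UnknownError rather than Valid. That is the limitation the text describes: a self-signed certificate protects scripts against modification on your own machine, not against substitution elsewhere. The SHA256 hash algorithm is used here in place of the book's sha1 because SHA-1 Authenticode signatures are no longer accepted by current Windows policy.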