Code signing question
Mike Leone
Mike. Leone, <mailto:tur...@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...
Michael B. Smith
If your execution policy is remote signed, then signing is only required for remote scripts. That is, ones you run like
Or that are downloaded from the Internet and have not been unblocked.
If you want signing required locally, then set the execution policy to AllSigned.
--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntpowershell...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2Bgk2AGYmcTHwmRaaHZs4TikxRAYMAEcZBY_nrd3f6f5Pw%40mail.gmail.com.
Mike Leone
If your execution policy is remote signed, then signing is only required for remote scripts. That is, ones you run like
Or that are downloaded from the Internet and have not been unblocked.
If you want signing required locally, then set the execution policy to AllSigned.
--
From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Mike Leone
Sent: Thursday, February 17, 2022 9:40 AM
To: NTPowershell Mailing List <ntpowe...@googlegroups.com>
Subject: [ntpowershell] Code signing question
I'm discovering the joys of code signing, but I have a question. We run our own internal CA, so I issued myself a code signing certificate, and am using it to sign my test scripts. And I have my execution policy set to "RemoteSigned". All good, script executes, life goes on happily.
But here's what I don't understand ... if I change the script, save it but do NOT re-sign the newly changed script, it still executes. In other words, the signature seems to still be valid, even though the script itself has changed since I originally signed it.
That really doesn't seem right to me. I mean, what if some bad guy edited my script, removed all my code, inserted his own, and just re-saved. It appears that it would still execute, since it had a signature.
I'm missing something important in this scenario, but I don't know what. Can someone enlighten me? Shouldn't the script fail authentication, if it's been changed since it was signed? Or did I just do something wrong?
Thanks for your help.
--
Mike. Leone, <mailto:tur...@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2Bgk2AGYmcTHwmRaaHZs4TikxRAYMAEcZBY_nrd3f6f5Pw%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/2a74991a15044a9d8e799e3127d6df3b%40smithcons.com.
Mike Leone
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/2a74991a15044a9d8e799e3127d6df3b%40smithcons.com.
Mike Leone
TimeStamperCertificate :
Status : HashMismatch
StatusMessage : The contents of file \\xxx\scripts\Copy-Files-from-OLD-server-to-THIS-server.PS1 might have been
changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital
Path : \\san2\netadmin\software\PHA Scripts\Copy-Files-from-OLD-server-to-THIS-server.PS1
SignatureType : Authenticode
IsOSBinary : False
But, like the senile old coot I am, apparently I somehow inadvertently mis-specified the executionpolicy during testing ...
> get-executionpolicy
Bypass