EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Powershell script signing

#25921
Posted: 08/02/2013 07:52:45
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

Is there a way to perform Authenticode signing on PowerShell scripts using SBB?

I'm running into some trouble with scripts being deployed inside our server infrastructure and one way to work around it would be for the scripts to be signed. Since these are auto-generated scripts, it's impractical to just manually sign them. I'd like to add that functionality to my system but cannot find any reference in MSDN about how the scripts are exactly signed (only the not-so-stellar instructions on how to sign them, missing half the important details for that part as well).

Does anyone have more experience on that subject?
#25922
Posted: 08/02/2013 08:17:19
by Ken Ivanov (EldoS Corp.)

Hello Stephane,

According to screen shots published with various blogs on the Powershell script signing topic, the signature blob is a PKCS#7 structure similar to those used in standard (binary) Authenticode signatures. As SBB is capable of creating PKCS#7 signatures, the main question here is how exactly to calculate the hash over the script, and I am afraid we can't go any further without seeing an algorithm specification (text data is normally canonicalized before hashing, and there are hundreds of ways of doing that canonicalization).
#25923
Posted: 08/02/2013 08:21:56
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello Ken,

Thanks for your answer, that's pretty much what I thought: I hoped someone had looked into this before but it looks like I won't be so lucky.

I have already tried to create a PKCS#7 signature using MessageSigner on the text (as binary), convert it to base64, add the various decorations to the signature and append that to the end of the file: no luck (and no meaningful error message either).

Well, if anyone has some more information about this, I'm interested.


Thanks again,
Regards,
Stephane
#25924
Posted: 08/02/2013 08:34:48
by Ken Ivanov (EldoS Corp.)

Stephane,

And do you have a sample [correctly] signed script by hand? We could have a quick look at it to confirm or reject if it's PKCS#7-compatible.
#25925
Posted: 08/02/2013 09:32:03
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks Ken,

No, I don't have any sample right now: I can't even get PowerShell to sign a simple script right now.

I'll give you a sample as soon as I have one, though.
#25928
Posted: 08/02/2013 11:11:00
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

There: a script with a valid code signature:

Code
$yourName=Read-Host "What is your name?"

Write-Host "Hello $yourName"
# SIG # Begin signature block
# MIIQvQYJKoZIhvcNAQcCoIIQrjCCEKoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUuxCay86GObV3j54ha5+bP1QK
# loaggg3yMIIGcDCCBFigAwIBAgIBJDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQG
# EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
# Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
# dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjIwMTQ2WhcNMTcxMDI0MjIw
# MTQ2WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
# BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
# BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgT2JqZWN0
# IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyiOLIjUemqAbPJ1J
# 0D8MlzgWKbr4fYlbRVjvhHDtfhFN6RQxq0PjTQxRgWzwFQNKJCdU5ftKoM5N4YSj
# Id6ZNavcSa6/McVnhDAQm+8H3HWoD030NVOxbjgD/Ih3HaV3/z9159nnvyxQEckR
# ZfpJB2Kfk6aHqW3JnSvRe+XVZSufDVCe/vtxGSEwKCaNrsLc9pboUoYIC3oyzWoU
# TZ65+c0H4paR8c8eK/mC914mBo6N0dQ512/bkSdaeY9YaQpGtW/h/W/FkbQRT3sC
# pttLVlIjnkuY4r9+zvqhToPjxcfDYEf+XD8VGkAqle8Aa8hQ+M1qGdQjAye8OzbV
# uUOw7wIDAQABo4IB6TCCAeUwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
# AQYwHQYDVR0OBBYEFNBOD0CZbLhLGW87KLjg44gHNKq3MB8GA1UdIwQYMBaAFE4L
# 7xqkQFulF2mHMMo0aEPQQa7yMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYh
# aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6Al
# oCOGIWh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0
# cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysG
# AQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29t
# L3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29t
# L2ludGVybWVkaWF0ZS5wZGYwEQYJYIZIAYb4QgEBBAQDAgABMFAGCWCGSAGG+EIB
# DQRDFkFTdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIE9iamVj
# dCBTaWduaW5nIENlcnRpZmljYXRlczANBgkqhkiG9w0BAQUFAAOCAgEAcnMLA3Va
# N4OIE9l4QT5OEtZy5PByBit3oHiqQpgVEQo7DHRsjXD5H/IyTivpMikaaeRxIv95
# baRd4hoUcMwDj4JIjC3WA9FoNFV31SMljEZa66G8RQECdMSSufgfDYu1XQ+cUKxh
# D3EtLGGcFGjjML7EQv2Iol741rEsycXwIXcryxeiMbU2TPi7X3elbwQMc4JFlJ4B
# y9FhBzuZB1DV2sN2irGVbC3G/1+S2doPDjL1CaElwRa/T0qkq2vvPxUgryAoCppU
# FKViw5yoGYC+z1GaesWWiP1eFKAL0wI7IgSvLzU3y1Vp7vsYaxOVBqZtebFTWRHt
# XjCsFrrQBngt0d33QbQRI5mwgzEp7XJ9xu5d6RVWM4TPRUsd+DDZpBHm9mszvi9g
# VFb2ZG7qRRXCSqys4+u/NLBPbXi/m/lU00cODQTlC/euwjk9HQtRrXQ/zqsBJS6U
# J+eLGw1qOfj+HVBl/ZQpfoLk7IoWlRQvRL1s7oirEaqPZUIWY/grXq9r6jDKAp3L
# ZdKQpPOnnogtqlU4f7/kLjEJhrrc98mrOWmVMK/BuFRAfQ5oDUMnVmCzAzLMjKfG
# cVW/iMew41yfhgKbwpfzm3LBr1Zv+pEBgcgW6onRLSAn3XHM0eNtz+AkxH6rRf6B
# 2mYhLEEGLapH8R1AMAo4BbVFOZR5kXcMCwowggd6MIIGYqADAgECAgIGPzANBgkq
# hkiG9w0BAQUFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0
# ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcx
# ODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUg
# T2JqZWN0IENBMB4XDTEyMDUyMjEwNDE0NFoXDTE0MDUyMzE2MTYxN1owgdExGTAX
# BgNVBA0TEGExbXhTdUtXSzBkaUh2a1MxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIEwZH
# ZW5ldmExEDAOBgNVBAcTB0FjYWNpYXMxMTAvBgNVBAoTKEdJVCBHZXN0aW9uIGV0
# IEluZm9ybWF0aXF1ZSBwb3VyIFRvdXMgU0ExMTAvBgNVBAMTKEdJVCBHZXN0aW9u
# IGV0IEluZm9ybWF0aXF1ZSBwb3VyIFRvdXMgU0ExHjAcBgkqhkiG9w0BCQEWD2Nv
# ZGVzaWduQGdpdC5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKyz
# ZOnI7ZUbYkIpUz9zppUSaSvChGE748yoHrpmi5F22g04NNIZySInGT0jFdwA/MmF
# hPbZ1eKw7Io2jsLK/QQf17Dpjq6NAQ1rxBRN2ckjyDjdX+fMKncZmGrcE9rwtvWD
# rz5ZVCFnM8FrD5bWjDmqGpwaTurE/0spJETKNwUu39XkbckTXGclNZCAPBZrl/LL
# dMuKN6fUql2OgzO+3XSD17MJNEC+GxdcPnhrkjYdVBNXJv5dEOqxfUJE5Fl3RGuR
# LkOaVBNewIfOALEnvX9/j6JLBBrY/hiffVfWFiTRUnYS62ngdBzN3zuXJsNc1u9p
# bTiUu+O9P9RY+HT8ELMCAwEAAaOCA50wggOZMAkGA1UdEwQCMAAwDgYDVR0PAQH/
# BAQDAgeAMC4GA1UdJQEB/wQkMCIGCCsGAQUFBwMDBgorBgEEAYI3AgEWBgorBgEE
# AYI3CgMNMB0GA1UdDgQWBBS8mmAneDstrtR5iH7A0BCRwtkb0DAfBgNVHSMEGDAW
# gBTQTg9AmWy4SxlvOyi44OOIBzSqtzCCAiEGA1UdIASCAhgwggIUMIICEAYLKwYB
# BAGBtTcBAgIwggH/MC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNv
# bS9wb2xpY3kucGRmMDQGCCsGAQUFBwIBFihodHRwOi8vd3d3LnN0YXJ0c3NsLmNv
# bS9pbnRlcm1lZGlhdGUucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBD
# ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3
# YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMiBWYWxpZGF0aW9uIHJl
# cXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5jZSBv
# bmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9mIHRo
# ZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjCBnAYIKwYBBQUHAgIwgY8wJxYg
# U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBAhpkTGlhYmlsaXR5
# IGFuZCB3YXJyYW50aWVzIGFyZSBsaW1pdGVkISBTZWUgc2VjdGlvbiAiTGVnYWwg
# YW5kIExpbWl0YXRpb25zIiBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LjA2BgNV
# HR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnRjMi1jcmwu
# Y3JsMIGJBggrBgEFBQcBAQR9MHswNwYIKwYBBQUHMAGGK2h0dHA6Ly9vY3NwLnN0
# YXJ0c3NsLmNvbS9zdWIvY2xhc3MyL2NvZGUvY2EwQAYIKwYBBQUHMAKGNGh0dHA6
# Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY29kZS5jYS5jcnQw
# IwYDVR0SBBwwGoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEB
# BQUAA4IBAQBrYR704AUcr9peZRF9VFZu9JSHYfFBOamUkMUIWLfB3SU76jJfDxsB
# LJA69wx0b9EtUOVtdmga40Avya46WAxH8LOS1wbhd2k+1loYtCUdJ7AAcp714d/a
# 9QXlfUXzuYEYwjmDll/jzunnF1XnulsNJlRhqTvLvuYgTPhjYzAbKtZuUkE5TQG2
# 82Vu2ccRsDjXBIGDFI9BJgZN9TcqzFS4Wv19q/rCL4j+8jBSQcp9IfDZCh2TKJFW
# +PWxRPy0zEoJEmEeq8JrG9sOYOMHxu4oO35T0N7v4PGeaYfyTM0lublIYTYrsxn4
# td+CiJRgF9Fx+QhtAayNKkqUvGTG6iWbMYICNTCCAjECAQEwgZMwgYwxCzAJBgNV
# BAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUg
# RGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBD
# bGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIE9iamVjdCBDQQICBj8wCQYFKw4D
# AhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwG
# CisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARYwIwYJKoZI
# hvcNAQkEMRYEFMmJE6cwGz+kyO1GaGpUBW1rvtoRMA0GCSqGSIb3DQEBAQUABIIB
# AF85OO8OmIuou8DLGymYkVn4lnAbhVjXnzezTkIdw4lvRPit+/JBi7DtdLlPjtXd
# h4TX/edpEN/SwdX2bjGTc96AYZqtvEDo9QJgnMI00tHlXptyqBHPv+Y338nCi+Zq
# nu4QgXTKvKdXtqEUCLYbY2TO+zJ+sulNXnt1k0QGNnl0DkkP9ewzepZ7+HJCGewI
# Hb+PvtUCH+IUyXcgBGX/3tm/nRp3/kdqmV+O+7zFHIZZ4GZ1/M5fQibtEHaCXUCf
# QVZZnfyq9LPr5yqX4yK6uQqN9JbDz7t2Jmvh1eWbInS1lByt11lo12lx/e5sG96Q
# SIoXL4tFVg7tVAEvJ9Er1fQ=
# SIG # End signature block
#36921
Posted: 06/08/2016 07:18:44
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

I'm bumping that old topic of mine because it never received an answer and I'm in need of signing PS scripts again.

Regards,
Stephane
#36931
Posted: 06/08/2016 10:33:22
by Eugene Mayevski (EldoS Corp.)

What kind of answer would you like to get? The sample you've posted is quite trivial and you should be able to deal with it in a very simple way using TElMessageSigner and TElMessageVerifier classes. The signature block is base64-encoded, wrapped with the signature lines and placed at the end of the script. That's the thing you can handle in your code easily.


Sincerely yours
Eugene Mayevski
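
The layout described above, as an added example that is not part of the original thread and not SecureBlackbox code: it splits a signed script at the signature lines, base64-decodes the block, and reads the two content-type OIDs, which distinguishes an Authenticode blob (signedData wrapping SpcIndirectDataContent) from a plain PKCS#7 signature over the script text. The function names and the 47-byte sample are constructed for illustration.

```python
import base64

BEGIN, END = "# SIG # Begin signature block", "# SIG # End signature block"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"    # PKCS#7 signedData
OID_SPC_INDIRECT = "1.3.6.1.4.1.311.2.1.4"  # Authenticode SpcIndirectDataContent

def split_signed_script(text):
    """Return (script_body, signature_der); signature_der is None if unsigned."""
    lines = text.splitlines()
    if BEGIN not in lines or END not in lines:
        return text, None
    start, end = lines.index(BEGIN), lines.index(END)
    b64 = "".join(line[2:] for line in lines[start + 1:end])  # drop "# " prefix
    return "\n".join(lines[:start]), base64.b64decode(b64, validate=True)

def read_tlv(buf, pos):  # returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def content_types(der):
    """Return (outer contentType, signed inner contentType) as dotted OIDs."""
    _, p, _ = read_tlv(der, 0)      # ContentInfo SEQUENCE
    _, s, e = read_tlv(der, p)      # contentType OID
    _, p, _ = read_tlv(der, e)      # [0] EXPLICIT wrapper
    _, p, _ = read_tlv(der, p)      # SignedData SEQUENCE
    _, _, p = read_tlv(der, p)      # version INTEGER, skipped
    _, _, p = read_tlv(der, p)      # digestAlgorithms SET, skipped
    _, p, _ = read_tlv(der, p)      # inner ContentInfo SEQUENCE
    _, s2, e2 = read_tlv(der, p)    # inner contentType OID
    return decode_oid(der[s:e]), decode_oid(der[s2:e2])

# Constructed sample: a 47-byte SignedData skeleton (no certificates or signers).
SAMPLE_DER = bytes.fromhex("302d06092a864886f70d010702a020301e020101310b3009"
                           "06052b0e03021a0500300c060a2b060104018237020104")
SAMPLE = "\r\n".join(['Write-Host "Hello"', BEGIN,
                      "# " + base64.b64encode(SAMPLE_DER).decode(), END, ""])
```

A detached or enveloping PKCS#7 signature made directly over the script bytes would report `1.2.840.113549.1.7.1` (data) as the inner type instead.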