Templates/ScriptSigner.ps1
|
<#
.Synopsis Sign scripts .DESCRIPTION Sign target script(s) using existing certificate. If existing certificate is missing a new is generated. .PARAMETER Path Target path for file to sign or folder name to sign all ps1 files. .PARAMETER Recurse If Path is a folder the signijng will be done recursive .Notes Author: Jack Olsson Changes: 2018-07-11 First draft #> [CmdletBinding(SupportsShouldProcess = $True)] param ( [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName=$true)] [string]$Path, [switch]$Recurse ) #region Init $scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` [Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!" Break } #endregion #region local functions function New-CodeSigningCert { <# .SYNOPSIS Get a certificate! .DESCRIPTION #> [CmdletBinding()] param() Write-Verbose "Create a certificate to use for signing powershell scripts" $selfsigncert = New-SelfSignedCertificate ` -Subject "CN=PowerShell Code Signing" ` -FriendlyName "Local self-signed code signing certificate" ` -KeyAlgorithm RSA ` -KeyLength 2048 ` -Type CodeSigningCert ` -CertStoreLocation Cert:\LocalMachine\My\ Write-Verbose "Move the root cert into Trusted Root CAs" Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root Write-Verbose "Obtain a reference to the code signing cert in Trusted Root" $cert = (Get-ChildItem -Path "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)") $cert } #end region Write-Output "Start Execution" Write-Verbose "Enumerate Cert:\LocalMachine\Root" Get-ChildItem -Path Cert:\LocalMachine\Root -CodeSigningCert | ForEach { if ($_.Verify()) { Write-Verbose "Found existing certificate Cert:\LocalMachine\Root\$($_.Thumbprint)" $cert = $_ } } if ($cert -eq $null) { Write-Verbose "No valid certificate found. Generating a new one." if ($pscmdlet.ShouldProcess("N/A", "New-CodeSigningCert")) { $cert = New-CodeSigningCert Write-Verbose "Copy cert into Trusted publishers" Export-Certificate -Cert $cert -FilePath ".\$($selfsigncert.Thumbprint).cer" Import-Certificate -FilePath ".\$($selfsigncert.Thumbprint).cer" -CertStoreLocation Cert:\LocalMachine\TrustedPublisher Remove-Item -Path ".\$($selfsigncert.Thumbprint).cer" -Force } } Get-ChildItem -Path $Path -Filter "*.ps1" -Recurse:$Recurse.IsPresent | ForEach { if ($pscmdlet.ShouldProcess($_.FullName, "Set-AuthenticodeSignature")) { $result = Set-AuthenticodeSignature $_.FullName -Certificate $cert Write-Output "$($result.Status);$($_.FullName)" } } Write-Output "End Execution" |