Windows PowerShell is based on the Common Language Runtime (CLR) of the .NET Framework and ships with Windows as part of the Windows Management Framework (WMF). PowerShell scripts can therefore read and edit all essential parts of a Windows operating system, given the appropriate permissions.
Because PowerShell is also used by malware, the operating system usually prohibits the execution of scripts downloaded from the Internet, or of unsigned scripts in general.
A digital signature is the result of a cryptographic process that uses a secret signing key to calculate a value, the signature, from arbitrary data. With the publicly known key, this value can be used to verify two important properties of information security management:
non-repudiation, and
integrity, that is, that the content is intact.
In this context, this means that before executing a script, the operating system checks whether the signature matches the content of the script and whether the signature was made with a key that can be trusted.
If the signature does not match, a malicious actor could, for example, have manipulated the contents of the script.
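Both checks can be observed with Get-AuthenticodeSignature. The following is an added example, not code from the original page; it assumes Windows 10 or later (for New-SelfSignedCertificate -Type CodeSigningCert), and the certificate subject, file name and script content are constructed for the demonstration.

```powershell
# Added example (not from the original page). Assumes Windows 10 or later.
# The certificate subject, file name and script content are constructed.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Signature Demo (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My

$path = Join-Path $env:TEMP 'signature-demo.ps1'
Set-Content -Path $path -Value 'Write-Output "hello"'

try {
    # Sign the script, then read the signature back and record its status.
    Set-AuthenticodeSignature -FilePath $path -Certificate $cert | Out-Null
    $signed = Get-AuthenticodeSignature -FilePath $path

    # Simulate manipulation: change the script body, leave the signature block alone.
    $text = Get-Content -Path $path -Raw
    Set-Content -Path $path -Value $text.Replace('hello', 'changed') -NoNewline
    $tampered = Get-AuthenticodeSignature -FilePath $path

    # Report status, signer and reason for both states of the file.
    $report = foreach ($entry in @(@{ State = 'as signed';  Sig = $signed },
                                   @{ State = 'after edit'; Sig = $tampered })) {
        [pscustomobject]@{
            State   = $entry.State
            Status  = $entry.Sig.Status
            Signer  = $entry.Sig.SignerCertificate.Subject
            Message = $entry.Sig.StatusMessage
        }
    }
    $report | Format-List
}
finally {
    # Remove the demo script and the throwaway certificate again.
    Remove-Item -Path $path -ErrorAction SilentlyContinue
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

A status of HashMismatch after the edit is the integrity check failing. The untouched copy reports a status other than Valid for as long as the throwaway certificate does not chain to a trusted root, which is the trust check.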
Run the following code in PowerShell as a normal user. A certificate is stored in the user's own certificate store.
Using PowerShell, the certificate could now be moved to the trusted root certificate store. It is easier to do this using certmgr.msc.
Do not use certlm.msc, as it is for the local machine and not the user.
Now move the certificate you just created from “My Certificates” to the “Trusted Root Certification Authorities” store.
Creating a Signature Script
## sign_file.ps1
## Signs the named file with the first codesigning certificate from the user's root certificate store
param([string]$file = $(throw "Please specify a filename."))
# Select the first code-signing certificate explicitly; -Certificate accepts a single certificate
Set-AuthenticodeSignature $file @(Get-ChildItem Cert:\CurrentUser\Root -CodeSigningCert)[0]
Now we need to sign the signature script itself before we can use it: