Script Signing Made Simple

Home , VBScript

Digitally signing your VBScript and PowerShell scripts is definitely a scripting best practice and is easier than you think. Guide

Writing secure scripts is becoming a First you need to create a self signed cates installed as you’d like, I’m more common requirement for root certificate. This command going to assume you only have one. many organizations. You can con- should get the job done: For most organizations and scripting figure both your VBScript and administrators, that should be suffi- PowerShell environments to only !$0# cient. You should be able to use the execute scripts that have been digi- %/. . same certificate for both VBScript tally signed. Let me show you how %#'# and PowerShell. easy this can be. '")","'"+"+"-")")## " "# # To sign either script type, open a The first thing you need is a digital '&(*# file in PrimalScript 2009. Under the certificate; more specifically, a code Script menu, select “Sign Script”. signing certificate of the Microsoft Enter a password when prompted. That’s it. PrimalScript executes the Authenticode type. This certificate Then create the code signing certifi- language appropriate command to must be trusted by all computers cate with this command: sign the script with your default cer- that will be executing your scripts. tificate. If you scroll to the end of Acquiring such a certificate is be- !$0## your script you should see a com- yond the scope of this article, but if %/. .$. . mented script block. You don’t have you already have an Active Direc- %# to do anything else. If your Power- tory based public key infrastructure, #'# '")","'"+"+"-")")# Shell execution policy is configured this shouldn’t be too difficult. " #" to run digitally signed scripts, this script should execute just fine, as- An alternative for testing purposes Again, enter a password when suming the root certificate is trusted is to use the command line tool prompted. on any computer running your MAKECERT.EXE from the .NET script. Framework SDK. This tool will cre- The certificates will be created and ate a self-signed code-signing cer- automatically installed on your Of course, if you modify the script tificate. The major consideration is computer. Otherwise install your in any way, even adding a single that the certificate is only trusted on code signing certificate onto your space, the digital signature will be your computer which means signed computer by double-clicking on the invalid and you’ll have to re-sign scripts won’t run anywhere else. file. I always let Windows decide your script. This can get tedious, Still, this is a useful tool to test the where to store it. While you can especially if you are creating or script signingprocess. have as many code signing certify modifying many scripts a day. For

SAPIEN Technologies Inc. | 841 Latour Court, Suite D | Napa, CA 94558 | www.sapien.com | 707.252.8700 1

Guide those situations you want to config- However, you can browse to a spe- ure PrimalScript to always sign your cific certificate file for either lan- scripts. guage. The certificate must be in the

PFX file format. Enter the certifi- Open the Options dialog box from cate password when prompted. Pri- the Tools menu. Select Script Secu- malScript will securely store the rity under Script Settings and you associated password should see a dialog box like this.

Since you only have a single code From this point on, every time you signing certificate, there is very lit- modify a script or create a new tle you need to configure here other script and save it, PrimalScript will than checking the boxes to auto- automatically sign the script matically sign scripts when saving. with your certificate. You don’t PrimalScript will use the first code even have to think about it. signing certificate it discovers. More than likely this is the only Jeffery Hicks Signing code signing certificate you have installed. your scripts is a best practice, so why

aren’t you?

SAPIEN Technologies Inc. | 841 Latour Court, Suite D | Napa, CA 94558 | www.sapien.com | 707.252.8700 2