Code Signing

Digital signatures are the “packaging” of a script. With a digital signature, anyone can see who has packaged the script, and whether or not the script is untouched.

Scripts without a digital signature provide no clue who the author is, and whether someone else has changed the script, or added malicious code. This is why any production script should have a digital signature. ISESteroids helps you add and verify digital signatures.

Applying Digital Signature

To apply a new digital signature, or update an existing signature, click the signature icon in the status bar, then choose “Apply Signature” or “Apply New Signature”.

NOTE: Support for Digital Signatures is a feature of ISESteroids Enterprise. To test-drive this feature during trial, make sure you choose the menu item “Level/Enable All Features”.

A list with suitable code signing certificates opens, and you can choose the identity for signing.

  • If you currently do not own a code signing certificate, ISESteroids offers to create a self-signed certificate for you. Read more about self-signed certificates below.
  • If the code you are signing is not saved to file yet, you are prompted to save the script. Digitally signed scripts need to be saved to disk in order to work.

ISESteroids adds the digital signature to the file. A digital signature is simply a special comment block attached to the end of your script file.

You can right-click the inserted digital signature to verify it or remove it again.

Verifying Digital Signature

When a script has a digital signature, the signature icon in the status bar tells you the signature status. If the signature is valid, you see a red signature icon. If the signature is broken, a yellow warning overlay appears. And if you signed the script yourself, and the content changed, a pencil overlay indicates that the signature needs to be updated.

To find out more, right-click the digital signature, and choose “Verify Signature”.

This opens a dialog telling you whether or not the signature is valid, and whether it is safe to trust this script. The dialog offers to show signer details. This opens another dialog with the certificate details on it. It tells you the name of the signer, along with certificate details such as trust and validity.

You can also open this dialog by clicking the signature icon in the status bar, and choosing “Show Signer Details”.

If the signer details show the same name for both “Issued to” and “Issued by”, then you know the script was signed with a self-signed certificate (see below for more information on self-signed certificates).

Updating Digital Signature

Whenever you change a digitally signed script, the signature breaks and needs to be re-applied. This is by design because the job of a signature is to verify whether or not a script has changed since it was signed.

When you edit a script that you signed yourself, ISESteroids automatically updates the signature each time you save the script, provided the certificate you used for signing is available.

To manually update a signature, or sign a script with a different identity, click the signature icon in the status bar, and choose “Apply New Signature”.

Signing with PFX-Files

By default, when you add a new signature to a script, ISESteroids lets you pick from all suitable installed code signing certificates.

If you want to sign a script with a file-based certificate (a pfx-file), click the signature icon in the status bar, choose “Advanced Options”, and then “Import a Certificate from PFX-File”. This opens a dialog, and you can choose the PFX file to load. Note that most PFX files are password protected, and you will then be prompted to enter the password before you can import the certificate.

Creating Timestamped Signatures

Simple signatures do not use a timestamp server. They are valid only as long as the certificate you used for signing is still valid.

Most certificates have an expiration date after which they become invalid. All signatures made with such a certificate expire at that moment, too.

When you use a timestamp server, a trusted authority confirms that the certificate was valid at the time of signing. These signatures remain valid even if the certificate used for signing has since expired.

To use a timestamp server, you need Internet connectivity. Click the signature icon in the status bar, choose “Advanced Options”, then check “Use Timestamp Server for Signing”. A dialog opens and lets you pick the timestamp server you want to use.
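The same operation from a PowerShell prompt, as an added example that is not ISESteroids' own code: the built-in Set-AuthenticodeSignature cmdlet takes the server through its -TimestampServer parameter. The script path and the timestamp URL are placeholders; use the URL your certificate authority publishes.

```powershell
# Added example, not ISESteroids code. Path and URL are placeholders.
$scriptPath      = 'C:\Scripts\Deploy.ps1'            # placeholder
$timestampServer = 'http://timestamp.example.test'    # placeholder

# Pick an installed code signing certificate that has a private key
# and has not expired yet; prefer the one that stays valid longest.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No usable code signing certificate found in Cert:\CurrentUser\My.'
}

$result = Set-AuthenticodeSignature -FilePath $scriptPath `
                                    -Certificate $cert `
                                    -TimestampServer $timestampServer `
                                    -HashAlgorithm SHA256

# A signature without a timestamp stops validating when the signing
# certificate expires, so confirm that a timestamp was really attached.
if (-not $result.TimeStamperCertificate) {
    Write-Warning "No timestamp attached; signature depends on certificate validity until $($cert.NotAfter)."
}

$result | Select-Object -Property Status, StatusMessage,
    @{ Name = 'Signer';        Expression = { $_.SignerCertificate.Subject } },
    @{ Name = 'SignerExpires'; Expression = { $_.SignerCertificate.NotAfter } },
    @{ Name = 'TimestampedBy'; Expression = { $_.TimeStamperCertificate.Subject } }
```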

Self-Signed Certificates

Self-signed certificates are a cheap and easy way of getting a code signing certificate. Anyone can create self-signed certificates.

Create New Self-Signed Test Certificate

For example, you can create as many self-signed certificates as you like, and claim to be whoever you want, by clicking the signature icon in the status bar. Then choose “Advanced Options”, and “Create New Self-Signed Test Certificate”.

When you check “Create Exportable Certificate”, the newly created certificate can be exported from your personal certificate store and saved as a PFX file.

Certificates you create with ISESteroids are automatically marked “trusted” on your local computer. Scripts you sign with these certificates will run even if the PowerShell ExecutionPolicy is set to “AllSigned”, and you can use these certificates to test-drive the PowerShell ExecutionPolicy settings if you want.

However, self-signed certificates are not trusted on other machines or by other users. To establish trust, you would need to use the ISESteroids “Risk Control”, or use a digital certificate issued by a trustworthy certificate authority.

Remove Self-Signed Test Certificates

To get rid of previously created self-signed test certificates, click the signature icon in the status bar. Then choose “Advanced Options”, and “Remove Self-Signed Test Certificate”. Pick the certificate you want to remove from a list. ISESteroids permanently removes it from your personal certificate store.

Note that removing certificates is permanent and not undoable. Make sure you remove only certificates that you no longer need.

When to use Self-Signed Certificates

Self-signed certificates are primarily used for testing purposes. Since anyone can create them, and claim to be anyone, they are not, by themselves, suitable for security checks.

Still, self-signed certificates can be a useful alternative to using commercial certificates or certificates issued by your corporate PKI. It is always better to sign a script with a self-signed certificate than to not sign at all. Here is why:

  • While anyone can create self-signed certificates, the combination of issued name and certificate thumbprint is unique. By comparing these two characteristics, you can be confident that the script was indeed signed by the owner of this certificate. ISESteroids uses this for its own built-in trust mechanism.
  • Regardless of who signed a script, digital signatures can help you quickly check whether a script was changed after the signature was applied.
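Both points, and the “Issued to”/“Issued by” comparison described under “Verifying Digital Signature”, can be checked from a PowerShell prompt with the built-in Get-AuthenticodeSignature cmdlet. This is an added example, not ISESteroids' own code or its trust mechanism; the function name Test-ScriptSigner, the script path, the subject and the thumbprint are placeholders.

```powershell
# Added example, not ISESteroids code. Test-ScriptSigner is a hypothetical helper name.
function Test-ScriptSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # "Issued to" name you expect, exactly as the certificate shows it.
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # Thumbprint obtained from the signer over a channel you trust.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate   # $null when the file carries no signature

    # Thumbprints copied from a certificate dialog often contain spaces.
    $pin = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        # HashMismatch: the content no longer matches what was signed.
        Changed     = $sig.Status -eq 'HashMismatch'
        Subject     = if ($cert) { $cert.Subject }
        Thumbprint  = if ($cert) { $cert.Thumbprint }
        # Same name in "Issued to" and "Issued by" means self-signed.
        SelfSigned  = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        Timestamped = [bool]$sig.TimeStamperCertificate
        # Name AND thumbprint must both match the values you pinned.
        PinMatches  = [bool]($cert -and
                             $cert.Subject -eq $ExpectedSubject -and
                             $cert.Thumbprint -eq $pin)
    }
}

# Placeholder values: replace with your script and the signer's details.
$report = Test-ScriptSigner -Path 'C:\Scripts\Deploy.ps1' `
                            -ExpectedSubject 'CN=Example Signer' `
                            -ExpectedThumbprint '<thumbprint from signer>'

if ($report.Changed -or -not $report.PinMatches) {
    Write-Warning "Do not run $($report.Path): status $($report.Status), pin match $($report.PinMatches)."
}
$report
```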

Disabling Automatic Signature Check

By default, ISESteroids checks any file you load for digital signatures, and updates the signature icon accordingly. This way, a quick look into your status bar tells you whether a script is trustworthy or not.

To disable automatic checking, click the signature icon in the status bar, choose “Advanced Options”, then enable “Skip Signature Validity Check”. This effectively turns off the entire support for digital signatures until you re-enable it by unchecking the option.

Disabling certificate checks can slightly improve editor performance at the cost of reduced security.