PowerShell Code Signing Best Practices<\/h2>\n\n\n\nUse The latest PowerShell Version<\/h3>\n\n\n\n
The first and foremost best code signing practice is to use the latest Powershell version. This is for every software you use, not only PowerShell.<\/p>\n\n\n\n
How will you check if the latest version is installed on your device or not? So, there are different methods to identify this, as explained below. <\/strong><\/p>\n\n\n\n When you run the Get-Host command in PowerShell, it tells you information about the program (or “host”) running PowerShell. This includes details like the program’s name, version, and some settings, like language preferences.<\/p>\n\n\n\n However, the version number you see from Get-Host doesn’t always tell you the exact version of PowerShell itself. Instead, it usually shows the version of the program that’s running PowerShell. That\u2019s why sometimes the results are inaccurate.<\/p>\n\n\n\n The version mentioned below is 5.1.19041.1645<\/strong><\/p>\n\n\n\n Run (Get-Host). Version and you will see the similar version as we have got above.<\/p>\n\n\n\n This is one of the most reliable and trusted methods for identifying the PowerShell version.<\/p>\n\n\n\n All you need to do is type $PSVersionTable in the command prompt, press Enter, and you\u2019ll see the below results.<\/p>\n\n\n\n Powershell is a powerful tool for automating administrative tasks and managing systems in Windows. However, if the wrong entities get access to it, they can maliciously modify system settings, install malware, or even delete data.<\/p>\n\n\n\n To avoid such circumstances, it’s vital that only trusted authorities gain access to the PowerShell Console. To limit the access, use role-based access control (RBAC).<\/p>\n\n\n\n It is a built-in feature in PowerShell that allows respective owners to control who can run PowerShell commands. For instance, only the IT department can run PowerShell commands and not other teams.<\/p>\n\n\n\n Logs and monitoring tools are used to address and prevent security incidents. Here’s how!<\/strong><\/p>\n\n\n\n Ensuring the security of private keys is not just enough; in fact, you have to develop and implement some strict measures. Below are some!<\/strong><\/p>\n\n\n\n Using just one key to sing all the scripts is a good idea. Right? But no, it’s not that good!<\/p>\n\n\n\n Of course, it\u2019s cheaper and easier to manage, but you will end up paying much more amount than spending only a few extra to get the extra keys.<\/p>\n\n\n\n What if you use the same key? Read on to find out!<\/strong><\/p>\n\n\n\n An attack or breach on that respective key will invalidate other signatures and good code. The process works as the saying goes: one rotten egg can spoil the whole barrel.<\/p>\n\n\n\n You will be saved a bit if you have applied the timestamps while singing the scripts.<\/p>\n\n\n\n But why take the risk if you are already aware of that? So, choose wisely!<\/p>\n\n\n\n HSM, or Hardware Security Module<\/a>, is a tamper-resistant and FIPS-validated device that protects, processes, and manages cryptographic keys. It allows the usage of keys without having direct access to them.<\/p>\n\n\n\n Recommended:<\/strong> How to Sign the PowerShell Script Code with YubiKey?<\/a><\/p>\n\n\n\n So, always ensure that all the private keys for the code signing certificate are saved on an HSM. Don\u2019t forget to protect the cryptographic HSM with a randomly generated 16-character-long password.<\/p>\n\n\n\n Always get a code signing certificate from a trusted CA<\/a>, like Comodo, DigiCert, Certera or Sectigo, instead of a self-signed one.<\/p>\n\n\n\n A self-signed code signing certificate has an unconfirmed identity. This means that users will receive a warning message whenever you make it available publicly.\u00a0<\/p>\n\n\n\n Recommended:<\/strong> Self-Signed vs. Publicly Trusted CA Code Signing Certificates: which one should you choose? <\/a><\/p>\n\n\n\n On the contrary, code signing certs issued by trusted CAs do not show any warning and get downloaded smoothly.\u00a0<\/p>\n\n\n\n PowerShell is a potent tool, and if cybercriminals hack it, they can seamlessly access systems and data.<\/p>\n\n\n\n To mitigate the risk, PowerShell includes a security feature called \u201cscript signing<\/strong>\u201d, which allows you to sign the script digitally. This process verifies the script’s authenticity and ensures it’s not tampered with.\u00a0<\/p>\n\n\n\n Recommended:<\/strong> Buy PowerShell Code Signing Cert and Sign your Code – Starts at Just $215.99\/yr<\/a><\/p>\n\n\n\n Still, you\u2019ll run the unsigned script; a warning will be displayed. Make sure not to bypass and resolve it as soon as possible.<\/p>\n\n\n\n Ensure that the software is virus-free before it\u2019s signed so you can handle the potential problems at the initial stage only. <\/p>\n\n\n\n Any breach after the code signing will affect the users\u2019 computers or devices, and the signing certificate needs to be revoked. Getting a new one will be pretty much harder due to the validation requirements.<\/p>\n\n\n\n Timestamping<\/a> the digital signature ensures that users can still access it without any warning. It adds the exact time and date when the signature was applied.<\/p>\n\n\n\n To set the timestamp<\/strong>, add -TimeStampServer https:\/\/TIMESTAMP_SERVER at the end of the Set-AuthenticodeSignature command.<\/p>\n\n\n\n Make sure to replace C:\\PS\\powershell_script.ps1 with the script path and https:\/\/TIMESTAMP_SERVER with your CA (certificate authority). (e.g., https:\/\/timestamp.digicert.com)<\/p>\n\n\n\n To check if timestamping was successful, follow the below steps.<\/strong><\/p>\n\n\n\n If the process is done successfully, you will see the below result.<\/p>\n\n\n\n We understand that these are extra steps to configure the signing device but trust us, these are necessary. Failure to do so will render the signatures invalid once the code signing certificate expires.<\/p>\n\n\n\n Now, it\u2019s a fact that despite using protective measures, some mistakes can still happen; after all, we are all human beings.<\/p>\n\n\n\n Here are some tips on revocation if the code signing cert gets compromised.<\/strong><\/p>\n\n\n\n To conclude, you can use the above code signing best practices to secure your scripts further and enjoy peace of mind that these are protected from hackers!<\/p>\n\n\n\n Recommended:<\/strong> How to Sign Digitally PowerShell Script With a Code Signing?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"The Get-Host Command<\/h4>\n\n\n\n
![\"\"](\"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/06\/get-host-powershell-version.png\")
<\/figure>\n\n\n\nThe $host.Version command<\/h4>\n\n\n\n
The $PSVersionTable command<\/h4>\n\n\n\n
![\"PowerShell](\"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/06\/powershell-psversion-table-1024x425.png\")
<\/figure>\n\n\n\nLimit Access to the PowerShell Console<\/h3>\n\n\n\n
Log Script Signing Actions<\/h3>\n\n\n\n
\n
\n
Implement Signing Keys Policies<\/h3>\n\n\n\n
\n
\n
\n
Avoid Signing all The Scripts With the Same Key<\/h3>\n\n\n\n
Use Hardware Security Module (HSM)<\/h3>\n\n\n\n
Always Prefer a Trusted Code Signing Certificate<\/h3>\n\n\n\n
Avoid Running Unsigned Scripts<\/h3>\n\n\n\n
Scan For Viruses Before Signing<\/h3>\n\n\n\n
Timestamp Everything<\/h3>\n\n\n\n
\n
![\"Digital](\"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2023\/08\/digital-signature-tab-jpg.webp\")
<\/figure>\n\n\n\n\n
The Bottom Line<\/h2>\n\n\n\n