How to Sign the PowerShell Script Code with YubiKey?

Code Signing Certificate from YubiKey to Sign Powershell

Ensure the security and integrity of software code as a developer and IT professional. One crucial aspect of code security lies in code signing, a process that validates the authenticity and integrity of scripts and applications.

For PowerShell users, code signing is vital in establishing trust and preventing unauthorized tampering. However, the traditional approach of using a code signing certificate, like the one issued by DigiCert, can often be cumbersome and restrictive.

This article will explore enhancing your PowerShell code security by integrating a YubiKey into your code signing workflow.

We will delve into the benefits of using a YubiKey, its compatibility with different environments, and the steps involved in setting up and using this powerful tool for code signing.

Get ready to unlock a new level of convenience, efficiency, and trust in your PowerShell scripting endeavors, regardless of location or internet accessibility.

Why must you Use the Yubikey for your PowerShell Code Signing?

Consider the scenario where you work on PowerShell scripts in different environments, such as when visiting clients or working remotely.

The inconvenience of having to move your code to a specific location where your code signing certificate is accessible to sign it can be a significant obstacle.

Moreover, relying on online platforms like Visual Studio Team Services (VSTS) for automated script signing introduces dependencies on internet connectivity and VSTS availability.

Fortunately, there is a solution that simplifies the code-signing process and empowers you to sign PowerShell scripts effortlessly, irrespective of your location.

By leveraging the power of a YubiKey, a versatile hardware authentication device, you can streamline the code signing workflow and eliminate the need for constant certificate transfers or online dependencies.

What is a YubiKey Hardware?

A YubiKey, resembling a sleek and compact USB device, has gained popularity as an effective second-factor authentication tool. Many users have embraced its reliability and convenience for enhancing security measures.

However, what remains largely unexplored is the potential of using a YubiKey for code signing. This unassuming device can revolutionize the way we approach code signing.

Configuring the YubiKey with appropriate certificates transforms into a smartcard-like solution that securely stores your private keys.

This means that with a simple plug-in, your YubiKey becomes a portable repository for your signing certificate. Consider a scenario where you had your YubiKey reset, assigned new pin codes, and securely stored your signing certificate on it.

Now, you can connect it to any computer and instantly access your certificate, eliminating worrying about storing your private key separately.

Step-wise Guide to Sign the Code with YubiKey

Utilizing a YubiKey for code signing ensures the secure storage of your certificate and offers seamless access across multiple computers.

Once you have imported your certificate into the YubiKey, you can insert the key into any computer, and the certificate will become readily available in the current user’s certificate store. Let’s explore how this process looks and examine the output when enumerating the store.

To begin, we can use the PowerShell command “Get-ChildItem” along with the specified path “cert:\currentuser\my” to access the current user’s certificate store.

However, to filter the results and retrieve only the certificates valid for code signing, we can employ the “-CodeSigning” parameter. This parameter restricts the output only to display certificates applicable for code signing purposes.

By executing the following command:

Get-ChildItem -Path "cert:\currentuser\my" -CodeSigning

We can retrieve a concise and focused list of certificates intended for code signing to identify the valid certificates to sign our code quickly.

We narrowed the search scope by utilizing the “-CodeSigning” parameter to ensure that only relevant certificates are returned. This approach streamlines the process and eliminates unnecessary clutter, making managing and selecting the appropriate certificate for code signing easier.

How to Sign in to YubiKey?

Code signing plays a vital role in ensuring the integrity and authenticity of your PowerShell module. In the case of the “DSACL” module containing functions for Active Directory ACLs, signing the module before sharing it on the PowerShell gallery is imperative.

There are two approaches to signing a module: signing individual files and using catalog signing, both of which we will explore here.

To begin, we need to obtain a reference to the code signing certificate. If you possess only one code signing certificate on your computer, you can store the output from the “Get-ChildItem” command in a variable.

However, if you have multiple certificates, a preferred method involves using “Out-GridView” to select the desired certificate interactively.

The following example demonstrates this process:

$Cert = Get-ChildItem -Path 'cert:\currentuser\my' -CodeSigning | Out-GridView -PassThru

With the certificate reference in place, we can sign the script files. This signature serves as validation for PowerShell when loading the module.

The “Set-AuthenticodeSignature” command is utilized for this purpose. A timestamp server is employed to ensure the validity of the signature even after the certificate expiration.

This server appends a timestamp to the signature, allowing validation of the certificate’s validity at the time of signing.

To sign only the module and manifest files, execute the following command within the directory where the files reside:

Get-ChildItem -Path '*.ps*' | Set-AuthenticodeSignature -Certificate $Cert -TimestampServer ''

The next step involves creating a catalog file containing each file’s hash sums, ensuring the integrity of the module.

When installing the module using “Install-Module” PowerShellGet utilizes this catalog file.

In this case, we opt for catalog version 1, which employs the SHA1 algorithm. This choice maintains compatibility with Windows 7.

To create the catalog file, use the following command within the same directory as the files to be signed:

New-FileCatalog -CatalogVersion 1 -CatalogFilePath .\ -Path $PWD.Path

The resulting “” file will contain the hashes for all the files in the directory. Any modifications, additions, or removals to the files will render the catalog file invalid.

Safeguard the integrity of the catalog file using the code signing certificate with the following command:

Set-AuthenticodeSignature -Certificate $Cert -TimestampServer '' -FilePath .\

With these steps completed, PowerShell can now validate the signatures on each PowerShell file, including the module file, module manifest, and catalog signing file.

Performing these checks enables PowerShellGet to verify both the signature on the catalog file and its validity. With these comprehensive security measures in place, you can have confidence that your code remains unaltered.

And there you have it! With your PowerShell module signed and secured, you can confidently share it while maintaining its integrity.

Happy signing, and may your PowerShell endeavors continue to thrive with enhanced security measures!

Digitally Sign your PowerShell Script with Token Based Code Signing Certificate!

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.