I’ve been digging into what it takes to make my script profile more tamper-proof on my personal workstation(s) and have started using a self-signed code signing certificate to sign my scripts. I then set the execution policy to AllSigned and ensure that my profile script and any modules it calls are digitally signed with this certificate.
To automate this entire process I’ve put together a script to generate the code signing certificate and then do the following:
- Export it to disk as a password-protected PFX file
- Export into memory as a cer file (public key only)
- Delete from the Cert:\CurrentUser\My certificate store
- Re-Import just the public key into the Cert:\CurrentUser\TrustedPublisher store
- Copy the certificate from Cert:\CurrentUser\TrustedPublisher to the Cert:\CurrentUser\Root
The script is found here if anyone cares to tear it apart (run with the -Secure flag to create the scenario described above): https://github.com/zloeber/PowerShellProfile/blob/master/Scripts/New-CodeSigningCertificate.ps1
My question is, am I missing anything from a security point of view? Every example I’ve seen with makecert.exe goes through a process of creating a trusted root authority and then using it to create the code signing certificate. I’ve bypassed this two-tier approach entirely and it seems to work well enough for me.
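
The steps listed in the post, written out as an added example with built-in cmdlets and .NET certificate classes; this is not the linked script. The subject name and PFX path are assumptions, and `-DeleteKey` is an addition here so that the private key material is removed along with the store entry.

```powershell
# Added example. $subject and $pfxPath are hypothetical values, not from the linked script.
$subject = 'CN=Example Profile Code Signing'
$pfxPath = Join-Path $env:USERPROFILE 'ExampleCodeSigning.pfx'
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Create the self-signed code signing certificate in the personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Export certificate and private key to a password-protected PFX on disk.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# Export the public certificate only, in memory (DER bytes, no private key).
$cerBytes = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Remove the certificate from the personal store. -DeleteKey also deletes the
# private key; without it only the store entry is removed.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# Add the public-only certificate to TrustedPublisher and Root.
# Adding to the CurrentUser Root store raises a confirmation dialog.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerBytes)
foreach ($name in 'TrustedPublisher', 'Root') {
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($name, 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($public)
    $store.Close()
}

# Confirm the trusted copies carry no private key and the personal store entry is gone.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\CurrentUser\Root |
    Where-Object Thumbprint -eq $public.Thumbprint |
    Select-Object PSParentPath, Thumbprint, HasPrivateKey
Test-Path "Cert:\CurrentUser\My\$($public.Thumbprint)"
```

With this layout the signing key exists only inside the PFX, so the PFX password and where that file is stored are what protect the ability to sign new scripts.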