{"id":2936,"date":"2020-09-04T14:36:16","date_gmt":"2020-09-04T12:36:16","guid":{"rendered":"https:\/\/laurentvanacker.com\/?p=2936"},"modified":"2022-12-09T09:50:12","modified_gmt":"2022-12-09T08:50:12","slug":"signature-de-scripts-powershell-signing-powershell-script","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2020\/09\/04\/signature-de-scripts-powershell-signing-powershell-script\/","title":{"rendered":"Signing PowerShell Scripts"},"content":{"rendered":"<p><a href=\"#en-us\" name=\"fr-fr\">Go to English version<\/a><\/p>\n<p>The article <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2\/\">https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2\/<\/a> (<a href=\"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2\/\">Part 2<\/a>) explains, in detail, the process and the infrastructure to set up in order to sign PowerShell scripts with a Microsoft PKI.<\/p>\n<p>If you want to quickly build a test lab (via <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\">AutomatedLab<\/a>), I suggest the <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/Code%20Signing\/AutomatedLab\/AutomatedLab%20-%20Code%20Signing.ps1\">following<\/a> script, which follows the recommendations given in the articles mentioned above.<\/p>\n<p>The environment consists of 4 servers:<\/p>\n<ul>\n<li>DC01: Domain controller (contoso.com)<\/li>\n<li>CA01: Certificate authority<\/li>\n<li>DEV01: PowerShell development machine used by the account 
\u201cCONTOSO\\DevUser\u201d<\/li>\n<li>CLIENT01: Client machine used by the account \u201cCONTOSO\\ClientUser\u201d<\/li>\n<\/ul>\n<p>A single password is used for all accounts (\u201cP@ssw0rd\u201d without the quotes)<\/p>\n<p>The script takes care of setting up the environment:<\/p>\n<ul>\n<li>A certificate of type CodeSigning is issued (by CA01) for the account \u201cCONTOSO\\DevUser\u201d on DEV01<\/li>\n<li>This certificate is used to sign the script SignedScript.ps1 located on the desktop of \u201cCONTOSO\\DevUser\u201d<\/li>\n<li>This script is copied to the desktop of \u201cCONTOSO\\ClientUser\u201d on CLIENT01<\/li>\n<\/ul>\n<p>All that remains is to run this script from CLIENT01 (as \u201cCONTOSO\\ClientUser\u201d) and test.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/01\/012717_1333_Fusionnerde1.png\" alt=\"\" \/><\/p>\n<p>The article <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2\/\">https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2\/<\/a> (<a href=\"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2\/\">Part 2<\/a>) explains, in detail, the process and the infrastructure to be set up to sign PowerShell scripts with a Microsoft PKI.<\/p>\n<p>If you want to quickly set up a test lab (via <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\">AutomatedLab<\/a>), I suggest the following <a 
href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/Code%20Signing\/AutomatedLab\/AutomatedLab%20-%20Code%20Signing.ps1\">script<\/a>, which follows the recommendations given in the articles mentioned above.<\/p>\n<p>The environment is made up of 4 servers:<\/p>\n<ul>\n<li>DC01: Domain controller (contoso.com)<\/li>\n<li>CA01: Certificate authority<\/li>\n<li>DEV01: PowerShell development machine used by the \u201cCONTOSO\\DevUser\u201d account<\/li>\n<li>CLIENT01: Client machine used by the \u201cCONTOSO\\ClientUser\u201d account<\/li>\n<\/ul>\n<p>A single password is used for all accounts (\u201cP@ssw0rd\u201d without the quotes)<\/p>\n<p>The script takes care of setting up the environment:<\/p>\n<ul>\n<li>A certificate of type CodeSigning is issued (by CA01) for the \u201cCONTOSO\\DevUser\u201d account on DEV01<\/li>\n<li>This certificate is used to sign the SignedScript.ps1 script found on the desktop of \u201cCONTOSO\\DevUser\u201d<\/li>\n<li>This script is copied to the desktop of \u201cCONTOSO\\ClientUser\u201d on CLIENT01<\/li>\n<\/ul>\n<p>All you have to do is run this script from CLIENT01 (as \u201cCONTOSO\\ClientUser\u201d) and test.<\/p>\n<p><a href=\"#fr-FR\" name=\"en-us\">Go to French version<\/a><\/p>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to English version The article https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2\/ (Part 2) explains, in detail, the process and the infrastructure to set up in order to sign PowerShell scripts 
[&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2463,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,12],"tags":[54,39,41,42],"class_list":["post-2936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","category-securite-security","tag-automatedlab","tag-powershell","tag-securite","tag-security"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2936"}],"version-history":[{"count":5,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2936\/revisions"}],"predecessor-version":[{"id":2964,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2936\/revisions\/2964"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2463"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=2936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}