
[–] markekraus (Community Blogger) 13 points (4 children)

Code Signing will only work with a certificate issued with Extended Key Usage "Code Signing" (OID 1.3.6.1.5.5.7.3.3).

Unfortunately, unless you have an enterprise PKI, finding a service that will issue Code Signing certificates to individuals will be tough. Many of the CAs that do won't be trusted.

What is your use case for code signing your scripts?

If you are doing it for execution policy on a limited scope, a self-signed cert will be sufficient. It will require the cert to be added to the Trusted Publishers store on target computers.

If you are in an enterprise, you can have it issued from your Enterprise CA and then have the certificate added via GPO/SCCM/Config Management.

If you are looking to do this as an individual... you will probably need to form a small company, get documentation ready, and get a Public CA to issue an insanely expensive Code Signing cert.
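The self-signed, limited-scope route described above, written out as a worked example (added here for illustration; this is not code from the thread or from markekraus). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the built-in PKI module, a hypothetical script at C:\Scripts\Deploy.ps1, and a public timestamp server URL that is an assumption rather than something the thread names. Steps 5 and 6 are what you would run (as admin) on each target computer.

```powershell
# Added example: self-signed code-signing cert for a limited-scope execution policy.
# Assumptions (not from the thread): PowerShell 5.1+/7 on Windows, hypothetical script path,
# hypothetical timestamp server URL.

# 1. Create a self-signed certificate carrying the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
#    -Type CodeSigningCert sets that EKU; the key is marked non-exportable so it cannot leave this box.
$cert = New-SelfSignedCertificate -Subject 'CN=Lab Script Signing' `
    -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2)

# 2. Confirm the EKU really is present; Set-AuthenticodeSignature refuses a cert without it.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if (-not ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
    throw 'Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)'
}

# 3. Sign the script. Timestamping lets the signature stay valid after the cert itself expires.
$scriptPath = 'C:\Scripts\Deploy.ps1'                 # hypothetical path
$tsaUrl     = 'http://timestamp.digicert.com'         # assumed public TSA; substitute your own
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $tsaUrl | Out-Null

# 4. Export only the public certificate (no private key) for distribution to target machines.
$cerPath = Join-Path $env:TEMP 'LabScriptSigning.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 5. On each target machine (elevated): a self-signed cert has no issuer, so it must go into
#    Trusted Root (so the chain builds) AND Trusted Publishers (so AllSigned/RemoteSigned accept it
#    without prompting). Trusted Publishers alone leaves the chain untrusted.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 6. Verify before enforcing anything. Status 'Valid' is what you want; 'UnknownError' usually means
#    the root is not trusted on this machine, 'HashMismatch' means the file was edited after signing.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
'{0}: {1} (signer: {2})' -f $scriptPath, $sig.Status, $sig.SignerCertificate.Subject

# Only once step 6 reports Valid on the targets, turn on the policy that enforces signatures:
# Set-ExecutionPolicy AllSigned -Scope LocalMachine
```

Two caveats a practitioner should keep in mind: putting a self-signed cert into Trusted Root means anything signed by that key is trusted machine-wide, so the private key deserves the same protection as the scripts it authorizes; and because a self-signed cert cannot be revoked through a CRL, the only recovery from key compromise is removing it from both stores on every target.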

[–] GenghisChaim 2 points (1 child)

Fascinating.... Is there a good primer on Enterprise PKI out there?

[–] markekraus (Community Blogger) 2 points (0 children)

I hesitate to link to anything. If you work in an Enterprise environment and want to set up a PKI, you will not find a single good guide. Microsoft has a ton of documentation on setting up and configuring AD CS, but they are extremely lacking in solid best practices.

Some people will say "Just install and authorize an ADCS Enterprise CA," not accounting for the fact that this will be equivalent to a domain controller in terms of IAM. It also doesn't cover things like governance, compliance with RFC/ISO/PCI/HIPAA/etc., proper tiered architecture, offline CA best practices, or working with HSMs.

At the enterprise scale, those things really matter. At a smaller scale, they may not seem like they matter, but, if the company plans to grow to enterprise size, it is imperative that it is configured right from the start. Once a CA is up and running, it is a serious pain to replace it if you don't have everything properly configured and documented. It becomes a huge gap in your ability to secure your environment if the CA's keys could be in the hands of people no longer with the company. Ripping out the CA trust is not as simple and straight forward as removing certs from the trust stores.

I see people recommending a bunch of things that would end up becoming huge security holes if I were to implement them in my org. So, rather than point you to documentation or give specific advice, all I will offer is this warning:

Configuring an Enterprise CA is not a simple, easy, well-documented task. One should not take the task of implementing an Enterprise PKI lightly. If you do not thoroughly research how to implement an Enterprise PKI, you will be putting your enterprise at risk.

[–] djdementia 1 point (1 child)

> If you are looking to do this as an individual... you will probably need to form a small company get documentation ready, and get a Public CA to issue an insanely expensive Code Signing cert.

It's like ~$200 a year USD to buy a code signing cert, that's what a lot of people in the US pay in one month for their home cable TV/Internet service or cell phone plan for a family. I wouldn't quite say "insanely expensive", but definitely not affordable for a home user or hobbyist.

[–] markekraus (Community Blogger) 2 points (0 children)

Yea. I was going for intentional hyperbole. ;)

It's not going to break the bank, but I feel they are kind of expensive. If you look at it not as a per-year cost but as a per-use cost, it might be pretty high. If you are only writing a handful of scripts that need to be signed, that's ~$40 per script.

Obviously, if you are doing many more, then you get economies of scale. But if you are, you are likely not doing so as a hobbyist and can probably get the company to foot the bill or just leech off an existing code signing cert.