
so I managed to sign a PowerShell script using this nice tutorial https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html I have one script signed and it works fine everywhere, even in other domains. Today I used the same command and cert to sign another script, but it runs only in the same domain and nowhere else! In other environments I get this error:

.\ITMuninstall.ps1 : File C:\temp\ITMuninstall.ps1 cannot be loaded. The contents of file C:\temp\ITMuninstall.ps1 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. 

I have just copied the file and it has exactly the same size in bytes, so how is it possible that the hash does not match?? There are no special characters in the code, it seems to me.

EDIT: file hash check: on a server in the domain where I signed it, it runs fine:

PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> Get-ExecutionPolicy
AllSigned
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> .\ITMuninstall.ps1
KNTCMA_Primary service not found. ITM not present
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> get-filehash .\ITMuninstall.ps1

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          8AD1FDA5C8D90FE3E456B9935F0FAE0CD046F0F803C0BEF88BBEC3C484B6AB33       \\tsclient\h\packages\ITMunin...

On another server in a different domain I cannot run it unless I change the execution policy from AllSigned to something less restrictive (but I cannot do that everywhere):

PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> .\ITMuninstall.ps1
.\ITMuninstall.ps1 : File \\tsclient\h\packages\ITMuninstall.ps1 cannot be loaded. The contents of file \\tsclient\h\pa
ckages\ITMuninstall.ps1 might have been changed by an unauthorized user or process, because the hash of the file does n
ot match the hash stored in the digital signature. The script cannot run on the specified system. For more information,
 run Get-Help about_Signing..
At line:1 char:1
+ .\ITMuninstall.ps1
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> Get-FileHash .\ITMuninstall.ps1

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          8AD1FDA5C8D90FE3E456B9935F0FAE0CD046F0F803C0BEF88BBEC3C484B6AB33       \\tsclient\h\packages\ITMunin...

Copying the file from the UNC path to C:\temp does not matter.

Vitas
  • Compare the hashes of the file on both systems using `Get-FileHash` and check whether the files are identical. – Crypt32 Oct 27 '20 at 15:48
  • Where did you get your code signing certificate? From a 3rd party CA or from your Windows AD Domain Certificate Authority? Make sure the root CA certificate from the issuer of your code signing cert is in the certificate store of the computer where you want to run your script. – Roderick Bant Nov 07 '20 at 16:45
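The two comments above ask for the same thing: confirm the bytes are identical, then look at why the signature check fails. The error text quoted in the question ("hash of the file does not match") is one specific outcome of `Get-AuthenticodeSignature`, distinct from an untrusted chain, so it helps to print both the content hash and the signature status side by side on each machine. The script below is an added diagnostic for that purpose and is not part of the question or of any answer; the script path is a placeholder taken from the question, and the byte-order-mark check is included only because Authenticode hashes a script's decoded text, so differences in how the file is decoded can matter even when `Get-FileHash` is identical on both hosts.

```powershell
# Added diagnostic, not from the original post. Run it on the machine where the
# script works and on one where it fails, then compare the output line by line.
function Test-ScriptSignatureTrust {
    param(
        # Placeholder path from the question; adjust as needed.
        [string]$Path = 'C:\temp\ITMuninstall.ps1'
    )

    # 1. Raw content hash: if this matches on both hosts, the bytes are identical
    #    and a modified file is ruled out.
    $fileHash = Get-FileHash -Path $Path -Algorithm SHA256
    "File SHA256 : $($fileHash.Hash)"

    # 2. Encoding marker: Authenticode hashes the decoded script text, so record
    #    whether the file carries a BOM. A file without one is decoded with the
    #    local ANSI code page, which can differ between systems.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $bom = if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { 'UTF-8 with BOM' }
           elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'UTF-16 LE with BOM' }
           else { 'no BOM (decoded as ANSI/default code page)' }
    "Encoding    : $bom"
    "PowerShell  : $($PSVersionTable.PSVersion)"
    "Policy      : $(Get-ExecutionPolicy)"

    # 3. Signature verdict. Status values to expect: Valid, NotSigned, HashMismatch,
    #    NotTrusted, UnknownError. HashMismatch is the one behind the error in
    #    the question; NotTrusted/UnknownError point at the certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    "Sig status  : $($sig.Status) - $($sig.StatusMessage)"
    if (-not $sig.SignerCertificate) { return $sig.Status }

    "Signer      : $($sig.SignerCertificate.Subject)"
    "Issuer      : $($sig.SignerCertificate.Issuer)"
    "Cert expiry : $($sig.SignerCertificate.NotAfter)"
    "Timestamped : $([bool]$sig.TimeStamperCertificate)"

    # 4. Build the chain locally and report which links this machine cannot trust,
    #    plus where (if anywhere) each chain certificate sits in the machine stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the test offline-friendly
    $null = $chain.Build($sig.SignerCertificate)
    foreach ($cs in $chain.ChainStatus) {
        "Chain issue : $($cs.Status) - $($cs.StatusInformation.Trim())"
    }
    foreach ($el in $chain.ChainElements) {
        $thumb = $el.Certificate.Thumbprint
        $found = foreach ($store in 'Root', 'CA', 'TrustedPublisher') {
            if (Test-Path "Cert:\LocalMachine\$store\$thumb") { "LocalMachine\$store" }
        }
        $where = if ($found) { $found -join ', ' } else { 'not in Root/CA/TrustedPublisher' }
        "Chain cert  : $($el.Certificate.Subject) -> $where"
    }
    return $sig.Status
}

Test-ScriptSignatureTrust
```

Read the output as a checklist: identical `File SHA256` on both hosts but a `HashMismatch` status means the signature block itself no longer matches how this machine decodes and hashes the script (compare the `Encoding` and `PowerShell` lines), whereas `NotTrusted` or `UnknownError` with a `Chain issue` line means the issuing CA is missing from the local stores, which is what the second comment is asking about.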

1 Answer


You need to add a domain to an existing certificate.

Import certificates and back them up:

Import-Certificate -FilePath "C:\Users\proxb\Desktop\BackupCert.Cer" -CertStoreLocation 'Cert:\LocalMachine\My' -Verbose

After joining, with the tool of your choice, you can check more here:

$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 
Glorfindel
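The answer imports a certificate into `Cert:\LocalMachine\My`, which is the personal store. For a script signed in one domain to pass an `AllSigned` check on a machine in another domain, what that machine needs is the chain: the issuing CA in `Root` (and any intermediate in `CA`), and the signing certificate in `TrustedPublisher` so the policy does not stop at the "untrusted publisher" prompt. The function below is an added example, not the answerer's code; the `.cer` file names are placeholders for certificates exported (public part only) from the signing domain, and it finishes by re-running `Get-AuthenticodeSignature` so the change can be verified immediately.

```powershell
# Added example, not from the answer above. Requires an elevated session for the
# LocalMachine stores. File names are placeholders for exported public certs.
function Install-ScriptSignerTrust {
    param(
        [Parameter(Mandatory)][string]$RootCaPath,        # e.g. RootCA.cer (placeholder)
        [string]$IntermediateCaPath,                       # optional, e.g. IssuingCA.cer
        [Parameter(Mandatory)][string]$SignerCertPath,    # e.g. CodeSign.cer (placeholder)
        [string]$ScriptPath                                # optional script to verify afterwards
    )

    # Root store: lets the chain build; without it the signature reports NotTrusted.
    $root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root
    "Root CA            : $($root.Subject) [$($root.Thumbprint)]"

    # CA store: intermediates go here, not in Root.
    if ($IntermediateCaPath) {
        $inter = Import-Certificate -FilePath $IntermediateCaPath -CertStoreLocation Cert:\LocalMachine\CA
        "Intermediate CA    : $($inter.Subject) [$($inter.Thumbprint)]"
    }

    # TrustedPublisher store: this is what AllSigned consults, so signed scripts
    # run without the interactive "run software from this untrusted publisher" prompt.
    $pub = Import-Certificate -FilePath $SignerCertPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
    "Trusted publisher  : $($pub.Subject) [$($pub.Thumbprint)]"

    # Verify the result on a real script rather than assuming the import was enough.
    if ($ScriptPath) {
        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        "Signature status   : $($sig.Status) - $($sig.StatusMessage)"
        return $sig.Status
    }
}

# Example invocation with placeholder paths:
# Install-ScriptSignerTrust -RootCaPath 'C:\certs\RootCA.cer' `
#                           -SignerCertPath 'C:\certs\CodeSign.cer' `
#                           -ScriptPath 'C:\temp\ITMuninstall.ps1'
```

Only the public certificates are distributed this way; the signing key itself stays on the machine that signs. If the verification step still returns `HashMismatch` after the chain is trusted, the problem is not trust but the signature block versus the script content, and the encoding and PowerShell version on the failing host are the next things to compare.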