PowerShell Steps and Authenticode

0

In our environment all PowerShell must be signed; this is enforced via Carbon Black Protect.

When the content of a signed script is placed into the PowerShell step, the resulting user.ps1 has had the leading blank lines and any final line endings removed.

The leading blank line is easy to fix in the original file that was signed, but deleting the final CRLF breaks the Authenticode signature.

Please fix!!!

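To observe the effect described in the post above on a test machine, the following added example (not code from the thread or from the vendor) signs a constructed script with a throwaway self-signed certificate, applies the same trimming, and reports the Authenticode status of both files. The script body, certificate subject and temp paths are assumptions made for the example.

```powershell
# Added example: constructed script, throwaway certificate, temp paths are all assumptions.
$work    = Join-Path $env:TEMP ("sigtest-" + [guid]::NewGuid())
$signed  = Join-Path $work 'signed.ps1'
$trimmed = Join-Path $work 'user.ps1'      # file name taken from the post
New-Item -ItemType Directory -Path $work | Out-Null

# Throwaway code-signing certificate. It is not trusted on this machine, so compare
# the two Status values with each other rather than expecting 'Valid'.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Constructed Test Signer' -CertStoreLocation Cert:\CurrentUser\My

try {
    # Constructed script body with CRLF line endings, then sign it in place.
    [IO.File]::WriteAllText($signed, "Write-Output 'hello'`r`n", [Text.Encoding]::ASCII)
    Set-AuthenticodeSignature -FilePath $signed -Certificate $cert | Out-Null

    # Transformation described in the post: leading blank lines and
    # final line endings are removed from the signed content.
    $text = [IO.File]::ReadAllText($signed)
    $text = ($text -replace '\A(\r?\n)+', '') -replace '(\r?\n)+\z', ''
    [IO.File]::WriteAllText($trimmed, $text, [Text.Encoding]::ASCII)

    # Report size, trailing bytes, hash and signature status for both files.
    foreach ($path in $signed, $trimmed) {
        $bytes = [IO.File]::ReadAllBytes($path)
        $sig   = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File         = Split-Path $path -Leaf
            Length       = $bytes.Length
            EndsWithCRLF = ($bytes.Length -ge 2 -and $bytes[-2] -eq 13 -and $bytes[-1] -eq 10)
            SHA256       = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Status       = $sig.Status
            Message      = $sig.StatusMessage
        }
    }
}
finally {
    # Remove the throwaway certificate and the working directory.
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)
    Remove-Item -Path $work -Recurse -Force
}
```

Pointing the same `foreach` loop at a real signed source file and the deployed `user.ps1` gives a quick check of whether a signature failure comes from trimmed content rather than from certificate trust.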
0

To avoid this, we recommend using the Install Step to run the PS1. This way should allow your signed script to run, and the scripts we use to execute your PS1 in an Install Step are all signed.

We do have some feature requests internally to provide their own certs to sign scripts in the PowerShell step, however, at this time it is only a request and we have no timeline for acceptance/implementation.


0

I know your scripts are signed; we have yet to trust the publisher. InfoSec is not too keen on you feeding the content of a text file to Invoke-Expression.
