#Code Signing

A couple questions on code signing:

1. any reason to pick one over the other (digicert, sertigo, etc.)? The prices vary and I am unclear what I get with one over the other...so im wondering if anyone here has any experience in this area

2. signing the code will remove the "untrusted repository" message when installing modules from powershell gallery yes?

3. signing the code will also not trip over the ExecutionPolicy as well correct?

4. is it worth the trouble to sign code that will be published on the gallery?

Thank you in advanced!

1 - Some reps may have better customer support, typically the main ones are mostly fine
2 - No, the trusted repository is based on the PSRepository settings for the user. The PSGallery is untrusted by default and for good reasons
3 - The user still needs to explicitly trust your certificate but it allows them to run it if signing is enforced without them having to sign it themselves
4 - Probably not, way too many hurdles unless you really want to provide a better guarantee that the files were written by yourself.

Keep in mind signatures don't convey trust/security of the code. It is used to prove the code was written by an entity. It is still up to the user whether they trust that entity or not

what about from a "best practice" stance?...to me it looks like signing the code is not worth the trouble...but thats just my opinion and I am curious what the general public thinks\

for 3rd party modules from individuals I would say it's just not worth the trouble

If you have a business or a very popular module then maybe it's worth it

fair point...okay youve convinced me, thank you

If the user still has to manually one-off mark your cert trusted then what’s the point of the CA? Might as well just self-sign.

From a technical perspective the authenticode check that Windows does mandates it. Te trusted publisher stuff sits on top. On an identity side, anyone can generate a cert with any subject, the CA is the entity that Windows trusts to say the subject is verified.

I remembered a post by Chrissy LeMaire back than on the dbatools. Might be interesting to read: https://blog.netnerds.net/2022/06/signing-powershell-modules-github-actions/

How about from a informationsecurity standpoint? Wouldn't it mask the code if a customer has audit turned on? Not talking about apikeys but a internt faced sftp or such

code signing isn't encryption, it masks nothing

Okey good to know, how would one obfuscate the actual code? I understand the contradiction but from an MSP standpoint we want to go be a ghost for customer and their tools

You don’t, it’s too easy and simple to log the code run in powershell so your obfuscation efforts lead to nowhere

And trying to obfuscate thints will probably increase the chances defender or other AVs start to flag your code.

True, then next step could be looking into ansible. Or maybe you know how a runner runs the playbook?

Ansible runs a special script that reads the module and arguments through the input. It just invokes that like a normal script so nothing too special there. The code being run is still logged through scriptblock logging inside powershell. Ultimately relying on obfuscation doesn’t really get you far with powershell due to its nature. If you are relying on people not knowing the code that was run then you might need to rethink the approach

(FYI some info on obfuscation and triggering anti-virus is here https://docs.poshtools.com/powershell-pro-tools-documentation/packaging/anti-virus)

If the reason you want to obfuscate is to hide secrets or whatnot, then you're defintely going about it wrong. If you want to hide intellectual property, well, that's kinda what a license is for.