Scripts downloaded via Internet have a great potential of being infected with malware, or originate from illegitimate sources. Digital signatures can help add an extra layer of trust and protection.
As an example, we'll examine the official "Chocolatey" installation script, which is available for download at https://chocolatey.org/install.ps1 (the same URL used in the code below).
When you open this URL in your browser, you'll see a rather lengthy PowerShell script, and you would now have to carefully examine every single line to ensure it is intact and does nothing malicious before you can run it.
Fortunately, at the end of the script you see a long comment block. This is a digital signature. To find out whether you can trust this script and whether it is untampered, you must first save the code to a file. Then you can validate the signature:
# save script to file
$url = 'https://chocolatey.org/install.ps1'
$outPath = "$env:temp\installChocolatey.ps1"
Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $outPath
# test signature
Get-AuthenticodeSignature -FilePath $outPath
The result looks similar to this:
SignerCertificate Status Path
----------------- ------ ----
493018BA27EAA09B895BC5660E77F694B84877C7 Valid installChocolatey.ps1
If the column "Status" reports "Valid", then you know:
Of course you do not know who "493018BA27EAA09B895BC5660E77F694B84877C7" is, but you do know that Windows considers this certificate trustworthy, so you are fairly safe to run this script (if you'd like to know who 493018BA27EAA09B895BC5660E77F694B84877C7 really is, check out tomorrow's tip).
Here are other possible values for "Status":
If "Status" reports anything other than "Valid", the signature is worthless to you, and you would have to manually examine and test the code before you can run it.
If "Status" reports "Valid", then you can positively identify the person who created the script, and you can safely assume that it wasn't changed or altered by someone else. A valid signature does not guarantee, though, that a script is completely harmless.
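The check described above, wrapped into a reusable verdict and extended to show that tampering is detected, as an added example that is not part of the original tip (the function name Test-ScriptSignature is hypothetical; the URL is the one the tip uses):

```powershell
# Added example (not from the original tip): verify a downloaded script's
# Authenticode signature and only run it when the status is "Valid".
# Test-ScriptSignature is a hypothetical helper name chosen for this demo.

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is a SignatureStatus enum: Valid, NotSigned, HashMismatch,
    # NotTrusted, UnknownError, NotSupportedFileFormat, Incompatible.
    # SignerCertificate is $null for unsigned files, so those fields stay empty.
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Subject    = $sig.SignerCertificate.Subject
        IsTrusted  = ($sig.Status -eq 'Valid')
    }
}

$url     = 'https://chocolatey.org/install.ps1'
$outPath = Join-Path $env:TEMP 'installChocolatey.ps1'
Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $outPath

# 1. Check the file exactly as downloaded
$result = Test-ScriptSignature -Path $outPath
$result | Format-List

# 2. Show that the signature covers the content: a copy with one extra line
#    (constructed for this demo) no longer matches the signed hash, so its
#    Status is reported as HashMismatch rather than Valid.
$tamperedPath = Join-Path $env:TEMP 'installChocolatey-modified.ps1'
$content = Get-Content -Path $outPath
@('# extra line added for the tamper demo') + $content |
    Set-Content -Path $tamperedPath
Test-ScriptSignature -Path $tamperedPath | Format-List Path, Status, Message

# 3. Gate execution on the verdict instead of running the download blindly
if ($result.IsTrusted) {
    Write-Host "Signature valid, signed by: $($result.Subject)"
    # & $outPath   # uncomment to actually run the verified script
} else {
    Write-Warning "Signature status '$($result.Status)': $($result.Message). Not running."
}
```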