I am working on a project where we deploy software remotely using configuration management, part of which provides PowerShell scripts for Windows servers, which are then executed to complete parts of our configuration and / or configuration.
The current deployment method writes scripts to disk, but does not close the file descriptor. This was done in order to make the script more "safe", preventing any other process from interfering with the file before executing it. To run the script, PowerShell must read it from stdin, since it does not run the script if it cannot gain exclusive access. The call looks something like this:
powershell.exe -Command - < C:\temp\some_name.ps1
This has a number of disadvantages, first of all, that I can not pass parameters to the script. Also, reading large scripts from stdin becomes funky with bad characters, line returns, etc.
I would like to call scripts in a more traditional method like
powershell.exe -File C:\temp\some_name.ps1 -Param value ...
but also keep yourself in the spirit of nothing to prevent the script from executing. For this purpose, I want to sign a powershell script and run powershell with the "AllSigned" execution policy.
The problem is that I cannot really sign the script on the target server, since it has the same problem as PowerShell running the script ... I need to release an exclusive lock to allow PowerShell to sign the file, but it can to be faked.
Then I decided that if I can sign the script on a server that delivers it to the target machine, which will work much better. However, our configuration management software servers are all Linux, and I was stumped trying to find a way to sign PowerShell scripts on Linux. Mono supports Authenticode, but out of the box it is only for exes and dll. I tried digging into PowerShell.Net functions, but found that they use Cryptui.dll, which is Windows specific.
At this point, I understand that in any case, I can get a signature added to the scripts, otherwise I will have to give up another way to run scripts that are actually not native. If possible, I would like to compute the signature in memory in the string representation of the script, but I will take a file-based method if that's all I can get.