powershell 签名脚本无法在不同的域中运行

tag-icon tag-icon powershell certificate digital-signatures
powershell 签名脚本无法在不同的域中运行

因此我使用这个不错的教程对 powershell 脚本进行了签名 https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html 我已对一个脚本进行了签名,该脚本在任何地方都能正常运行,甚至在其他域中也是如此。今天,我使用相同的命令和证书对另一个脚本进行了签名,但它只能在同一个域中运行,而不能在其他地方运行!在另一个环境中,我收到此错误:

.\ITMuninstall.ps1 : File C:\temp\ITMuninstall.ps1 cannot be loaded. The contents of file C:\temp\ITMuninstall.ps1 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system.

我刚刚复制了文件,发现文件大小完全相同(以字节为单位),哈希值怎么可能不匹配呢?在我看来,代码中没有特殊字符。

编辑:filehash 检查:在我签名的域中的服务器上它运行良好:

PS Microsoft.PowerShell.Core\FileSystem::\tsclient\h\packages> Get-ExecutionPolicy AllSigned PS Microsoft.PowerShell.Core\FileSystem::\tsclient\h\packages> .\ITMuninstall.ps1 未找到 KNTCMA_Primary 服务。ITM 不存在 PS Microsoft.PowerShell.Core\FileSystem::\tsclient\h\packages> get-filehash .\ITMuninstall.ps1

算法哈希
路径 --------- ---- ---- SHA256 8AD1FDA5C8D90FE3E456B9935F0FAE0CD046F0F803C0BEF88BBEC3C484B6AB33
\tsclient\h\packages\ITMunin...

在不同域中的另一台服务器上,除非我将执行策略从 Allsigned 更改为限制较少,否则我无法运行它(但我无法在任何地方执行此操作):

PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> .\ITMuninstall.ps1
.\ITMuninstall.ps1 : File \\tsclient\h\packages\ITMuninstall.ps1 cannot be loaded. The contents of file \\tsclient\h\pa
ckages\ITMuninstall.ps1 might have been changed by an unauthorized user or process, because the hash of the file does n
ot match the hash stored in the digital signature. The script cannot run on the specified system. For more information,
 run Get-Help about_Signing..
At line:1 char:1
+ .\ITMuninstall.ps1
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\h\packages> Get-FileHash .\ITMuninstall.ps1

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          8AD1FDA5C8D90FE3E456B9935F0FAE0CD046F0F803C0BEF88BBEC3C484B6AB33       \\tsclient\h\packages\ITMunin...

将文件从 UNC 路径复制到 c:\temp 无关紧要

答案1

您需要添加域名以存在现有证书

导入证书并备份

Import-Certificate -FilePath "C:\Users\proxb\Desktop\BackupCert.Cer" -CertStoreLocation 'Cert:\LocalMachine\My' -Verbose

连接后,使用您选择的工具,您可以检查更多这里

$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

相关内容