Introduction

SOS digitally signs the PowerShell scripts that it offers for download. The signature is embedded in the script itself, in a block of comments that follows the script code.

  • Users can verify a script's signature to prove
    • that the script in fact was created and signed by SOS,
    • that the script's signature is valid.
  • Use the built-in Get-AuthenticodeSignature PowerShell cmdlet for Windows to verify the signature of a given PowerShell script, for example New-JS7WorkflowFromExcel.ps1 available for download from the JS7 - How to import jobs and workflows from Excel article.
    • At the time of writing, the Get-AuthenticodeSignature cmdlet is not available for Unix.
    • For the PowerShell cmdlets offered on the JS7 - Download page, users can apply the instructions in the JS7 - Verifying releases article for Unix and Windows platforms.

Verifying Signatures

The following example shows how to verify a PowerShell script's signature:

Get-AuthenticodeSignature C:\download\New-JS7WorkflowFromExcel.ps1 | Format-List


SignerCertificate      : [Subject]
                           CN=SOS Software- und Organisations-Service GmbH, O=SOS Software- und Organisations-Service GmbH, S=Berlin, C=DE,
                         OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=HRB 21015

                         [Issuer]
                           CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB

                         [Serial Number]
                           4B0F8D82F0B376B297B6EADA4EA6D4EC

                         [Not Before]
                           30.05.2023 02:00:00

                         [Not After]
                           30.05.2026 01:59:59

                         [Thumbprint]
                           2B03EA68F103E80D83228ABCF88A3B448CC8B257

TimeStamperCertificate : [Subject]
                           CN="Sectigo RSA Time Stamping Signer #4", O=Sectigo Limited, S=Manchester, C=GB

                         [Issuer]
                           CN=Sectigo RSA Time Stamping CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB

                         [Serial Number]
                           394C25E17CA06D27A865E23BD91D22D4

                         [Not Before]
                           03.05.2023 02:00:00

                         [Not After]
                           03.08.2034 01:59:59

                         [Thumbprint]
                           AE62AF750A0CBD47D6461F7568E2BC8CE7CA4F94

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\download\New-JS7WorkflowFromExcel.ps1
SignatureType          : Authenticode
IsOSBinary             : False


Explanation:

  • The above output tells you that the signature is valid and has been verified (Status: Valid, StatusMessage: Signature verified.).
  • The SignerCertificate's [Subject] provides the distinguished name of the SOS Code Signing Certificate. The [Issuer] indicates the certificate authority that issued the code signing certificate. The [Not Before] and [Not After] values indicate the validity period of the certificate.
  • The TimeStamperCertificate proves that the PowerShell script was signed using a time stamp server with a valid certificate at the point in time of signing.
  • Should the PowerShell script be downloaded after expiration of the code signing certificate, i.e. after 2026-05-30, then the signature is no longer valid. However, the time stamp server's response tells you that the certificate was valid at the point in time of signing. If the signature is expired but still matches the unchanged PowerShell script, then there is no harm in trusting such scripts.
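The checks described above can be automated so that a downloaded script is only accepted when the signature verifies, the signer is the SOS certificate and a time stamp is present. The following function is an added example and not part of the SOS page or the JS7 product; the function name Test-SOSScriptSignature is an assumption, and the default thumbprint and subject name are taken from the sample output above (they change when SOS renews its certificate, so keep them in sync with the current output).

```powershell
# Added example (not SOS code): verify an SOS PowerShell script and pin the signer.
function Test-SOSScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the SOS code signing certificate as shown in the sample output above.
        [string] $ExpectedThumbprint = '2B03EA68F103E80D83228ABCF88A3B448CC8B257',
        # Common name of the SOS code signing certificate as shown in the sample output above.
        [string] $ExpectedSubjectCN  = 'SOS Software- und Organisations-Service GmbH'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # Status other than Valid: NotSigned, HashMismatch (script was modified after signing),
    # NotTrusted (chain does not end in a trusted root), etc.
    if ($sig.Status -ne 'Valid') {
        $problems += "Status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    if ($null -eq $sig.SignerCertificate) {
        $problems += 'No signer certificate present (script is unsigned)'
    }
    else {
        # A Valid status only proves a trusted chain; pin the signer so that a script
        # signed with some other trusted code signing certificate is not accepted as SOS's.
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            $problems += "Unexpected signer thumbprint $($sig.SignerCertificate.Thumbprint)"
        }
        $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if ($cn -ne $ExpectedSubjectCN) {
            $problems += "Unexpected signer subject '$cn'"
        }
    }

    # Without a counter-signature from a time stamp server the signature cannot be
    # evaluated against the signing time once the code signing certificate has expired.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'No time stamp present'
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage:
# Test-SOSScriptSignature -Path 'C:\download\New-JS7WorkflowFromExcel.ps1' | Format-List
```

The function returns an object rather than throwing, so it can be run over a directory of downloads (`Get-ChildItem *.ps1 | ForEach-Object { Test-SOSScriptSignature $_.FullName }`) and the results filtered on the Trusted property.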

The certificate chain is available from the following certificates:

Further Resources