Signing and Verifying Script Files with Scripting.Signer object
M. Gallant 06/10/2002
Windows Script 5.6 introduces the capability to digitally sign win32 script files (wsf, vbs, vbe, js, jse) as well as the previously supported file types for Authenticode signatures (.exe, .dll, .ocx, .cab, .cat, .ctl types). Windows XP extends this security infrastructure with Software Restriction Policy technology.
The Scripting.Signer object provided by wshext.dll allows scripting of the basic file and string digital-signature processes, and of signature verification. This approach can be used to sign and verify ANY file type that supports Authenticode signatures, and lets developers easily build CryptoAPI- and signature-aware applications and utilities. The basic script appended at the bottom of this page demonstrates how to digitally sign another script file (in this case, the vbs script ShowMyShares.vbs) and then verify its signature. The SignFile() method signs the script using a code-signing certificate (in this case, one with Common Name "Security Development" contained in the default system keystore). The signed script is subsequently verified using the VerifyFile() method.
The code-signing certificate used to sign the target script ShowMyShares.vbs was issued by an enterprise Certificate Authority (CA). Proper verification of any digitally signed file requires verification of the issuing CA, so you must import this root CA certificate if you wish to test the signed script ShowMyShares.vbs provided here for testing and evaluation purposes:
Root CA certificate (ou=NorlockPKI,o=Nortel External)
SHA-1 Fingerprint: 3182 409C C8FC 6F86 2510 1424 37A4 3C6B A891 1068
Some interesting things to try:
- in the signed script ShowMyShares.vbs, add a space anywhere in the script body and verify.
- edit the script back to its exact original form and reverify.
- change the showGUI boolean parameter to True and explore the results.
Script Security Documentation
'*******************************************************************
' File: wshsign.vbs (WSH for VBscript)
' Author: (c) M. Gallant 12/03/2000
'
' Demonstrates Windows Script 5.6 b1 digital signing and
' signature verification using Scripting.Signer object.
'
' (1) Digitally signs file "ShowMyShares.vbs" in current script
' directory, using existing certificate in certificate default
' store with cn (Common Name) "Security Development"
' (2) Checks digital signature applied to "ShowMyShares.vbs" file
' in current script directory.
'
' Signing certificate issued by "ou=NorlockPKI,o=Nortel External"
' This root CA certificate available from:
' http://www.nortelnetworks.com/help/certificates/
'********************************************************************
Option Explicit
Dim oScrSig, oFso, sigfile, sigstatus, scriptpath, showGUI
Const ftotest = "ShowMyShares.vbs"
showGUI = False ' True pops up the Windows security dialog during verification
set oScrSig = WScript.CreateObject("Scripting.Signer")
set oFso = WScript.CreateObject("Scripting.FileSystemObject")
' Locate the target file in the same directory as this script.
scriptpath = oFso.GetParentFolderName(WScript.ScriptFullName) & "\"
sigfile = scriptpath & ftotest
oScrSig.SignFile sigfile, "Security Development" ' sign the file with the cert whose CN is "Security Development".
sigstatus = oScrSig.VerifyFile(sigfile, showGUI) ' verify the signature; returns True only if it validates and chains to a trusted root.
If sigstatus then
WScript.Echo "Signature verified for " & ftotest
Else
WScript.Echo "Signature **FAILED** verification for " & ftotest
End If
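As an added example (not part of the original page or the author's script), the following uses the string-based Sign()/Verify() methods of Scripting.Signer, which the text mentions alongside the file-based ones, to reproduce the "add a space and verify" experiment in memory: the script body is signed as a string, verified, then altered by one character and verified again. It assumes the same ShowMyShares.vbs file and "Security Development" certificate as the article, and writes the signed copy to a new file name (ShowMyShares.signed.vbs) chosen here so the original is left untouched.

```vbscript
' Added example: sign script text as a string, verify it, then show that a
' one-character change makes the same signature fail verification.
Option Explicit
Dim oSigner, oFso, oStream, scriptPath, srcText, signedText, tampered

Const ftotest = "ShowMyShares.vbs"      ' target file from the article
Const certCN  = "Security Development"  ' code-signing cert CN from the article
Const showGUI = False                   ' True shows the Windows security dialog

Set oSigner = WScript.CreateObject("Scripting.Signer")
Set oFso    = WScript.CreateObject("Scripting.FileSystemObject")
scriptPath  = oFso.GetParentFolderName(WScript.ScriptFullName) & "\"

' Read the unsigned script body into a string (1 = ForReading).
Set oStream = oFso.OpenTextFile(scriptPath & ftotest, 1)
srcText = oStream.ReadAll
oStream.Close

' Sign(extension, text, certName) returns the text with a signature block
' appended as comments; the extension selects the comment syntax.
signedText = oSigner.Sign("vbs", srcText, certCN)

' Verify(extension, text, showUI) returns True only when the signature
' matches the text and the signing cert chains to a trusted root CA
' (hence the article's note about importing the issuing root certificate).
WScript.Echo "Signed text verifies:   " & oSigner.Verify("vbs", signedText, showGUI)

' The article suggests adding a space anywhere in the body; a single
' prepended space changes the hash the signature covers.
tampered = " " & signedText
WScript.Echo "Tampered text verifies: " & oSigner.Verify("vbs", tampered, showGUI)

' Persist the signed copy under a new name (assumed here) so it can be
' checked later with VerifyFile without modifying the original.
Set oStream = oFso.CreateTextFile(scriptPath & "ShowMyShares.signed.vbs", True)
oStream.Write signedText
oStream.Close
```

Run it with cscript.exe from the directory containing ShowMyShares.vbs; the first Verify reports True and the second False, the same outcome the file-based experiment in the article produces.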