Trusting Downloaded Scripts

by Apr 4, 2018

Scripts downloaded from the Internet may well be infected with malware or come from an illegitimate source. Digital signatures add an extra layer of trust and protection.

As an example, we’ll examine the official “Chocolatey” installation script which is available for download here:

https://chocolatey.org/install.ps1

When you open this URL in your browser, you'll see a rather lengthy PowerShell script, and you would now have to carefully examine every single line to make sure it is intact and does nothing malicious before you can run it.

Fortunately, at the end of the script you see a long comment block. This is a digital signature. To find out whether you can trust this script and whether it is untampered, you must save the code to a file. Then, you can validate the signature:

# save script to file
$url = 'https://chocolatey.org/install.ps1'
$outPath = "$env:temp\installChocolatey.ps1"
Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $outPath

# test signature
Get-AuthenticodeSignature -FilePath $outPath

The result looks similar to this:

    Directory: C:\Users\tobwe\AppData\Local\Temp


SignerCertificate                         Status         Path
-----------------                         ------         ----
493018BA27EAA09B895BC5660E77F694B84877C7  Valid          installChocolatey.ps1

If the column "Status" reports "Valid", then you know:

  • The file is untampered and in its original form
  • The file was signed with the certificate reported in "SignerCertificate"

Of course you do not know who "493018BA27EAA09B895BC5660E77F694B84877C7" is, but you do know that Windows considers this certificate trustworthy, so you are fairly safe to run this script (if you'd like to know who 493018BA27EAA09B895BC5660E77F694B84877C7 really is, check out tomorrow's tip).

Here are other possible values for "Status":

  • HashMismatch: the content of the file was manipulated after it was signed. This is highly suspicious.
  • Unknown: the certificate used for the signature is not trusted. Anyone could have signed this file, so the signature is worthless for you.
  • NotSigned: the script has no signature.

If "Status" reports anything different from "Valid", the signature is worthless for you, and you'd have to manually examine and test the code before you can run it.

If "Status" reports "Valid", then you can positively identify the person that created the script, and you can safely assume that it wasn't changed or altered by someone else. A valid signature does not guarantee, though, that a script is completely harmless.
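The following function wraps the download-and-verify steps above into one reusable check and handles each "Status" value separately. It is an added example, not code from the original tip; the function name, the optional thumbprint pin (compare against the value you saw under "SignerCertificate") and the -Run switch are my own additions.

```powershell
function Test-DownloadedScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        # Optional: a thumbprint you have seen and recorded before (assumption, not from the tip).
        # If given, the script is only run when the signer matches this thumbprint.
        [string]$ExpectedThumbprint,
        # Only execute the script when this switch is present; the default is verify-only.
        [switch]$Run
    )

    # Download to a random temp file name so nothing can pre-place a file at a known path.
    $outPath = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.ps1')
    Invoke-WebRequest -UseBasicParsing -Uri $Url -OutFile $outPath

    # Get-AuthenticodeSignature checks the embedded signature block and the certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $outPath

    switch ($sig.Status) {
        'Valid' {
            $thumb = $sig.SignerCertificate.Thumbprint
            Write-Host "Valid signature. Signer subject: $($sig.SignerCertificate.Subject)"
            Write-Host "Signer thumbprint: $thumb"
            # -ne is case-insensitive in PowerShell, so upper/lower-case hex both match.
            if ($ExpectedThumbprint -and ($thumb -ne $ExpectedThumbprint)) {
                Write-Warning "Signer thumbprint differs from the expected value; not running."
                return $sig
            }
            if ($Run) { & $outPath }
        }
        'HashMismatch' { Write-Warning "File content was altered after signing. Do not run it." }
        'NotSigned'    { Write-Warning "File is not signed; review the code manually before running." }
        default        { Write-Warning "Signature cannot be trusted (Status: $($sig.Status)). Review manually." }
    }
    return $sig
}

# Verify only (no execution), then inspect the returned signature object.
$result = Test-DownloadedScriptSignature -Url 'https://chocolatey.org/install.ps1'
$result | Format-List Status, StatusMessage, SignerCertificate
```

Pass -Run together with -ExpectedThumbprint to execute the script only when both the chain validation and your own pinned signer agree.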
