Digitally Signing Scripts

Microsoft® Windows® 2000 Scripting Guide

Digital signatures (introduced with WSH 5.6) provide a way for you to verify who authored a script, as well as a way to guarantee that a script has not been altered since it was written and signed. This does not necessarily mean that the script is "safe"; after all, virus writers can obtain digital signatures, too. However, digital signatures do provide two measures of protection:

  • You can specify which script authors are to be trusted and which ones are not. For example, you can specify that only scripts signed using a certificate issued by trusted authorities can be run in your organization. If you list Verisign as the only trusted authority, then only scripts signed with a certificate issued by Verisign will be considered safe and will be able to run. (Of course, if a hacker has obtained a certificate from Verisign, then any scripts he or she writes will be considered safe, whether they actually are or not.)

  • You can be assured that the script has not been changed since the time it was written and signed. If you know that the script ThirdPartyScript.vbs is safe to use within your organization, you can distribute that script with the knowledge that no one can modify the script without violating the digital signature. When a script is signed, a "hash" is derived and used to verify the signature. If the script has been modified in any way, the hash will be invalid, and the script will be reported as having been altered in some way.

When a script is signed, the digital signature is appended to the end of the file as a set of comments. Adding the signature as commented lines ensures that the script can still be run using previous versions of WSH (these versions will see the additional lines as comments rather than as a digital signature). A signature might look like this:

'' SIG '' Begin signature block
'' SIG '' MIIC8AYJKoZIhvcNAQcCoIIC4TCCAt0CAQExDjAMBggq
'' SIG '' hkiG9w0CBQUAMGYGCisGAQQBgjcCAQSgWDBWMDIGCisG
'' SIG '' AQQBgjcCAR4wJAIBAQQQTvApFpkntU2P5azhDxfrqwIB
'' SIG '' AAIBAAIBAAIBAAIBADAgMAwGCCqGSIb3DQIFBQAEEPC2
'' SIG '' QdSn0Xnjl7nT/Xwadl2gggF6MIIBdjCCASCgAwIBAgIQ
'' SIG '' NeMgQmXo1o1F8M6hs6TX1jANBgkqhkiG9w0BAQQFADAW
'' SIG '' MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wMDEyMjEy
'' SIG '' MzUxMTJaFw0zOTEyMzEyMzU5NTlaMBUxEzARBgNVBAMT
'' SIG '' Ck15IENvbXBhbnkwXDANBgkqhkiG9w0BAQEFAANLADBI
'' SIG '' AkEAx/bBOOqOzdHk2EfxXloUaGo9PtI/HSJ9LQSXkhF7
'' SIG '' neEf4Qy+oyA7NImnOacI+1HDCOAPeKgGJIvaFcZs0BuM
'' SIG '' iQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCN
'' SIG '' YSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mC
'' SIG '' EAY3bACqAGSKEc+41KpcNfQwDQYJKoZIhvcNAQEEBQAD
'' SIG '' QQA6/fIIDKycSp2DdBT/A3iUSxoiu2BqmEEpVoGKE5yY
'' SIG '' CA3MDWuI29RRvgNJ2oQasb8rZiD5dEexGK3rWEQGV6r+
'' SIG '' MYHhMIHeAgEBMCowFjEUMBIGA1UEAxMLUm9vdCBBZ2Vu
'' SIG '' Y3kCEDXjIEJl6NaNRfDOobOk19YwDAYIKoZIhvcNAgUF
'' SIG '' AKBOMBAGCisGAQQBgjcCAQwxAjAAMBkGCSqGSIb3DQEJ
'' SIG '' AzEMBgorBgEEAYI3AgEEMB8GCSqGSIb3DQEJBDESBBCV
'' SIG '' t6owbn7YLnkAnCqiDdINMA0GCSqGSIb3DQEBAQUABECe
'' SIG '' xmfNlmrIls2kFkyhXOWKicnpOk5iW4twTRNAc4LAkO8M
'' SIG '' uk0ZBCBgR5XC8F7slEMfWCG9R7129EUF4vFhZToK
'' SIG '' End signature block
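The following parser, added here as an example rather than taken from the Scripting Guide, splits a signed script into the text the signature covers and the PKCS#7 blob carried in the `'' SIG ''` comment block, and reads the ContentInfo type from the blob's DER encoding. The sample script and its blob are constructed (a hand-built SignedData header with dummy content); the cryptographic check of a real signature is done by WSH on Windows (the Scripting.Signer object's VerifyFile method), which this code does not replace.

```python
# Added example (not from the Scripting Guide): recover the signed text and the
# PKCS#7 blob from a WSH '' SIG '' block, then read the outer ContentInfo type.
import base64

SIG = "'' SIG '' "
BEGIN, END = SIG + "Begin signature block", SIG + "End signature block"
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"   # PKCS#7 signedData

def split_signed_script(text):
    """Return (body, blob); blob is None unless a well-formed block ends the file."""
    lines = text.splitlines()
    start = lines.index(BEGIN) if BEGIN in lines else -1
    # Block must be last, and every line from Begin to End must be a '' SIG '' line
    if start < 0 or lines[-1] != END or any(not ln.startswith(SIG) for ln in lines[start:]):
        return text, None
    try:
        blob = base64.b64decode("".join(ln[len(SIG):] for ln in lines[start + 1:-1]), validate=True)
    except ValueError:                     # non-base64 garbage inside the block
        return text, None
    return "\n".join(lines[:start]) + "\n", blob

def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def content_type_oid(blob):
    """OID of the outer ContentInfo: SEQUENCE { OID contentType, [0] content }."""
    tag, pos, _ = _tlv(blob, 0)            # outer SEQUENCE
    oid_tag, start, end = _tlv(blob, pos)  # contentType OID
    if tag != 0x30 or oid_tag != 0x06:
        return None
    raw, parts, acc = blob[start:end], [blob[start] // 40, blob[start] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

# Constructed sample: a one-line script plus a hand-built ContentInfo header
# (SEQUENCE { OID signedData, [0] one dummy byte }); it is not a real signature.
SAMPLE_BLOB = bytes.fromhex("300e06092a864886f70d010702a00100")
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE = "\n".join(['WScript.Echo "Hello"', BEGIN]
                   + [SIG + SAMPLE_B64[i:i + 44] for i in range(0, len(SAMPLE_B64), 44)] + [END]) + "\n"
```

A line inserted anywhere inside the block, or a block that is not the last thing in the file, makes `split_signed_script` return no blob, which is the structural counterpart of the hash mismatch described above.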