
PowerShell init script #136

Closed
Jackbennett opened this issue Feb 4, 2014 · 11 comments
Assignees
Labels
👀 Awaiting Response Waiting to hear back from the issue reporter. 🍰 Component: PowerShell

Comments

@Jackbennett
Contributor

I want to have a look at getting PowerShell to the same usable state CMD+clink is in, because I think it's just better, but anyway:

If you download Cmder, run a build/install script I'm thinking it could generate its own certificate, sign itself as the host user account, then sign the Cmder scripts it needs to run.

That way;

  1. We aren't using some global cert we can execute any code through for all time
  2. There isn't 1 cert to steal to run any code on all the users machines
  3. We keep the user execution policy of RemoteSigned, which is [the best state][1] for a developer. Maybe even AllSigned, as anyone who's a PowerShell dev will set it anyway.

Some Cons;

  1. Almost certainly won't be portable.*
  2. It's an extra step between download -> run, but it wouldn't have to hinder.
  3. I guess Cmder might have to include OpenSSL to make the cert? The git build already comes with it and could use that.

Pros:

  1. Doesn't have to affect users who stick to cmd + clink land
  2. Fire and forget powershell setup

*Maybe it's ok to sign scripts for Cmder itself the one time it's run. You have to add this cert to the host computer; is that acceptable for any computer you can walk up to with a pendrive and "run as admin"?

I would love to wrap the ISE in Conemu but the ISE won't do interactive consoles so that's using git out. It would be sweet if someone could just rip the ISE engine with intellisense and syntax highlighting to use in a console window.

[1]: http://technet.microsoft.com/en-us/library/hh847748.aspx - search for "2012 R2"
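The build/install flow proposed above (per-user self-signed cert, sign the Cmder scripts, keep RemoteSigned), as an added example that is not part of the original issue or Cmder's own code. It assumes Windows 10 / PowerShell 5.1 or later, where `New-SelfSignedCertificate` supports `-Type CodeSigningCert`; `init.ps1` is a hypothetical script path.

```powershell
# Added example, not Cmder code: create a code-signing cert for the current user only,
# trust it for that user, sign one script, then verify the signature chains to that cert.
param(
    [string]$ScriptPath = "$PSScriptRoot\init.ps1",                 # hypothetical script to sign
    [string]$Subject    = "CN=Cmder Local Signing ($env:USERNAME)"  # per-user, per-machine cert
)

# 1. Code-signing cert in the user's personal store. No admin rights are needed for CurrentUser.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 2. Trust the public half for this user: Root so the chain validates, TrustedPublisher so
#    AllSigned/RemoteSigned does not prompt. Only the certificate (no private key) is exported.
#    Adding to CurrentUser\Root triggers an interactive consent dialog from Windows.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($cert.Export('Cert'))
foreach ($storeName in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store ($storeName, 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($public)
    $store.Close()
}

# 3. Sign the script with SHA-256. No timestamp server, so this works offline; the signature
#    will stop validating when the cert expires, which is acceptable for a per-install cert.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 4. Verify: status must be Valid and the signer must be exactly the cert created above,
#    so a script re-signed by some other trusted publisher is noticed.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected signature state: $($check.Status), signer $($check.SignerCertificate.Thumbprint)"
}
"$ScriptPath signed and verified with thumbprint $($cert.Thumbprint)"

# 5. Show the effective policy per scope. RemoteSigned is enough for scripts signed locally,
#    and AllSigned would now accept them too because the cert sits in TrustedPublisher.
Get-ExecutionPolicy -List
```

Removing the cert from `Cert:\CurrentUser\Root` and `Cert:\CurrentUser\TrustedPublisher` undoes the trust; the private key never leaves `Cert:\CurrentUser\My`, which is what keeps one stolen cert from signing code for every user's machine.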

@samvasko
Contributor

samvasko commented Feb 4, 2014

First of all, I think this is an amazing and clever idea. But this section confused me:

Restricted
     - Default execution policy in Windows 8, 
       Windows Server 2012, and Windows 8.1.

Does this mean that even signed PS scripts will be refused on win8?

I will follow up on more stuff tomorrow.

@Jackbennett
Contributor Author

Yep. With Restricted you can only use the PowerShell console; .\myscript.ps1 will not execute.
I think signing is just the same as SSL for websites, I've done it in my network for logon scripts so far. Next will be to sign my backup scripts.

I assume this is so you can't sign a script with a stolen cert or one that's from the trusted root publishers and run some of the more "drive by" type exploits people did with report.doc.bat emails.

MS are pretty adamant the execution policy IS NOT a security measure, it's more to stop people shooting themselves in the foot. Maybe this was the deal the MS PS team had to make to get PS shipped by default in windows. They've lowered the policy for server 12 R2 so that's hopefully a sign of things to come. Since you can't manage server core without it.

The concept seems similar to Linux's way of making the user chmod +x shell scripts.

Plus there's the whole alternate data streams thing, where Windows knows files are from the internet and has them blocked until you unblock them. But signing might go around that. Needs testing.

@samvasko
Contributor

samvasko commented Feb 5, 2014

I just renamed the issue

@Maximus5
Contributor

Maximus5 commented Feb 7, 2014

BTW, I'm running my "portable" PowerShell with the following batch:
https://gist.github.com/Maximus5/8870838
And here is the task content:
RunPS.cmd -cur_console:P: -ExecutionPolicy RemoteSigned
Of course, PowerShell must be installed on your PC, but the profile can be located on your USB stick...

@Maximus5
Contributor

Maximus5 commented Feb 7, 2014

> if someone could just rip the ISE engine with intellisense and syntax highlighting to use in a console window.

Have you tried PowerTab or PSReadLine extensions?

@Jackbennett
Contributor Author

This still needs a solid answer but referencing #100 for future work.

@Izzmo

Izzmo commented Nov 7, 2017

There is a circular loop on #100 to #136 and back to #100 (this one).

Should one of these tickets still be opened?

@Jackbennett
Contributor Author

Looks like it was more to have the related discussion included, as it's not directly a follow-on.

Basically I just don't have a good answer for signing. It's kind of a misfeature.

@Izzmo

Izzmo commented Nov 7, 2017

Ah, gotcha. Yeah.. seems like someone just needs to inject some money into this project 😃

@stale

stale bot commented May 25, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contribution.

@stale stale bot added the 👀 Awaiting Response Waiting to hear back from the issue reporter. label May 25, 2019
@stale

stale bot commented Jun 1, 2019

This issue has been automatically closed due to it not having any activity since it was marked as stale. Thank you for your contribution.

@stale stale bot closed this as completed Jun 1, 2019