
I write tools for video game studios occasionally. You can’t double-click a ps1 script and have it run, and you need to change the execution policy for PowerShell scripts to run. Those two hurdles for non-technical people mean that we still write batch scripts.



But you can run .ps1 from .bat that you double-click.


That still has the same issue. PowerShell will refuse to run scripts that are not signed by default.


You can use the -ExecutionPolicy argument to get around that.

It's not a security boundary, just something to stop users accidentally opening an email attachment like they will with bat/vbs.


Which is pointless if it's only for PowerShell... But hey, security theater is kinda the MO of Microsoft if you think about rotating password policies which have a maximum password length etc.


Sign the PowerShell script. It’s not that large of a hurdle to get a code signing cert, though it certainly isn’t trivial.


Code signing certs must have the key HSM’d these days. It’s a big hurdle.


You have to go through a humiliating process to get it as well as pay a few hundred $$$ to one of MS street vendors.


you have to prove who you are, yes. I don't know what you mean in the 2nd half of the sentence.


lemme explain quickly: you have to prove a lot of different things on paper, not just who you are; in reality this is just a money-milking side-hustle business for Microsoft. The process I had to go through had many different steps but in the end it all just relied on a blind trust between me and the vetting team from the first step.


lemme respond quickly: code signing certs are in use by many more than just microsoft. if i want a code signing cert from digicert, microsoft doesn't get any money, digicert does. i can use it for more than just powershell scripts, of course, i can sign anything. they are useful things to have. getting them is a pain in the ass, yes, but it's supposed to be. they want to filter out identity impersonators and do everything they can to issue a cert to a person that is who they say they are. that's the whole point of the cert, so that's why you must show all of that proof.


If you are writing a bat wrapper, you might as well write the wrapper in c# at that point (which I do for anything that requires a condition or a loop)


The threshold you’ve chosen is crazy low, for me.

A condition or a loop? You’re writing everything in C# then. Everything worth writing, anyway.


Pretty much, yep. The batch file is just for pre-providing arguments and checking awkward error codes from robocopy.
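
Added example, not part of any comment in the thread: a PowerShell function that reports, for each .ps1 in a tools folder, its Authenticode signature status, whether it carries a download mark, and whether the machine's effective execution policy would let it run. The function name `Get-ScriptPolicyReport` and the folder path in the usage line are assumptions.

```powershell
# Added example: how does the effective execution policy treat each script?
# Assumption: runs on Windows (NTFS), where the Zone.Identifier stream exists.
function Get-ScriptPolicyReport {
    param(
        [Parameter(Mandatory)][string]$Path   # folder holding the .ps1 tools
    )

    # Effective policy after Group Policy, process, user and machine scopes merge.
    $effective = "$(Get-ExecutionPolicy)"

    Get-ChildItem -Path $Path -Filter *.ps1 -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # ZoneId 3 (Internet) or 4 (Restricted sites) marks a downloaded file.
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier `
                    -ErrorAction SilentlyContinue
        $downloaded = [bool]($zone -match '^ZoneId=[34]$')

        # 'Valid' means the signature verifies and chains to a trusted root.
        $signed = "$($sig.Status)" -eq 'Valid'

        $runs = switch ($effective) {
            'Restricted'   { $false }                        # no scripts at all
            'AllSigned'    { $signed }                       # may still prompt for a new publisher
            'RemoteSigned' { $signed -or -not $downloaded }  # local unsigned files run
            'Unrestricted' { $true }
            'Bypass'       { $true }
            default        { $false }                        # unknown value: report as blocked
        }

        [pscustomobject]@{
            Script          = $_.Name
            SignatureStatus = "$($sig.Status)"
            Signer          = $sig.SignerCertificate.Subject
            Downloaded      = $downloaded
            EffectivePolicy = $effective
            RunsUnderPolicy = $runs
        }
    }
}

# Usage (path is a placeholder):
# Get-ExecutionPolicy -List          # shows which scope sets the policy
# Get-ScriptPolicyReport -Path 'C:\Tools' | Format-Table -AutoSize
```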



