Forez wrote: ↑23.10.2023, 19:55
TK87 wrote: ↑22.10.2023, 20:33
If you have previously executed the scripts via the context menu, the execution policy got bypassed there.
You mean the shell menu of the operating system? So far I never had any script added to it.
You said...
I have an A-OK working PowerShell script.
... so how did you confirm that your script was working ok? Somehow you must have executed it before. I guessed that you used the option from the context menu to do this (right click on the .ps1 file and then "Run with PowerShell").
So Windows differentiates between downloaded files [and those copied from e.g. a thumb drive] based on I-forgot-how-it-is-called-as-I-vaguely-just-remembered-it-exists-at-all feature?
Yes. If you download a program or script from the Internet (this includes mail clients and instant messengers), Windows adds an appropriate file attribute to the file.
These programs or scripts can then only be executed if they are either signed by a verified publisher or the block status has been manually removed.
Since code-signing certificates cost money, many manufacturers of free programs circumvent this problem by making the program only available for download in zipped form. If you unzip the file, Windows will not be able to determine where the program came from.
But how does the system validate a PS1 file? Is it not possible to just open a PS1 file in Notepad to maliciously adjust it - and then put it on the Internet posing as a verified publisher?
Signing a script is the same as signing a program. A signature block is attached to the script, which is generated from the SSL certificate and the hash value of the script. You can open and edit the .ps1 file, but as soon as you change even a single character, the signature becomes invalid and the script must be re-signed.
If you want to try it yourself, Chocolatey has a signed install script, for example:
https://community.chocolatey.org/install.ps1
Save it and look at the digital signature in the file properties. Then change it and look at it again. The digital signature becomes invalid.
Regards, Thomas
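
The check described in the reply above, done from a PowerShell prompt instead of the file properties dialog. This is an added example, not part of the original post: the function names `Get-ScriptTrustInfo` and `Compare-TamperedCopy` are made up for illustration, and it assumes Windows with an NTFS volume and a signed script you have already saved, such as the install.ps1 linked above.

```powershell
# Added example (not from the post). Windows only: reads an NTFS alternate data stream.

function Get-ScriptTrustInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Signature state as PowerShell itself evaluates it.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # The "downloaded from the Internet" mark lives in the Zone.Identifier stream.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue |
        Where-Object { $_ -like 'ZoneId=*' }

    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        ZoneMark      = if ($zone) { $zone } else { '(none)' }
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

function Compare-TamperedCopy {
    param([Parameter(Mandatory)][string]$Path)

    $source = (Resolve-Path -LiteralPath $Path).ProviderPath
    $copy   = Join-Path $env:TEMP ('edited-' + (Split-Path -Leaf $source))

    # Write an edited copy: the same text with one space inserted at the start.
    # The signature block at the end of the script is carried over unchanged.
    $text = Get-Content -LiteralPath $source -Raw
    Set-Content -LiteralPath $copy -Value (' ' + $text) -NoNewline -Encoding UTF8

    # Emit one record for the saved script and one for the edited copy.
    Get-ScriptTrustInfo -Path $source
    Get-ScriptTrustInfo -Path $copy

    Remove-Item -LiteralPath $copy
}

# Usage: Compare-TamperedCopy -Path .\install.ps1 | Format-List
```

The two records can be compared side by side: the `Status` and `StatusMessage` fields show how the signature evaluation differs once the script text no longer matches what was signed, and `ZoneMark` shows whether the file carries the download attribute.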