How to sign a powershell script

By FoxLearn 10/3/2024 2:08:37 AM   29
To sign a PowerShell script, you can use the Set-AuthenticodeSignature cmdlet, providing it with the script file and a code-signing certificate.

PowerShell scripts are useful for automating tasks on Windows, but running unsigned scripts can result in errors like "PowerShell not digitally signed." To prevent these issues, it's important to sign your scripts with a digital certificate.

How to sign a powershell script?

First, Open your Windows PowerShell

Ensure that your execution policy allows for signed scripts.

Set-ExecutionPolicy RemoteSigned

powerShell execution policy

Execution PolicyDescriptionScope of Impact
RestrictedNo scripts allowed to runDefault on Windows
AllSignedOnly runs scripts signed by a trusted publisherRecommended for most users
RemoteSignedRequires remote scripts (Internet) to be signedFlexible yet secure option
UnrestrictedNo restrictions on script executionNot recommended due to security risks
BypassIgnores all execution policiesShould be used with extreme caution

You need a code signing certificate. This can be obtained from a Certificate Authority (CA) or you can create a self-signed certificate for testing purposes.

New-SelfSignedCertificate -DnsName "FoxLearn" -CertStoreLocation "cert:\CurrentUser\My"

Output:

Thumbprint                                Subject
----------                                       -------
CBD7ACE757B43A09465D4454FCF590D82079D380  CN=FoxLearn

After running the command, you can find your certificate in the certmgr.msc under "Personal" -> "Certificates".

certificate

Retrieve the certificate you just created or obtained.

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "FoxLearn" }

Use the Set-AuthenticodeSignature cmdlet to sign the script.

Set-AuthenticodeSignature -FilePath "C:\YourPath\script.ps1" -Certificate $cert

You can check if the script is signed correctly with

Get-AuthenticodeSignature "C:\YourPath\script.ps1"

If you use a self-signed certificate, remember that it will not be trusted by default on other systems. You may need to install the certificate into the trusted root certification authorities store on those systems.

You can open PowerShell as an admin and run the command.

#Certificate name
$name = "FoxLearn"

# Create a self-signed certificate
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=$name" -KeySpec Signature -Type CodeSigningCert
 
#Export the Certificate to "Documents" Folder in your computer
$path = [Environment]::GetFolderPath("MyDocuments")+"\FoxLearn.cer"
Export-Certificate -Cert $cert -FilePath $path
 
#Add Certificate to the "Trusted Root Store"
Get-Item $path | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
  
Write-host "Certificate Thumbprint:" $Certificate.Thumbprint

Signing Your Script

$thumbprint = "CBD7ACE757B43A09465D4454FCF590D82079D380"
$path = "C:\YourPath\script.ps1"
 
#Get the Certificate from Cert Store
$CodeSignCert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Thumbprint -eq $thumbprint}
 
#Sign the PS1 file
Set-AuthenticodeSignature -FilePath $path -Certificate $CodeSignCert

To extend the lifespan of your PowerShell script's signature, you can include an optional timestamp when signing it. This ensures that the script remains valid even after the signing certificate expires.

$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Thumbprint -eq $thumbprint}
 
Set-AuthenticodeSignature -FilePath "C:\YourPath\script.ps1" -Certificate $cert -TimestampServer "http://timestamp.digicert.com"

If you open the signed PS1 file, you’ll find the encrypted signature.