How to Sign a PowerShell script

This page explains how to sign a PowerShell script using a CERN Code Signing certificate.

To test script signing, we need to set an execution policy that requires scripts to be digitally signed.
For more information about execution policies, see Using the Set-ExecutionPolicy Cmdlet (TechNet).
For testing, open an elevated PowerShell prompt and type the following: 

Set-ExecutionPolicy AllSigned

At this point, if you try to run an unsigned script, you will get an error like in this example:

X:\scripts> .\script-to-sign.ps1
X:\scripts\script-to-sign.ps1 : File X:\scripts\script-to-sign.ps1 cannot be loaded. 
The file X:\scripts\script-to-sign.ps1 is not digitally signed.

Signing a script

If you have a code signing certificate installed in your user certificate store, you can use it to sign a PowerShell script.

First of all, you need to get a reference to the code signing certificate.
Certificate stores are exposed as drives in PowerShell, so getting the certificate is very easy. The Get-ChildItem CmdLet even exposes a -CodeSigningCert switch.

After that, you can sign the certificate with the Set-AuthenticodeSignature CmdLet.

X:\scripts> cd Cert:\CurrentUser\My
Cert:\CurrentUser\My> ls

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
F2D2B3F0EF8B1448B614792CA5BDF3801BB5037E  CN=Paolo Tedesco, CN=626878, ...
7BC07D4358D9D431B4E525F7A0A9892AC66EE836  CN=IT-OIS Software, CN=itoissw, ...

Cert:\CurrentUser\My> $certificate = (Get-ChildItem -CodeSigningCert)[0]
Cert:\CurrentUser\My> Set-AuthenticodeSignature X:\scripts\script-to-sign.ps1 $certificate

At this point, your script will have a signature block at the end, as in this example:

[CmdletBinding()]
param()
Write-Host "Hello World"
# SIG # Begin signature block
# MIIUSQYJKoZIhvcNAQcCoIIUOjCCFDYCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# (snipped, real signature is much longer)
# F3XT44998ly9DMkzEg==
# SIG # End signature block

Running the signed script

Once the script is signed you can run it.

The first time you run the script, you will be prompted to add the publisher among the trusted publishers:

X:\scripts> .\script-to-sign.ps1

Do you want to run software from this untrusted publisher?
File X:\scripts\script-to-sign.ps1 is published by CN=IT-OIS Software, CN=itoissw, OU=Users, OU=Organic 
Units, DC=cern, DC=ch and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): A
Hello World

If you choose the "Always run" option, like in the above example, the code signing certificate will be added to the "Trusted Publishers" in your certificate store, and you will no longer be prompted the next time you execute a script signed with that certificate.

Created: 3/10/2020
Last reviewed: 5/2/2022
Tools:
Send the page Send  |  Printable version Print