I’m compiling a quick and dirty how-to for signing PowerShell scripts, mainly for my own archives. If it helps any of you then all the better. You can find a full post on how to do it here.
First you need to set the execution policy accordingly. In this case we’ll use the following command in PowerShell (with admin privileges):
Set-ExecutionPolicy AllSigned
Creating A Certificate
You’ll need a version of the Windows SDK installed. The latest is the Microsoft Windows SDK for Windows 7 and .NET Framework. Once installed, makecert.exe is found in the “C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\” directory.
Run the following from a Command Prompt. It creates a local certificate authority for your computer:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
You will be prompted for a password (enter anything you like and confirm, just be sure it is something you can remember) or select “None”.
Next, you’ll be prompted for the password you just set on the last screen. Enter the password and click “OK”.
Now run the following from a Command Prompt. It generates a personal certificate from the above certificate authority:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
Again, enter the password when prompted.
Now, from within PowerShell, verify that the certificate was generated correctly:
Get-ChildItem cert:\CurrentUser\My -codesign
Next, sign the script you need to execute:
Set-AuthenticodeSignature c:\Microsoft.PowerShell_profile.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

    Directory: C:\

SignerCertificate                         Status   Path
-----------------                         ------   ----
F3CEA4232605A4A75BED227630726B0C202FE25C  Valid    Microsoft.PowerShell_profile.ps1
Execute the script:
.\Microsoft.PowerShell_profile.ps1

Do you want to run software from this untrusted publisher?
The file C:\foo.ps1 is published by CN=PowerShell User. This publisher is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"):
Answer “A” and the script will run with no prompt in the future.
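The steps above can be wrapped into one script that picks the right certificate, signs a file, and then checks the signature the same way the AllSigned policy will see it. This is an added example, not code from the original post or from Scott Hanselman’s write-up; it assumes the “CN=PowerShell User” certificate from the makecert step is in Cert:\CurrentUser\My, and the script path and folder below are placeholders:

```powershell
# Added example: sign a script with the certificate created above and verify
# the result. Assumes the makecert steps already ran; $ScriptPath and
# $AuditFolder are placeholders, not paths from the original post.
param(
    [string]$ScriptPath  = "C:\Scripts\example.ps1",   # placeholder
    [string]$AuditFolder = "C:\Scripts"                # placeholder
)

# Select the signing certificate by subject instead of taking [0] from the
# store, so a second code-signing certificate can't be picked up by accident.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq "CN=PowerShell User" } |
        Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate for CN=PowerShell User in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey)        { throw "Certificate has no private key; cannot sign" }
if ($cert.NotAfter -lt (Get-Date))   { throw "Certificate expired on $($cert.NotAfter)" }

# Sign the script. Set-AuthenticodeSignature returns a Signature object whose
# Status tells you whether the signing itself succeeded.
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
}

# Re-check the file independently of the signing call. Status values you will
# see in practice: Valid, NotSigned, HashMismatch (file edited after signing),
# NotTrusted (chain does not end at a trusted root), UnknownError.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Path       = $ScriptPath
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
}

# Audit helper: report the signature state of every .ps1 in a folder, so you
# can spot scripts that were edited after signing (HashMismatch) or never
# signed at all before AllSigned starts refusing to run them.
function Get-ScriptSignatureReport {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter *.ps1 -File | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script = $_.Name
            Status = $s.Status
            Signer = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

Get-ScriptSignatureReport -Folder $AuditFolder | Format-Table -AutoSize
```

Any edit to a signed file, even a single character, changes its hash and flips the status to HashMismatch, so re-run the signing step after every change. The “untrusted publisher” prompt shown earlier is a separate check from Valid: it is driven by whether the signer is in the Trusted Publishers store, which is what answering “A” populates.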
That’s it! Again you can check out Scott Hanselman’s blog for signing PowerShell scripts in greater detail.