All things development, technology, and other interests
How-To: Sign PowerShell Scripts

How-To: Sign PowerShell Scripts

I’m compiling a quick and dirty how-to for signing PowerShell scripts, mainly for my own archives. If it helps any of you then all the better. You can find a full post on how to do it here.

First you need to set the the execution policy accordingly. In this case we’ll use the following command in PowerShell (with admin privileges):

Set-ExecutionPolicy AllSigned

Creating A Certificate

You’ll need a version of Windows SDK installed. The latest is the Microsoft Windows SDK for Windows 7 and .NET Framework. When installed makecert.exe is found in the “C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\” directory.

Run the following from a Command Prompt. It creates a local certificate authority for your computer:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku -r -sv root.pvk root.cer -ss Root -sr localMachine

You will be prompted for a password (enter anything you like and confirm, just be sure it is something you can remember) or select “None”.

Next, you’ll be prompted for the password you just set on the last screen input the password and click “OK”.

Now run the following from a Command Prompt. It generates a personal certificate from the above certificate authority:

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku -iv root.pvk -ic root.cer

Again, enter the password when prompted.

Now, from within PowerShell, verify that the certificate was generated correctly:

Get-ChildItem cert:\CurrentUser\My -codesign

Next, sign the script you need to execute:

Set-AuthenticodeSignature c:\Microsoft.PowerShell_profile.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Directory: C:\

SignerCertificate                         Status             Path
-----------------                         ------             ----
F3CEA4232605A4A75BED227630726B0C202FE25C  Valid              Microsoft.PowerShell_profile.ps1

Execute the script:

Do you want to run software from this untrusted publisher?

The file C:\foo.ps1 is published by CN=PowerShell User. This publisher is not trusted on your system. Only run scripts from trusted publishers.

[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"):

Answer “A” and the script will run with no prompt in the future.

That’s it!  Again you can check out Scott Hanselman’s blog for signing PowerShell scripts in greater detail.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.