Powershell Script Signing
Security is important in PowerShell.
PowerShell’s security features have been carefully designed
to thwart this email-based malware on Window.
The second role is the set of security-related tasks you are likely to encounter when working with your computer: script signing, certificates, and credentials,
Enable Scripting Through an Execution Policy
- Restricted - The default, allows no scripts to run
- AllSigned - All scripts must be Authenticode-signed to run
- RemoteSigned - Scripts downloaded from a remote location must be signed
- Unrestricted - PowerShell will run any script, works like what you are probably used to now
Creating the Certificate
To sign a PowerShell script, a code-signing certificate will be needed.
Normally these certificates will be provided by your enterprise Private Key Infrastructure (PKI),
and the PKI Administrator should be able to help you with the requesting process.
Code-signing certificates can also be available in market, you can purchase from third party Certificate Authorities (CA) which can be helpful if your scripts are being distributed outside of your corporate environment.
C:\Program Files (x86)\Microsoft Visual Studio 12.0\SDK\v3.5>Makecert -r -pe -n CN="www.powershelltutorial.net" -b 05/10/2010 -e 12/22/2011 -eku 220.127.116.11.18.104.22.168.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Once you create or received sertificate, the code-signing cert should be added to your Current User | Personal | Certificates certificate store on your computer.
Additionally, the root certificate from the Certificate Authority should be added to the Trusted Publishers store for all computers that are going to execute the Signed scripts.
Sign the Script Now that we have our certificate it's time to create the script and get it signed. echo get-location > my-signed-script.ps1 We now have our one line script created, let's sign it.
If you open up your script file in an editor you'll notice that it now has a large signature block section in it. Use Get-AuthenticodeSignature to see the file's new signature details. >
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning) Set-AuthenticodeSignature my-signed-script.ps1 $cert Directory: C:\scripts SignerCertificate Status Path ----------------- ------ ---- 1SSD0O7DE2EA2AA89D5CCB7E5730ED090D92D88E Valid my-signed-script.ps1