PowerShell Script Signing

Security is a first-class concern in PowerShell. Its security features were designed to thwart the kind of email-borne script malware that plagued Windows in the scripting-host era: a script you double-click or receive by mail does not run just because it is there.
The other side of PowerShell security is the set of security-related tasks you will run into in day-to-day work: execution policies, script signing, certificates, and credentials. This page covers the first three.
Enable Scripting Through an Execution Policy

  1. Restricted - The default on Windows client editions. No script files run at all; only interactive commands are allowed
  2. AllSigned - Every script, local or downloaded, must carry a valid Authenticode signature from a trusted publisher
  3. RemoteSigned - Scripts that came from the Internet (files carrying the Zone.Identifier stream that browsers and mail clients attach when saving) must be signed by a trusted publisher; scripts you write locally run unsigned. This is the default on Windows Server
  4. Unrestricted - PowerShell will run any script, which is what you are probably used to from other shells; it only warns before running an unsigned script that came from the Internet
Under Restricted, running a .ps1 file fails with "cannot be loaded because running scripts is disabled on this system". To allow scripts to run, use the Set-ExecutionPolicy cmdlet to change the execution policy to one of the policies above that permits them:
Set-ExecutionPolicy RemoteSigned
By default this sets the LocalMachine scope and needs an elevated shell; add -Scope CurrentUser to change the policy for your own account only. Group Policy settings (the MachinePolicy and UserPolicy scopes) override whatever you set here. Keep in mind that the execution policy is a guard against accidentally running scripts, not a security boundary: anyone who can start powershell.exe -ExecutionPolicy Bypass, or pipe a script's text into Invoke-Expression, gets around it.
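As an added example that is not part of the original tutorial, the following runs the execution-policy procedure end to end: it inspects the policy at every scope, sets RemoteSigned for the current user only, and then shows what RemoteSigned actually checks by giving a constructed test script the Zone.Identifier stream a browser would add. The file path under $env:TEMP is an assumption.

```powershell
# Added example, not code from the original tutorial.
# Shows the execution-policy procedure end to end and what RemoteSigned checks.

# 1. Inspect the policy at every scope. Group Policy scopes (MachinePolicy,
#    UserPolicy) override the ones you can set yourself.
Get-ExecutionPolicy -List

# 2. Set RemoteSigned for the current user only. This works from a normal
#    shell; the default LocalMachine scope needs an elevated one.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. RemoteSigned treats a file as "downloaded" when it carries the
#    Zone.Identifier alternate data stream that browsers and mail clients add.
#    Reproduce that on a constructed test script (path is an assumption).
$script = Join-Path $env:TEMP 'downloaded-test.ps1'
Set-Content -Path $script -Value 'Get-Location'
Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# The alternate stream sits beside the main (:$DATA) stream of the file.
Get-Item -Path $script -Stream * | Select-Object Stream, Length

# 4. Unsigned plus Internet zone (ZoneId=3) means RemoteSigned refuses it.
try {
    & $script
} catch {
    Write-Warning "Blocked: $($_.Exception.Message)"
}

# 5. Unblock-File deletes the Zone.Identifier stream, so the file now counts
#    as local and runs unsigned under RemoteSigned.
Unblock-File -Path $script
& $script
```

The same mark-of-the-web is what makes a script copied from a colleague's share run while the identical file saved from a browser is refused, which surprises people the first time. Treat the policy as protection against accidental execution only; a user or an attacker with a shell can always start powershell.exe with -ExecutionPolicy Bypass.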

Creating the Certificate

To sign a PowerShell script you need a code-signing certificate: one whose Enhanced Key Usage includes Code Signing (OID 1.3.6.1.5.5.7.3.3). Normally these certificates are issued by your enterprise Public Key Infrastructure (PKI), and the PKI administrator can help you with the request process.
Code-signing certificates are also sold by third-party Certificate Authorities (CAs), which is useful when your scripts are distributed outside your corporate environment, because the recipients' machines already trust those CAs' roots. For testing you can generate a self-signed certificate yourself, as in the example below, but nothing outside your own test machines will trust it.

Example

    C:\> makecert -r -pe -n "CN=www.powershelltutorial.net" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.3 -ss My -sr CurrentUser -sky signature

The flags: -r makes the certificate self-signed, -pe marks the private key exportable, -n sets the subject name, -b and -e set the validity period, -eku 1.3.6.1.5.5.7.3.3 adds the Code Signing usage (not 1.3.6.1.5.5.7.3.1, which is Server Authentication; Get-ChildItem -CodeSigningCert will not return such a certificate and Set-AuthenticodeSignature will not sign with it), -ss My -sr CurrentUser places it in the current user's Personal store, and -sky signature requests a signing key rather than a key-exchange key. makecert.exe ships with the Windows SDK and Visual Studio and is deprecated; on Windows 10 and later, New-SelfSignedCertificate -Type CodeSigningCert does the same job from PowerShell.


Once you have created or received the certificate, it must be in your Current User | Personal | Certificates store (Cert:\CurrentUser\My) together with its private key, since that is where the signing example below looks for it.
Additionally, two trust-store entries are needed on every computer that will run the signed scripts: the CA's root certificate must be in Trusted Root Certification Authorities so the signer's chain validates, and the signing certificate itself (the public part only) should be in Trusted Publishers so PowerShell does not ask "Do you want to run software from this untrusted publisher?" every time under AllSigned. For a self-signed certificate the same certificate goes into both stores.

Sign the Script

Now that we have our certificate it is time to create a script and sign it. A one-line script is enough:

    echo get-location > my-signed-script.ps1

Now let's sign it.

Example

    # Pick the first code-signing certificate in the current user's Personal store.
    # -CodeSigningCert filters on the Code Signing EKU; certificates without it are not returned.
    $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
    # Sign the file in place; the signature block is appended to the script.
    Set-AuthenticodeSignature -FilePath my-signed-script.ps1 -Certificate $cert

    Directory: C:\scripts

    SignerCertificate                          Status  Path
    -----------------                          ------  ----
    1SSD0O7DE2EA2AA89D5CCB7E5730ED090D92D88E   Valid   my-signed-script.ps1

If you open the script file in an editor you will see that a large signature block (between "# SIG # Begin signature block" and "# SIG # End signature block") has been appended to it. Use Get-AuthenticodeSignature to inspect the signature: its Status property is Valid for an intact, trusted signature, HashMismatch if the file was edited after signing, NotSigned if there is no signature block, and UnknownError if the signing certificate does not chain to a trusted root. Any edit to the script, even an added blank line, invalidates the signature, so re-sign after every change. If you pass -TimestampServer to Set-AuthenticodeSignature, the signature stays valid after the certificate expires; without a timestamp PowerShell stops reporting it as Valid once the certificate has expired.
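Pulling the page's whole procedure together, the following added example (mine, not the tutorial's code) creates a self-signed code-signing certificate with New-SelfSignedCertificate, installs it into the trust stores described above, signs a constructed one-line script, verifies it, and then shows the HashMismatch status a tampered file produces. It assumes Windows PowerShell 5.1 or newer on Windows and an elevated shell for the LocalMachine store writes; the subject name and file paths are constructed for the example.

```powershell
# Added example, not code from the original tutorial. Assumes Windows
# PowerShell 5.1 or newer and an elevated shell (LocalMachine store writes).
# Subject name and file paths are constructed for the example.

$subject = 'CN=PowerShell Tutorial Code Signing'

# 1. Create the certificate. -Type CodeSigningCert sets the Code Signing EKU
#    (1.3.6.1.5.5.7.3.3) that -CodeSigningCert and Set-AuthenticodeSignature
#    require. New-SelfSignedCertificate replaces the deprecated makecert.exe.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(1)

# 2. Trust it on this machine. Only the public certificate is exported (.cer,
#    no private key). A self-signed cert is its own root, so it goes into both
#    Trusted Root Certification Authorities (chain validation) and Trusted
#    Publishers (suppresses the "untrusted publisher" prompt under AllSigned).
$cerPath = Join-Path $env:TEMP 'tutorial-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Write a one-line script and sign it. SHA256 is the hash to use today;
#    add -TimestampServer 'http://timestamp.digicert.com' when online so the
#    signature outlives the certificate's expiry.
$scriptPath = Join-Path $env:TEMP 'my-signed-script.ps1'
Set-Content -Path $scriptPath -Value 'Get-Location'
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"After signing:   $($sig.Status)"

# 4. Verify independently: status must be Valid and the signer must be the
#    certificate we expect, not merely any trusted one.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -eq 'Valid' -and $check.SignerCertificate.Thumbprint -eq $cert.Thumbprint) {
    "Signer verified: $($check.SignerCertificate.Subject)"
}

# 5. Tamper with the signed file by prepending one line. The signature block
#    is still there, but the hash no longer matches, so PowerShell reports
#    HashMismatch and AllSigned/RemoteSigned will refuse to run it.
$body = Get-Content -Path $scriptPath
Set-Content -Path $scriptPath -Value (@('Write-Host "injected"') + $body)
"After tampering: $((Get-AuthenticodeSignature -FilePath $scriptPath).Status)"

# 6. Remove the test trust anchors when finished so the throwaway root does
#    not stay trusted on this machine.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Remove-Item
```

The self-signed route is for test machines only. In production the signing certificate comes from the enterprise PKI or a commercial CA, its private key lives on a smart card or HSM rather than in an exportable software store, and the check in step 4 (pinning the expected signer, not just "any valid signature") is what a deployment script should perform before it trusts a file.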