How to Sign a PowerShell Script
How to Sign a PowerShell Script: PowerShell is a powerful command-line shell scripting language that is often used by administrators and experts in managing operating systems. If you’re a power-user looking to understand how to sign a PowerShell script, then you’ve come to the right place.
When it comes to PowerShell scripts, there is a concept known as “execution policies”. It helps in providing a much safer and secured command line experience. These execution policies define the restrictions within which the PowerShell loads the files for execution and configuration.
Table of Contents
Powershell Execution Policy
Basically there are four major execution policies in total; they are Restricted, AllSigned, RemoteSigned and Unrestricted. Let us share a brief about the four execution policies.
1. Restriction: Restriction is the default execution policy that doesn’t run on the scripts and it is only interactive.
2. AllSigned: The AllSigned execution policy will run the scripts. The scripts need to be signed by the publisher and it opens up the risk of running signed yet malicious scripts after it is confirmed with the publisher.
3. RemoteSigned: RemoteSigned will run scripts where all the scripts and the configuration files are obtained from different communication applications like Internet Explorer, Microsoft Outlook and Windows Messenger and they should be signed by a trusted publisher. It will open up the risk of running malicious scripts that are not downloaded from applications without prompting.
4. Unrestricted: Unrestricted will run the scripts and all of them are downloaded from Internet Explorer, Microsoft Outlook, Windows Messenger, Outlook Express and will run after confirmation that the file originated from the Internet. There is no digital signature needed. This will open the risk of unsigned and malicious scripts to be downloaded from this application.
Script Signing Background
To add a digital signature to a PowerShell script, it is important that it is signed with a code signing certificate. There are two types of it: those that are created with Certificate Authority, or CA, and those that are created by a user.
If the scripts are specifically for the internal user, then you will be able to self-sign. Also, you can buy the coding certificate from any other Certificate Authority if you want.
To get a self-assigned certificate, the designated computer becomes the authority for creating the certificate. The benefits of self-signing will include zero cost, enhance creation speed and convenience. The drawback is, the certificate needs to be installed on every device running the scripts. The reason is, other computers will not trust the computer used for creating the certificate.
For creating a self-signed certificate, you shall need the makecert.exe program. You will get this as a part of the Microsoft.Net Framework SDK or the Microsoft Windows Platform SDK. The latest one is known as the .NET Framework 2.0 SDK which you can download here.
Once it is installed, the makecert.exe is found in the “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\” directory.
How to Sign a PowerShell Script
- The first step is to create the code signing certificate.
From the PowerShell prompt, you need to run the following,
New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
-Subject “CN=Local Code Signing” `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider “Microsoft Enhanced RSA and AES Cryptographic Provider” `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert
- The next step is to open the certificate manager for the current user.
Again from the same PowerShell prompt, you have to run,
certmgr /s my
- In the third step, you need to copy the new certificate to the right cert stores.
For this, you need to expand the “Personal” folder and then click on the Certificates. Then right click on the new “Local Code Signing” certificate and then copy.
Then you have to paste it into the “Trusted Root Certification Authorities” and also into the “Trusted Publishers” stores.
- The fourth step is to sign the PowerShell script with the new cert.
From the PowerShell prompt, you can run the two commands,
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]
Set-AuthenticodeSignature .\your-script.ps1 $cert
- The fifth step is to rerun the PowerShell script again.
Now you will be able to run the script without getting blocked or any other prompts about “unsigned” script.
Congratulations! You’ve successfully learned how to sign a PowerShell script.
Follow Us On: