How-To : Sign Powershell Scripts

If you have PowerShell code it is a good idea to sign it, both so that the publisher can be identified and so that any change made to the file after signing is detected. To do this you first need a valid "code signing certificate". This is usually issued by an external certificate authority, but an internal certificate authority will also do if you have one (the difference matters when you come to deploy the script, see "Still not working?" below).

When you generate the certificate (or the request for it) you need to ensure the "Enhanced Key Usage" field includes "Code Signing" (OID 1.3.6.1.5.5.7.3.3), as below:


When you have this certificate, leave it in your Personal store (Cert:\CurrentUser\My). The -CodeSigningCert switch filters that store down to certificates with the Code Signing usage, so you can select it into the variable $cert with this:

$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert

Then echo $cert to check that a certificate was actually selected, that it has a private key (the HasPrivateKey column) and that it has not expired. If more than one certificate is listed, narrow the selection down to a single one by thumbprint before continuing:

$cert

Then sign the script with that certificate, passing the variable:

Set-AuthenticodeSignature -FilePath <script>.ps1 -Certificate $cert

That should look like this:


When the command has completed, a signature block (# SIG # Begin signature block ... # SIG # End signature block) is appended to the script, and if you check the file's properties in Explorer you will notice it now has a "Digital Signatures" tab:


You now have a signed PowerShell script, which is a good thing for everyone. Bear in mind that the signature covers the file contents: if you edit the script afterwards, even to change a comment, the hash no longer matches and you need to sign it again.
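The whole procedure above in one runnable piece, as an added example rather than code from the original post. It selects a usable certificate, signs with SHA-256 and a timestamp, and then reads the signature back out of the file as an independent check. The script path is taken from the prompt quoted later in the post, and the timestamp server URL is an assumption; replace both with your own.

```powershell
# Added example (not from the original post): sign a script end to end and verify the result.
# Assumptions: $ScriptPath and $TimestampServer are placeholders, not values from the post.
$ScriptPath      = 'C:\Scripts\GPO-Deploy.ps1'         # adjust to your script
$TimestampServer = 'http://timestamp.digicert.com'     # assumed RFC 3161 timestamp server; use whichever your CA recommends

# -CodeSigningCert filters on the Code Signing EKU, but it can still return several
# certificates (expired ones, ones without a private key). Keep only those that can
# actually sign today and take the one that expires last.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My'
}

# Show what we are about to sign with, so a wrong certificate is obvious before signing.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter, HasPrivateKey

# Sign with SHA-256 and a timestamp. The timestamp lets the signature remain valid after
# the signing certificate itself expires, which matters for scripts that live for years.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer

# Set-AuthenticodeSignature returns a Signature object. Status tells you whether signing
# worked and whether the certificate chain is trusted on this machine.
$sig | Format-List Path, Status, StatusMessage, SignerCertificate, TimeStamperCertificate

# Re-read the signature from the file as a separate check; Get-AuthenticodeSignature is
# also what you run on any other machine to see how that machine views the script.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($check.Status)': $($check.StatusMessage)"
}
```

If Status comes back as UnknownError rather than Valid, the signing itself worked but the certificate's chain does not lead to a root this machine trusts; that is a trust problem on the verifying computer, not a problem with the signature.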

Still not working?

If you have signed your script with an internal certificate authority you are essentially trusting your own code from your own servers, and two things need to be in place on every computer that runs the script. First, the CA's root certificate must be in that computer's Trusted Root Certification Authorities store (domain-joined machines normally get this automatically from an AD CS enterprise CA). Second, and this is the step people forget, the signing certificate itself must be in the Trusted Publishers store: push it out via Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers). Note that the second requirement is not specific to an internal CA; under an AllSigned execution policy (or RemoteSigned for downloaded scripts) PowerShell checks whether the signer is a trusted publisher, not merely whether the certificate chain is valid.

If you miss this step, you will get a prompt exactly like this:

Do you want to run software from this untrusted publisher?
File C:\Scripts\GPO-Deploy.ps1 is published by CN=lee@croucher.cloud and is not trusted on your system. Only run
scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): 

This tells you that the script is signed and the signature checks out, but the publisher is not trusted by the local computer. Answering [A] "Always run" adds the certificate to the current user's Trusted Publishers store on that one machine, which is fine for testing but is not a deployment method; answering [V] "Never run" puts it in Untrusted Certificates, which you will then have to undo by hand.
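The following is an added example (not code from the original post) for diagnosing that prompt on a single test machine. It reads the signature back, explains what each Status value means for the prompt, and, if the chain is fine but the publisher is missing, copies the signer certificate into the machine's Trusted Publishers store. That is exactly what the Group Policy the post recommends does on every domain member; the local copy here is only for a test box. The script path is taken from the prompt quoted above and is an assumption; adjust it to your own file.

```powershell
# Added example (not from the original post): find out why a signed script still prompts,
# and trust the publisher on this one machine. Needs an elevated prompt for the store write.
# Assumption: $ScriptPath is a placeholder taken from the prompt in the post.
$ScriptPath = 'C:\Scripts\GPO-Deploy.ps1'

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

# Three different things can be wrong, and the "untrusted publisher" prompt is only the third:
#   NotSigned / HashMismatch -> never signed, or edited after signing: sign it again.
#   UnknownError             -> the chain does not reach a trusted root on this machine
#                               (internal CA root missing from Trusted Root Certification Authorities).
#   Valid                    -> chain is fine; the prompt then means the signer certificate
#                               is not in the Trusted Publishers store.
"Status: $($sig.Status) - $($sig.StatusMessage)"

$signer = $sig.SignerCertificate
if ($null -eq $signer) { throw 'File is not signed' }
"Signer: $($signer.Subject) ($($signer.Thumbprint))"

# Is this signer already a trusted publisher for the machine?
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $signer.Thumbprint

if ($trusted) {
    'Publisher is already trusted on this machine.'
} else {
    # Add the signer certificate (public part only, taken from the signature) to the
    # machine-wide Trusted Publishers store. This is the same end state the GPO produces.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($signer)
    $store.Close()
    "Added $($signer.Subject) to Cert:\LocalMachine\TrustedPublisher"
}

# Execution policy decides whether the signature is checked at all, so list it as well:
#   AllSigned    -> every script must be signed by a trusted publisher
#   RemoteSigned -> only scripts marked as downloaded from the internet need a signature
Get-ExecutionPolicy -List
```

If Status is UnknownError rather than Valid, adding the publisher will not help on its own: the CA root (and any intermediate) has to be trusted first, and for an internal CA that also belongs in Group Policy under Public Key Policies.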

