69. Signing Scripts
Note

The information below is extensively based on material taken from the PowerShell® Notes for Professionals book. I plan to extend it based on my day-to-day usage of the language.
69.1: Signing a script

A script is signed with the Set-AuthenticodeSignature cmdlet and a code-signing certificate.

```powershell
# Get the first available personal code-signing certificate for the logged-on user
$cert = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[0]

# Sign the script using that certificate
Set-AuthenticodeSignature -Certificate $cert -FilePath C:\MyScript.ps1
```
You can also read a certificate from a .pfx file using:

```powershell
$cert = Get-PfxCertificate -FilePath "C:\MyCodeSigningCert.pfx"
```
The signature is valid only until the certificate expires. If you use a timestamp server during signing, the signature remains valid after the certificate expires, because the timestamp proves the script was signed while the certificate was still valid. It is also useful to include the certificate's trust chain (up to the root authority) so that most computers can trust the certificate used to sign the script.

```powershell
Set-AuthenticodeSignature -Certificate $cert -FilePath C:\MyScript.ps1 -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"
```

It is recommended to use a timestamp server from a trusted certificate provider such as Verisign, Comodo, Thawte, etc.
69.2: Bypassing execution policy for a single script

Often you might need to execute an unsigned script that doesn't comply with the current execution policy. An easy way to do this is to bypass the execution policy for that single process only. Example:

```powershell
powershell.exe -ExecutionPolicy Bypass -File C:\MyUnsignedScript.ps1
```

Or you can use the shorthand:

```powershell
powershell.exe -ep Bypass C:\MyUnsignedScript.ps1
```
Other execution policies:

- AllSigned: Only scripts signed by a trusted publisher can be run.
- Bypass: No restrictions; all Windows PowerShell scripts can be run.
- Default: Normally RemoteSigned, but can be controlled via Active Directory (Group Policy).
- RemoteSigned: Downloaded scripts must be signed by a trusted publisher before they can be run.
- Restricted: No scripts can be run. Windows PowerShell can be used only in interactive mode.
- Undefined: N/A (no policy set for that scope).
- Unrestricted: Similar to Bypass.

Unrestricted caveat: if you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
69.3: Changing the execution policy using Set-ExecutionPolicy

To change the execution policy for the default scope (LocalMachine), use:

```powershell
Set-ExecutionPolicy AllSigned
```

To change the policy for a specific scope, use:

```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy AllSigned
```

You can suppress the confirmation prompts by adding the -Force switch.
69.4: Get the current execution policy

Getting the effective execution policy for the current session:

```powershell
PS> Get-ExecutionPolicy
RemoteSigned
```

List all execution policies for the current session, one per scope:

```powershell
PS> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned
```

List the execution policy for a specific scope, e.g. Process:

```powershell
PS> Get-ExecutionPolicy -Scope Process
Undefined
```
69.5: Getting the signature from a signed script

Get information about the Authenticode signature of a signed script by using the Get-AuthenticodeSignature cmdlet:

```powershell
Get-AuthenticodeSignature .\MyScript.ps1 | Format-List *
```
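As an added example (not from the book), the following audit uses Get-AuthenticodeSignature over a folder of scripts and flags the cases a defender cares about: unsigned files, files modified after signing (HashMismatch), untrusted signers, and signatures that were not timestamped and will therefore lapse with the certificate (see 69.1). The `$Path` and `$ExpectedThumbprint` values are assumptions; replace them with your own.

```powershell
# Audit every .ps1 under $Path and report signature problems.
# $Path and $ExpectedThumbprint are placeholders, not values from the book.
param(
    [string]$Path = 'C:\Scripts',
    # Thumbprint of the code-signing certificate your scripts are expected to carry
    [string]$ExpectedThumbprint = 'REPLACE-WITH-YOUR-CERT-THUMBPRINT'
)

Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # $sig.Status is a System.Management.Automation.SignatureStatus value:
    # Valid, NotSigned, HashMismatch (content changed after signing), NotTrusted, UnknownError, ...
    $finding = switch ($sig.Status) {
        'Valid' {
            if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) { 'Valid, but signed by an unexpected certificate' }
            elseif (-not $sig.TimeStamperCertificate) { 'Valid, but not timestamped (expires with the certificate)' }
            else { 'OK' }
        }
        'NotSigned'    { 'Unsigned script' }
        'HashMismatch' { 'Content modified after signing' }
        'NotTrusted'   { 'Signer certificate chain is not trusted on this machine' }
        default        { "Signature status: $($sig.Status) - $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Script      = $_.FullName
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        TimeStamped = [bool]$sig.TimeStamperCertificate
        Finding     = $finding
    }
} | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

Run it from an elevated or normal session as needed; only scripts with a finding other than OK are printed, so an empty table means every script is signed by the expected certificate and timestamped.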
69.6: Creating a self-signed code signing certificate for testing

When signing personal scripts or when testing code signing, it can be useful to create a self-signed code-signing certificate.

Beginning with PowerShell 5.0, you can generate a self-signed code-signing certificate by using the New-SelfSignedCertificate cmdlet:

```powershell
New-SelfSignedCertificate -FriendlyName "StackOverflow Example Code Signing" -CertStoreLocation Cert:\CurrentUser\My -Subject "SO User" -Type CodeSigningCert
```

In earlier versions, you can create a self-signed certificate using the makecert.exe tool found in the .NET Framework SDK and the Windows SDK. A self-signed certificate is only trusted by computers on which the certificate has been installed. For scripts that will be shared, a certificate from a trusted certificate authority (internal or trusted third-party) is recommended.