Skip to content

69. Signing Scripts

Note

The below information is extensively based in information taken from the PowerShell® Notes for Professionals book. I plan to extend this information based on my day to day usage of the language.

69.1: Signing a script

Signing a script is done by using the Set-AuthenticodeSignature -cmdlet and a code-signing certificate.

1
2
#Get the first available personal code-signing certificate for the logged on user
$cert = @( Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[ 0 ]
1
2
#Sign script using certificate
Set-AuthenticodeSignature -Certificate $cert -FilePath c:\MyScript.ps1

You can also read a certificate from a .pfx-file using:

1
$cert = Get-PfxCertificate -FilePath "C:\MyCodeSigningCert.pfx"

The script will be valid until the certificate expires. If you use a timestamp-server during the signing, the script will continue to be valid after the certificate expires. It is also useful to add the trust chain for the certificate (including root authority) to help most computers trust the certificated used to sign the script.

1
Set-AuthenticodeSignature -Certificate $cert -FilePath c:\MyScript.ps1 -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"

It's recommended to use a timestamp-server from a trusted certificate provider like Verisign, Comodo, Thawte etc.

69.2: Bypassing execution policy for a single script

Often you might need to execute an unsigned script that doesn't comply with the current execution policy. An easy way to do this is by bypassing the execution policy for that single process. Example:

1
powershell.exe -ExecutionPolicy Bypass -File C:\MyUnsignedScript.ps1

Or you can use the shorthand:

1
powershell.exe -ep Bypass C:\MyUnsignedScript.ps1

Other Execution Policies:

  • AllSigned : Only scripts signed by a trusted publisher can be run.
  • Bypass : No restrictions; all Windows PowerShell scripts can be run.
  • Default : Normally RemoteSigned, but is controlled via ActiveDirectory
  • RemoteSigned : Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Restricted : No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • Undefined : NA
  • Unrestricted : Similar to bypass

Unrestricted Caveat
If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

69.3: Changing the execution policy using Set-ExecutionPolicy

To change the execution policy for the default scope (LocalMachine), use:

1
Set-ExecutionPolicy AllSigned

To change the policy for a specific scope, use:

1
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy AllSigned

You can suppress the prompts by adding the -Force switch.

69.4: Get the current execution policy

Getting the effective execution policy for the current session:

1
2
PS> Get-ExecutionPolicy
RemoteSigned

List all effective execution policies for the current session:

1
PS> Get-ExecutionPolicy -List
1
2
3
4
5
6
7
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned

List the execution policy for a specific scope, ex. process:

1
2
PS> Get-ExecutionPolicy -Scope Process
Undefined

69.5: Getting the signature from a signed script

Get information about the Authenticode signature from a signed script by using the Get-AuthenticodeSignature cmdlet:

1
Get-AuthenticodeSignature .\MyScript.ps1 | Format-List *

69.6: Creating a self-signed code signing certificate for testing

When signing personal scripts or when testing code signing it can be useful to create a self-signed code signing certificate.

Beginning with PowerShell 5.0 you can generate a self-signed code signing certificate by using the New-SelfSignedCertificate cmdlet:

1
New-SelfSignedCertificate -FriendlyName "StackOverflow Example Code Signing" - CertStoreLocation
1
Cert:\CurrentUser\My -Subject "SO User" - Type CodeSigningCert

In earlier versions, you can create a self-signed certificate using the makecert.exe tool found in the .NET Framework SDK and Windows SDK. A self-signed certificate will only be trusted by computers that have installed the certificate. For scripts that will be shared, a certificate from a trusted certificate authority (internal or trusted third-party) are recommended.