How to Sign a PowerShell Script (And Run It)

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

PowerShell is a scripting language that was developed by Microsoft to provide an easy-to-use command line interface for Windows and other operating systems. PowerShell can be used in various ways, including automation; the most popular use case being automating system administration tasks such as managing file servers. As with any new technology, there are some unique aspects of working with PowerShell which you may encounter while spec’ing out your scripts or trying to run them on a production server..

The “sign powershell script with domain ca” is a command that allows you to sign a PowerShell script. This will allow the script to run on any machine without having to install the .NET Framework.

How to Sign a PowerShell Script (And Run It)

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Verify that the computer’s Personal certificate store has the self-signed Authenticode certificate. Where-Object

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Confirm if the self-signed Authenticode certificate exists in the computer’s Personal certificate store Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Root certificate store Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Trusted Publishers certificate store Get-ChildItem Cert:LocalMachineTrustedPublisher | Where-Object {$_.Subject -eq “CN=ATA Authenticode”}

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

.Subject -eq “CN=ATA Authenticode” Get-ChildItem Cert:LocalMachineMy | Where-Object

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Confirm if the self-signed Authenticode certificate exists in the computer’s Personal certificate store Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Root certificate store Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Trusted Publishers certificate store Get-ChildItem Cert:LocalMachineTrustedPublisher | Where-Object {$_.Subject -eq “CN=ATA Authenticode”}

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

.Subject -eq “CN=ATA Authenticode” # Verify that the computer’s Root certificate store has the self-signed Authenticode certificate. Where-Object

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Confirm if the self-signed Authenticode certificate exists in the computer’s Personal certificate store Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Root certificate store Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Trusted Publishers certificate store Get-ChildItem Cert:LocalMachineTrustedPublisher | Where-Object {$_.Subject -eq “CN=ATA Authenticode”}

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

.Subject -eq “CN=ATA Authenticode” Get-ChildItem Cert:LocalMachineRoot | Where-Object

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Confirm if the self-signed Authenticode certificate exists in the computer’s Personal certificate store Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Root certificate store Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Trusted Publishers certificate store Get-ChildItem Cert:LocalMachineTrustedPublisher | Where-Object {$_.Subject -eq “CN=ATA Authenticode”}

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

.Subject -eq “CN=ATA Authenticode” # Check the computer’s Trusted Publishers certificate store for the self-signed Authenticode certificate. Where-Object

Do you need to make sure that no one alters your scripts and passes them off as the originals? If that’s the case, you’ll want to understand how to sign PowerShell scripts. The publisher’s identity is added to the script by signing, allowing users to determine whether or not to trust the script’s source.

Learn how to sign PowerShell scripts in this article to guarantee that only trustworthy scripts are launched in your environment.

Prerequisites

You’ll need the following items to follow the examples in this tutorial.

  • A computer with the latest version of the Windows operating system installed. Version 20H2 of Windows 10 is used in this article.
  • PowerShell 5.1 or PowerShell 6+ on Windows. PowerShell v7.1.3 will be used in the examples in this tutorial.
  • A PowerShell script that may be used to sign documents. You may name your script and save it in whatever folder you choose. This post will utilize the C:ATAmyscript.ps1 sample script, which has the following code.

“Script Execution – OK,” Write-Host

Obtaining a Certificate of Code Signing

You must first get a code signing certificate before you can begin signing PowerShell scripts. Code signing certificates are also known as Authenticode certificates in the Microsoft industry.

One sort of digital certificate is a code signing certificate, which is used to sign files. The addition of a code signing certificate to a file or code offers verification that the file originated from the publisher who signed it.

The location where you get a code signing certificate is determined by where you want to deploy or distribute your signed scripts. Cost is, of course, a major consideration.

  • Global / Public – A certificate issued by a globally reputable Certificate Authority is required (CA). GeoTrust and DigiCert are two examples of such CAs. These vouchers are not available for free. A DigiCert Authenticode certificate, for example, costs $474 per year as of this writing.
  • Internal / Local Intranet – You can request and download a signing certificate from your internal certificate authority (CA) server if you have one.
  • Personal / Development — A self-signed certificate should suffice for personal testing or development purposes. This is the sort of signing certificate we’ll be using in this tutorial.

Making a Self-Signed Code Signing Certificate

To sign a PowerShell script, you’ll need a code signing certificate, as you learned in the previous section. In this lesson, you’ll just be performing personal testing, so a self-signed certificate would sufficient. Where do you obtain it, though?

Self-signed means that your local computer will issue a code signing certificate to itself, as the name indicates. Follow these procedures to create a self-signed certificate.

1. On your PC, run PowerShell as an administrator.

2. Paste the command below into PowerShell and execute it. To generate a new code signing certificate, use the New-SelfSignedCertificate cmdlet. ATA Authenticode is the name of the certificate stored in the Personal certificate store on the local machine.

Only the current user’s personal certificate store (cert:CurrentUserMy) or the local machine’s personal certificate store are supported by the New-SelfSignedCertificate cmdlet (cert:LocalMachineMy). Cert:LocalMachineMy certificates are accessible throughout the whole machine.

The certificate object is also saved to the $authenticode variable for use in the following step.

# Create a self-signed Authenticode certificate in the personal certificate store on the local machine. $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore $authenticode = New-SelfSignedCertificate -Subject “ATA Authenticode” -CertStore -Type CodeSigningCert -Location Cert:LocalMachineMy

3. Next, add the self-signed certificate to the computer’s Trusted Root Certification Authority and Trusted Publishers certificate stores to make your computer trust the new certificate you’ve produced. To do so, copy and execute the code below in PowerShell.

# Place the self-signed Authenticode certificate in the root certificate store of the machine. ## Make a representation of the LocalMachineRoot certificate store. ## Open the root certificate store for reading and writing using $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“Root”,”LocalMachine”) $rootStore. Open(“ReadWrite”) ## Add the certificate from the $authenticode variable to the $authenticode variable. $rootStore. Add($authenticode) ## Remove the root certificate store from the system. $rootStore.Close() # Place the self-signed Authenticode certificate in the trusted publishers certificate store on the machine. ## Create an object to represent the certificate store for the LocalMachineTrustedPublisher. ## Open the TrustedPublisher certificate store for reading and writing with $publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new(“TrustedPublisher”,”LocalMachine”) ## $publisherStore. ## Add the certificate saved in the $authenticode variable using Open(“ReadWrite”). $publisherStore. Close the TrustedPublisher certificate storage using Add($authenticode). $publisherStore.Close()

There are three main reasons why self-signed certificates should be installed in three distinct certificate stores.

  • The code signing certificate will be the certificate you generated in the Personal certificate store.
  • If you copy the same certificate to the Trusted Publishers store, your computer will trust the publisher who signed the script. To verify a script’s signature, PowerShell looks for the certificate in this store.
  • Finally, adding the self-signed certificate to the Trusted Root Certification Authorities guarantees that the certificates in the Personal and Trusted Publishers stores are trusted by your local machine.

4. Run the PowerShell instructions below to verify that the certificate with the topic ATA Authenticode is in the Personal, Root, and Trusted Publisher certificate stores.

# Confirm if the self-signed Authenticode certificate exists in the computer’s Personal certificate store Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Root certificate store Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Confirm if the self-signed Authenticode certificate exists in the computer’s Trusted Publishers certificate store Get-ChildItem Cert:LocalMachineTrustedPublisher | Where-Object {$_.Subject -eq “CN=ATA Authenticode”}

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

.Subject -eq “CN=ATA Authenticode” Get-ChildItem Cert:LocalMachineTrustedPublisher | Get-ChildItem Cert:LocalMachineTrustedPublisher

Confirming the new self-signed certificate's constructionConfirming the new self-signed certificate’s construction

5. Open the Certificates Snap-in and seek for the certificate you produced within the Certificates folder under the Personal, Trusted Root Certification Authorities, and Trusted Publishers certificate stores to examine the certificate in a GUI.

Using the Microsoft Management Console to see certifications (MMC)Using the Microsoft Management Console to see certifications (MMC)

Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell

Adding a signature to a PowerShell script

You’re ready to utilize your code signing certificate to sign your example PowerShell script now that you’ve produced and installed it in the three certificate stores. The Set-AuthenticodeSignature cmdlet is the major star when it comes to signing scripts.

Run the code below in PowerShell to sign the PowerShell script. The first command obtains the code-signing certificate from the personal certificate store on the local system. The second command encrypts the PowerShell script file with a digital signature.

# Get the code-signing certificate from the local computer’s certificate store with the name *ATA Authenticode* and store it to the $codeCertificate variable. $codeCertificate = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq “CN=ATA Authenticode”} # Sign the PowerShell script # PARAMETERS: # FilePath – Specifies the file path of the PowerShell script to sign, eg. C:ATAmyscript.ps1. # Certificate – Specifies the certificate to use when signing the script. # TimeStampServer – Specifies the trusted timestamp server that adds a timestamp to your script’s digital signature. Adding a timestamp ensures that your code will not expire when the signing certificate expires. Set-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 -Certificate $codeCertificate -TimeStampServer *<http://timestamp.digicert.com>*

Most reputable certificate suppliers provide a timestamp server, which may be found on their websites. The timestamp server for DigiCert is http://timestamp.digicert.com, whereas Comodo’s is http://timestamp.comodoca.com.

You should see something like the screenshot below after signing the script.

Adding a signature to a PowerShell scriptAdding a signature to a PowerShell script

Checking the Digital Signature of a PowerShell Script

So far, you’ve used the self-signed certificate you produced to sign a PowerShell script. But how can you tell whether the script has a digital signature or not?

Getting to Know the Code

One technique to verify a script’s digital signature is to open it in a text editor and look at the code. The signed script, like the one below, contains a signature block at the Conclusion of the code. # SIG # Begin signature block, # SIG # End signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # SIG # Begin signature block, # S

Viewing the digital signature in the script's contentViewing the digital signature inside the text of the script

The script will become non-signed if the digital signature block is removed from the code.

Getting into the File Properties of the Script

Opening the script’s file properties in Windows Explorer is another approach to verify the script’s digital signature. To do so, follow these steps:

  1. Navigate to the PowerShell script’s location in Windows Explorer. The script is located at C:ATAmyscript.ps1 in this example.
  2. Right-click the script and choose Properties from the drop-down menu.
  3. Click the Digital Signatures tab on the file’s Properties window, and you should see a digital signature under the Signature list.

Viewing the digital signature in the script's file propertiesIn the script’s file properties, you can see the digital signature.

Get-AuthenticodeSignature is a command that returns the signature of an authenticated node.

Would you believe that you can also verify the signature of a script from inside PowerShell? Most likely not. Get-AuthenticodeSignature is the cmdlet you may use to get the signature of a file.

Run the command below to get the script’s digital signature. The signature of the C:ATAmyscript.ps1 file is obtained using this command. The Select-Object -Property * cmdlet shows all of the signature’s information.

Select-Object -Property * Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1 | Get-AuthenticodeSignature -FilePath C:ATAmyscript.ps1

You should get something like the snapshot below after executing the command. The SignerCertificate property, as you can see, displays the signing certificate’s data. The TimerStamperCertificate attribute displays the timestamp server’s certificate.

In PowerShell, you may see the digital signature.In PowerShell, you may see the digital signature.

Running a PowerShell Script That Has Been Signed

You’ve now signed a PowerShell script and verified that the digital signature is valid. However, the best way to see whether you’ve followed all of the stages properly is to run the script and validate that it works.

PowerShell provides a safety feature that prevents users from launching scripts by accident. Execution Policies are the name of this security feature. PowerShell may block or enable scripts to execute depending on the execution policy.

PowerShell Execution Policies: Understanding and Managing explains the various execution policies and how they effect script execution.

Follow these procedures to launch a signed PowerShell script.

To guarantee that only signed scripts may execute, set the execution policy to AllSigned. You won’t be able to properly test if your signed script works until you complete this step. To do so, enter the command below in PowerShell as an administrator to launch the Set-ExecutionPolicy cmdlet.

Understanding and Managing PowerShell Execution Policies

AllSigned-Set-ExecutionPolicy

Execute the signed PowerShell script after that.

As you can see in the output below, the script should execute without issues or warnings.

Error-free execution of the signed scriptError-free execution of the signed script

Related:How to Run a PowerShell Script from the Command Line and Other PowerShell Resources

However, if the script was not properly signed or was not signed at all, you may get an error similar to the one shown below. In such case, go through your instructions again and attempt signing the script.

Executing a script that has digital signature flawsExecuting a script that has digital signature flaws

What if your script was finally updated? Will the digital signature be valid in the future? No, that is not the case. Any changes to the signed script will render the script’s digital signature invalid. The changed script will not run and will return an error.

To test a changed signed script, follow these steps.

1. Open the myscript that has been signed. In a code or text editor, paste the PS1 script.

2. Add a character to the code, such as an underscore in this case. Nothing else should be changed.

Making changes to the signed scriptMaking changes to the signed script

3. After making changes to the code, save the script.

4. Finally, run the command below in PowerShell to run the changed script.

Because you changed the signed script, when you run it, you’ll get the error indicated below. To update and correct the script’s digital signature, you’ll need to sign it again.

Using a signed script that has a faulty digital signatureUsing a signed script that has a faulty digital signature

A digital signature does not ensure that the script has not been altered from its original state. Any PowerShell script that contains malicious code could also be digitally signed. When executing scripts from sources you don’t entirely trust, proceed with care.

Conclusion

You learnt why, depending on the execution policies, signing PowerShell scripts may be essential in this post. You also learnt to recognize the difference between a signed and unsigned writing. Finally, you learned how to digitally sign PowerShell scripts as well as test and execute them.

Will you begin signing PowerShell scripts before distributing or deploying them now that you know how to do so?

powershell script not digitally signed” is a problem that has been present for a while. In this blog, I will show you how to sign your PowerShell scripts. You can then run the script from the command line and it will be able to execute.

Related Tags

  • remote sign powershell script
  • sign powershell script with certificate
  • tool to sign powershell script
  • self sign powershell script
  • powershell script signing best practices

Table of Content