How to Digitally Sign a PowerShell Script - A Step-by-Step Guide

Written by Alex Marin · October 4th, 2024 · 3min read

PowerShell scripts are an effective tool for automating tasks, but with great power comes a need for security.

Signing your PowerShell scripts with a digital certificate is essential for ensuring they have not been tampered with and establishing trust with those who use them.

This guide will walk you through the steps of signing a PowerShell script, whether you use a self-signed certificate for internal use or a publicly trusted certificate for wider distribution.

Obtaining Your Certificate

To sign a PowerShell script, you'll need a code signing certificate.

You have two options:

  • Purchase a Certificate from a Trusted Certificate Authority (CA)
  • Create a Self-Signed Certificate with PowerShell.

While purchasing a certificate from a CA is the preferred method for public-facing scripts, self-signed certificates can be used internally.

The main difference is that self-signed certificates are not trusted by default in most environments, which can result in security warnings.

If you prefer a self-signed certificate, you can create one with the following PowerShell command:

New-SelfSignedCertificate -DnsName "YourDomain" -CertStoreLocation "Cert:\LocalMachine\My"

This command generates a self-signed certificate for signing your scripts.

If you intend to distribute your scripts outside of your organization, it's best to invest in a CA certificate to avoid trust issues.

For internal use, you can generate a PFX certificate, and distribute it across your infrastructure, ensuring all scripts are signed with the same certificate.

Preparing PowerShell and Selecting Your Certificate

Once you have your certificate, the next step is to set up PowerShell.

1. Open PowerShell as an Administrator

Search for "PowerShell" in the Start menu, then right-click the Windows PowerShell app and select "Run as Administrator."

2. List Available Code Signing Certificates

You’ll need to select the correct one for signing if you have multiple certificates. You can list all available code signing certificates with this command:

Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
Get a code signing certificate in PowerShell

3. Select the Desired Certificate

After determining the correct certificate, you can assign it to a variable. For example:

$cert = (Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert)[0]

The [0] in the brackets selects the first certificate in the list. If you want to use the second certificate, you can modify the code to point to [1]. Remember, the first item starts with [0] and not with [1].

Signing the PowerShell Script

With your certificate selected, you can now sign your script. To apply the signature, run the 'Set-AuthenticodeSignature' cmdlet.

Set-AuthenticodeSignature -FilePath "C:\path\to\your\script.ps1" -Certificate $cert
Apply digital signature over the PowerShell script

This command signs the script using the certificate you've chosen. To increase security, particularly if your certificate is about to expire, you can include a timestamp in the signature using:

Set-AuthenticodeSignature -FilePath "C:\path\to\your\script.ps1" -Certificate $cert -TimeStampServer "https://timestamp.digicert.com"

The timestamp ensures that the script’s signature remains valid even after the certificate expires.

Verifying the Script Signature

After signing the script, verify that the signature was applied correctly.

1. Check in a Text Editor

Open the script in a text editor and look for a signature block at the bottom, enclosed by '# SIG #'.

Check the PowerShell certificate

2. Check in File Properties

To view the signature details, right-click the script file in Windows Explorer, select "Properties," and then navigate to the "Digital Signatures" tab.

For those who prefer working within PowerShell, use the following command to verify the signature:

Get-AuthenticodeSignature -FilePath "C:\path\to\your\script.ps1"

This command will display the details of the script’s digital signature, confirming that it was signed correctly.

Verify the digital signature in PowerShell

Conclusion

Signing your PowerShell scripts is a crucial step in ensuring their integrity and security.

Whether using a self-signed certificate for internal automation or a publicly trusted certificate for wider distribution, following these steps will help you protect your scripts from tampering and instill trust in your users.

Written by
See author's page
Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.

Comments: