top of page
Search

How to Sign a PowerShell Script

Writer's picture: Gareth OxendineGareth Oxendine
Nov 2, 20245 min read

Updated: Feb 1

SUMMARY:

Signing PowerShell scripts proves their authenticity and provides data integrity; a script's signature helps devices verify that the script is from a trusted publisher and has not been altered. Also, if the PowerShell execution policy on your Windows devices is set to AllSigned or RemoteSigned, then you must sign your scripts.

To learn how to change the PowerShell execution policy on your devices using Intune, click the link below:


Table of Contents


High-Level Overview of How a Script Signature Works

When you sign a script, the signature is embedded in text form and is appended at the bottom of the script. The signature provides two key points of security:

  • Data Integrity: The devices that receive the script will use the public key in the signature to decrypt the signed hash and then compare it to the hash they create. If the hashes match, they know the code has not been altered.

  • Authentication: The script will be signed using a private key from a private-public key pair. When a device inspects a script's signature, it will check to see if it trusts the publisher. Whether or not a device trusts the publisher depends on whether the device has the publisher's public certificate in its Trusted Publisher certificate store. Check Step 3 below to learn how to ensure your script's signature is trusted by your devices.


Step 1: Create or Request a Code-Signing Certificate

Before you can sign your scripts, you must first have a private key to create the signature. You have a couple of options:


Option 1: Create a Self-Signed Certificate

The commands below will create a self-signed certificate and place it in your User Certificate Personal store. Then, the script will export the certificate with only the public key. You will need this later.

IMPORTANT:

PowerShell must be run with elevated privileges when creating a self-signed certificate (right-click and select "Run as Administrator").

Option 2: Request a Code-Signing Certificate from your CA

If your organization's Certificate Authority (CA) has a code-signing certificate template available, you can request a code-signing certificate. The steps to request this certificate or to enable the template will vary based on your PKI environment. Consult your vendor's documentation to learn how to request a certificate with the code-signing purpose.


If you are using Microsoft Window's AD CS as your CA, then see the links below on how to create a certificate template (if one doesn't exist) and how to request a code-signing certificate:


Step 2: Sign your Script

NOTE:

Any change made to a script after it has been signed requires the script to be signed again. If there is already a signature in a script, running the command again will replace the signature. See the quote from Microsoft below:


If there is a signature in the file when this cmdlet runs, that signature is removed. --Microsoft

Option 1: Sign a PowerShell Script Interactively

Once you've created your script, save it, then launch PowerShell or PowerShell ISE. Use the following command to sign your script:

IMPORTANT:

The number inside the brackets in the command below tells PowerShell which code-signing certificate to use. If you have multiple code-signing certificates, 0 notates the first one in the list, 1 notates the second one and so on. To see a list of code-signing certificates in your store, use the command below:

Get-ChildItem -Path Cert:\CurrentUser\My\ -CodeSigningCert

Below is an example of a script's signature after it is signed. If using PowerShell ISE, ensure the script is closed while being signed, then reopen it to view the signature.

Viewing the signature of a signed PowerShell Script.























Option 2: Sign a PowerShell Script using a Script

To avoid opening the PowerShell application and typing the command above, you can create a script to sign scripts! Once you create the script to sign other scripts, save it as a .ps1 file, then simply double-click it to sign other scripts. To execute the signing script tool by double-clicking it, make sure that PowerShell is set as the default application for .ps1 files.


How does the Script Signing Tool Work?

When you execute the script signing tool, you will be prompted to enter the file path to the script you want to sign. Type the file path and then hit enter. The script tool will then sign the script in the background.


Steps to Create the Signing Script Tool

  1. Open PowerShell ISE and copy/paste the script below.

  1. The number inside the bracket tells PowerShell which code-signing certificate to use. If you have multiple code-signing certificates, 0 notates the first one in the list, 1 notates the second one, and so on.

  2. To see a list of code-signing certificates in your store, use the command below: 

Get-ChildItem -Path Cert:\CurrentUser\My\ -CodeSigningCert

  1. Save the script and close PowerShell ISE.

    1. You MUST sign the script file before using it, otherwise, the script won't execute depending on your execution policy, or the script will give you the untrusted publisher warning.

  2. Open PowerShell again and copy/paste the command below. Replace insert_filepath with the path of the script you just saved. 

Set-AuthenticodeSignature "insert_filepath" @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSign)[0]

  1. Run the script and close PowerShell. The script signing tool should now be signed.

  2. Test the new script signing tool by double-clicking it.


Option 3: Sign Multiple PowerShell Scripts

If you have multiple PowerShell scripts to sign, use the steps below to sign them all simultaneously! Please note each script will have its own, unique signature even though you are signing them at once.


Steps to Sign Multiple Scripts at Once

  1. Ensure all of the script files to be signed are in the same folder.

  2. Open PowerShell ISE and copy/paste the code below.

  1. Replace the insert_folderpath placeholder text with the folder path to the folder that contains the script files.

  2. The number inside the bracket tells PowerShell which code-signing certificate to use. If you have multiple code-signing certificates, 0 notates the first one in the list, 1 notates the second one, and so on.

  3. To see a list of code-signing certificates in your store, use the command below: 

Get-ChildItem -Path Cert:\CurrentUser\My\ -CodeSigningCert

  1. Run the script to sign the script files.



Step 3: Deploy your Public-Key Certificate to the Trusted Publishers Store

Using Microsoft Intune, you can deploy the certificate that contains the public key that is related to the private key used to sign the script(s). Once Intune deploys this certificate to the trusted publisher store, devices will trust any script signed with your private key. By following the steps in the link below, you can remove the"Do you want to run software from this untrusted publisher?" message from appearing. Click the link below to learn how:



NOTE:

If you used a Trusted CA to issue the code-signing certificate in Step 1, you will still have to export and deploy the public-key certificate to the Trusted Publisher store of your organization's devices.




Cover Picture Provided by Freepik


 
 
 

Comments

Recent Posts

Click the Heart to Like!

If this post is helpful,please click the heart at the bottom of the page. 

Follow us on LinkedIn!

We'd like to invite you to follow us on LinkedIn! Click the icon to follow.

Never Miss a Post. Subscribe Now!

Want to be notified whenever a new article is posted? Enter your email address and subscribe!

Thanks for submitting!

Donate to the Blog?

We hope the blog was helpful to you! If so, we'll take a donation as a form of thanks! :) 

© 2024 by DMTT. Powered and secured by Wix

$

Thank you for your donation!

bottom of page