How to Sign a PowerShell Script
Updated: Nov 11, 2024
Signing PowerShell scripts proves their authenticity and provides data integrity; a script's signature helps devices verify that the script is from a trusted publisher and has not been altered. Also, if the PowerShell execution policy on your Windows devices is set to AllSigned or RemoteSigned, then you must sign your scripts. To learn how to change the PowerShell execution policy on your devices using Intune, click the link below:
High-Level Overview of How a Script Signature Works
When you sign a script, the signature is embedded in text form and is appended at the bottom of the script. The signature provides two key points of security:
Data Integrity: A device that receives the script uses the public key in the signature to verify the signed hash, then compares that hash with the one it computes from the script text itself. If the hashes match, the device knows the code has not been altered since it was signed.
Authentication: The script will be signed using a private key from a private-public key pair. When a device inspects a script's signature, it will check to see if it trusts the publisher. Whether or not a device trusts the publisher depends on whether the device has the publisher's public certificate in its Trusted Publisher certificate store. Check Step 3 below to learn how to ensure your script's signature is trusted by your devices.
Step 1: Create or Request a Code-Signing Certificate
Before you can sign your scripts, you must first have a private key to create the signature. You have a couple of options:
Option 1: Create a Self-Signed Certificate
The commands below will create a self-signed certificate and place it in your User Certificate Personal store. Then, the script will export the certificate with only the public key. You will need this later.
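The following is an added example (not the original page's script) of those two steps: it creates a self-signed code-signing certificate in the current user's Personal store and exports only the public certificate. The subject name and the export path are assumptions; substitute your own.

```powershell
# Added example: create a self-signed code-signing certificate and export its public part.
$subject = "CN=PowerShell Code Signing (Test)"   # assumed subject; use your own name

# -Type CodeSigningCert sets the Code Signing enhanced key usage the verifier looks for.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(2)

Write-Host "Created certificate with thumbprint $($cert.Thumbprint)"

# Export the public certificate only (DER-encoded .cer). The private key stays in the store;
# this file is what Step 3 deploys to the Trusted Publishers store.
$exportPath = Join-Path $env:USERPROFILE "Desktop\CodeSigningPublic.cer"   # assumed path
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null

# Sanity check on the exported file: no private key, and the Code Signing EKU (1.3.6.1.5.5.7.3.3) present.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath
"Exported to      : $exportPath"
"HasPrivateKey    : $($exported.HasPrivateKey)"
"Code Signing EKU : $($exported.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')"
```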
Option 2: Request a Code-Signing Certificate from your CA
If your organization's Certificate Authority (CA) has a code-signing certificate template available, you can request a code-signing certificate. The steps to request this certificate or to enable the template will vary based on your PKI environment. Consult your vendor's documentation to learn how to request a certificate with the code-signing purpose.
If you are using Microsoft Windows AD CS (Active Directory Certificate Services) as your CA, then see the links below on how to create a certificate template (if one doesn't exist) and how to request a code-signing certificate:
Step 2: Sign your Script
Option 1: Sign a PowerShell Script Interactively
Once you've created your script, save it, then launch PowerShell or PowerShell ISE. Use the following command to sign your script:
Below is an example of a script's signature after it is signed. If using PowerShell ISE, ensure the script is closed while being signed, then reopen it to view the signature.
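As an added example (not from the original page), the commands below sign one script, inspect the signature with Get-AuthenticodeSignature, and then show how the integrity check reacts when the signed file is edited afterwards. The script path is an assumption, and a code-signing certificate is assumed to be in Cert:\CurrentUser\My.

```powershell
# Added example: sign a script, inspect the result, then demonstrate the integrity check.
$scriptPath = "C:\Scripts\Hello.ps1"   # assumed path to an existing script

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate found in Cert:\CurrentUser\My" }

# Sign the file. SHA256 is the default hash in current PowerShell; it is stated here for clarity.
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"After signing : $($result.Status)"

# Status values you will meet:
#   Valid         signature checks out and the signer's chain is trusted on this device
#   NotSigned     no signature block in the file
#   HashMismatch  the file was changed after it was signed
#   UnknownError  the chain could not be built, e.g. a self-signed cert not yet trusted (see Step 3)

# The signature is plain text appended to the file between these two marker comments.
Get-Content -Path $scriptPath | Select-String -Pattern '# SIG # (Begin|End) signature block'

# Inspect the signature independently of the signing call.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
"Signer        : $($sig.SignerCertificate.Subject)"
"Matches cert  : $($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)"

# Integrity: any edit after signing, even a trailing comment, invalidates the hash.
Add-Content -Path $scriptPath -Value "# edited after signing"
$tampered = Get-AuthenticodeSignature -FilePath $scriptPath
"After editing : $($tampered.Status)"
```

Re-run Set-AuthenticodeSignature after any change to a script; the old signature is replaced, not appended to.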
Option 2: Sign a PowerShell Script using a Script
To avoid opening the PowerShell application and typing the command above, you can create a script to sign scripts! Once you create the script to sign other scripts, save it as a .ps1 file, then simply double-click it to sign other scripts. To execute the signing script tool by double-clicking it, make sure that PowerShell is set as the default application for .ps1 files.
How does the Script Signing Tool Work?
When you execute the script signing tool, you will be prompted to enter the file path to the script you want to sign. Type the file path and then hit enter. The script tool will then sign the script in the background.
Steps to Create the Signing Script Tool
Open PowerShell ISE and copy/paste the script below.
Save the script and close PowerShell ISE.
Open PowerShell again and copy/paste the command below. Replace the file path with the path to the script you just saved.
Set-AuthenticodeSignature "insert_filepath" @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
Run the command and close PowerShell. The script signing tool should now be signed.
Test the new script signing tool by double-clicking it.
Option 3: Sign Multiple PowerShell Scripts
If you have multiple PowerShell scripts to sign, use the steps below to sign them all at once. Note that each script still gets its own unique signature, because the hash covers only that file's contents.
Steps to Sign Multiple Scripts at Once
Ensure all of the script files to be signed are in the same folder.
Open PowerShell ISE and copy/paste the code below.
Replace the insert_folderpath placeholder text with the folder path to the folder that contains the script files.
Run the commands to sign the script files!
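The script below is an added example (not the original page's signing tool) that covers both Option 2 and Option 3: it prompts for a path and signs either a single .ps1 file or every .ps1 file in a folder, reporting the status of each. Save it as a .ps1 file, sign it once as described above, then double-click it. The prompt text and file name are assumptions.

```powershell
# Added example: interactive signing tool for one script or a folder of scripts.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { Read-Host "No code-signing certificate found. Press Enter to exit"; exit 1 }

$target = Read-Host "Enter the path to a .ps1 file or to a folder of scripts"
$target = $target.Trim('"')    # tolerate a quoted path pasted from Explorer
if (-not (Test-Path -LiteralPath $target)) {
    Read-Host "Path not found: $target. Press Enter to exit"
    exit 1
}

# Build the list of files: a single file, or all .ps1 files directly inside the folder.
$files = if (Test-Path -LiteralPath $target -PathType Container) {
    Get-ChildItem -LiteralPath $target -Filter *.ps1 -File
} else {
    Get-Item -LiteralPath $target
}

foreach ($file in $files) {
    # Each file gets its own signature; the hash covers that file's content only.
    # Optional: add -TimestampServer <url of an RFC 3161 service> so the signature stays
    # verifiable after the certificate expires (see the Set-AuthenticodeSignature documentation).
    $r = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert
    "{0,-40} {1}" -f $file.Name, $r.Status
}

# Keep the window open so the results can be read when launched by double-click.
Read-Host "Done. Press Enter to exit" | Out-Null
```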
Step 3: Deploy your Public-Key Certificate to the Trusted Publishers Store
Using Microsoft Intune, you can deploy the certificate that contains the public key related to the private key used to sign the script(s). Once Intune deploys this certificate to the Trusted Publishers store, devices will trust any script signed with your private key, and the "Do you want to run software from this untrusted publisher?" prompt no longer appears. Click the link below to learn how:
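Before rolling the certificate out with Intune, it is worth importing it by hand on one test device and confirming that a signed script verifies. The commands below are an added example (not from the original page); run them from an elevated prompt, and treat the .cer path and the script path as assumptions.

```powershell
# Added example: trust the exported public certificate on one device and verify a signed script.
$cerPath = "C:\Deploy\CodeSigningPublic.cer"   # assumed path to the .cer exported in Step 1

# Trusted Publishers is the store that suppresses the "untrusted publisher" prompt.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# A self-signed certificate has no issuing CA, so its chain only builds if it is also a trusted root.
# Certificates issued by your enterprise CA do not need this line; that CA is already trusted.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Check: a script signed with the matching private key should now report Valid.
$sig = Get-AuthenticodeSignature -FilePath "C:\Scripts\Hello.ps1"   # assumed signed script
"Status             : $($sig.Status)"
"StatusMessage      : $($sig.StatusMessage)"
$inStore = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint }
"Publisher in store : $([bool]$inStore)"
```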