Signing a script is done by using the Set-AuthenticodeSignature cmdlet and a code-signing certificate.
#Get the first available personal code-signing certificate for the logged on user
$cert = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[0]
#Sign script using certificate
Set-AuthenticodeSignature -Certificate $cert -FilePath c:\MyScript.ps1
You can also read a certificate from a .pfx file using:
$cert = Get-PfxCertificate -FilePath "C:\MyCodeSigningCert.pfx"
The script's signature will be valid until the certificate expires. If you use a timestamp server during signing, the signature will continue to be valid after the certificate expires. It is also useful to include the certificate's trust chain (including the root authority) so that most computers can trust the certificate used to sign the script.
Set-AuthenticodeSignature -Certificate $cert -FilePath c:\MyScript.ps1 -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"
It's recommended to use a timestamp server from a trusted certificate provider such as Verisign, Comodo, or Thawte.
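As an added example (not part of the original page), the following helper signs a script with the timestamp and full chain described above and then re-reads the result with Get-AuthenticodeSignature, so you can confirm the signature validates and actually carries a timestamp counter-signature. The function name, the script path and the use of the first code-signing certificate in the user's store are assumptions; the timestamp URL is the one quoted on this page.

```powershell
# Added example: sign a script with timestamp + chain, then verify the result.
# Assumes a code-signing certificate exists in Cert:\CurrentUser\My and that the
# timestamp server is reachable (URL taken from the page, not verified here).
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$TimeStampServer = "http://timestamp.verisign.com/scripts/timstamp.dll"
    )

    $cert = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[0]
    if (-not $cert) { throw "No code-signing certificate found in Cert:\CurrentUser\My" }

    # Sign, embedding the full chain and a trusted timestamp so the signature
    # keeps validating after the signing certificate itself expires.
    $null = Set-AuthenticodeSignature -Certificate $cert -FilePath $Path `
        -IncludeChain All -TimeStampServer $TimeStampServer

    # Verify: Get-AuthenticodeSignature recomputes the file hash and rebuilds the
    # chain. A file edited after signing shows Status = HashMismatch here.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
        TimeStamped = [bool]$sig.TimeStamperCertificate   # $true only if counter-signed
    }
}

$result = Invoke-SignAndVerify -Path "C:\MyScript.ps1"   # assumed path
$result | Format-List

if ($result.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($result.Status)': $($result.Message)"
}
if (-not $result.TimeStamped) {
    Write-Warning "No timestamp counter-signature; signature stops validating at $($result.NotAfter)"
}
```

Status other than Valid on a machine that should trust the certificate usually points at a missing chain element (try -IncludeChain All) or a file modified after signing.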