Code-Signing Mini-Series (Part 4: Code-Signing PowerShell Files)

by Dec 3, 2018

Before you hand a PowerShell script to others, digitally sign it. The signature is appended to the script as a comment block (it starts with "# SIG # Begin signature block") and lets a recipient check two things: which certificate holder signed the script, and whether the content is still exactly what was signed or has been modified since. It does not say anything about whether the code is safe to run, and the signer's identity only means something if the recipient trusts the certificate's issuer.

To sign PowerShell scripts you need a code-signing certificate together with its private key. The previous tips in this series showed how to create one and how to load one from a .pfx file or from your certificate store. The code below assumes a valid code-signing certificate is in $cert; if you do not have one yet, revisit those tips first.

# make sure this PFX file exists or create one,
# or load a code-signing cert from other sources
# (review the previous tips for hints)
# Get-PfxCertificate prompts for the PFX password
$pfxFile = "$home\desktop\tobias.pfx"
$cert = Get-PfxCertificate -FilePath $pfxFile

# make sure this folder exists and contains
# the PowerShell scripts you'd like to sign
$PathWithScripts = 'c:\myScripts'

# apply signatures to all scripts in the folder;
# one Signature object per file is emitted, check its Status
Get-ChildItem -Path $PathWithScripts -Filter *.ps1 -Recurse |
  Set-AuthenticodeSignature -Certificate $cert

After you run the code, every .ps1 file in the folder carries a signature block, and Set-AuthenticodeSignature emits one Signature object per file. A Status of Valid means the file was signed and the certificate chains to a root the signing machine trusts. Any other status deserves a look: a self-signed certificate that is not installed as trusted, for example, yields UnknownError with the message that a certificate chain could not be built to a trusted root authority; the file is signed, but no one will trust that signature until they trust the certificate. If you are connected to the Internet, also use a timestamp server while signing, and replace the last line with this one:

# apply signatures to all scripts in the folder, with a timestamp
Get-ChildItem -Path $PathWithScripts -Filter *.ps1 -Recurse |
  Set-AuthenticodeSignature -Certificate $cert -TimestampServer http://timestamp.digicert.com

A timestamp server adds a countersignature recording when the file was signed, which costs one round trip per file but protects the signature from certificate expiry: without a timestamp, the signature stops validating the day the certificate expires; with one, it stays valid because the timestamp proves the signature was applied while the certificate was still valid. The timestamp does not rescue a signature if the certificate is later revoked with a revocation date earlier than the signing time.
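To see the whole round trip (sign with a timestamp, verify, detect tampering), here is an added example that is not part of the original tip. It assumes $cert already holds a code-signing certificate with a private key, as in the code above; the scratch folder, the sample script and the appended line are constructed for the demo. Expect Status to be Valid only if the certificate is trusted on the machine that verifies; after the file is altered, the hash of the body no longer matches the signed hash and Get-AuthenticodeSignature reports HashMismatch.

```powershell
# Added example, not from the original tip. Assumes $cert holds a
# code-signing certificate with a private key (see the tip above).
# Folder, file name and file content below are constructed for the demo.

$scratch = Join-Path $env:TEMP 'signing-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$script = Join-Path $scratch 'hello.ps1'

# constructed sample script to sign
Set-Content -Path $script -Value 'Write-Host "Hello from a signed script"'

# sign with a timestamp countersignature so the signature outlives the cert
$signed = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
            -TimestampServer 'http://timestamp.digicert.com'
if ($signed.Status -ne 'Valid') {
    # typical for a self-signed cert the machine does not trust yet
    Write-Warning "Signed, but not trusted here: $($signed.Status) - $($signed.StatusMessage)"
}

# verify: Status says whether the signature is intact and trusted,
# SignerCertificate who signed, TimeStamperCertificate who countersigned
$sig = Get-AuthenticodeSignature -FilePath $script
[pscustomobject]@{
    File        = Split-Path $script -Leaf
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    TimeStamper = $sig.TimeStamperCertificate.Subject
}

# tamper with the script body; the old signature block stays in place
Add-Content -Path $script -Value '# constructed: an attacker appended this line'
$tampered = Get-AuthenticodeSignature -FilePath $script
"After tampering: $($tampered.Status)"   # expected: HashMismatch

# audit a whole folder: list every script that is not cleanly signed
Get-ChildItem -Path $scratch -Filter *.ps1 -Recurse |
  Get-AuthenticodeSignature |
  Where-Object { $_.Status -ne 'Valid' } |
  Select-Object Path, Status, StatusMessage
```

The final pipeline is the check to run before you ship or deploy: anything it lists is either unsigned, modified after signing, or signed by a certificate the machine does not trust, and each of those cases has a different remedy (sign, re-sign, or install the issuer into Trusted Root and Trusted Publishers).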
