How to Sign Digitally PowerShell Script With a Code Signing?

Digitally Sign Powershell Script

Quick Guide on How to Digitally Sign a PowerShell Script to Authenticate & Secure

Are you looking to ensure your script is safe to use and hasn’t been tampered with that can harm users? If that’s the case, then you will require to digitally sign the PowerShell script using a code signing certificate offered by known certificate authorities like Sectigo.

Once you digitally sign a PowerShell script, it’ll show your identity by embedding your unique digital signature that gives away a message to users that a genuine software development company has developed it and it’s safe for users.

In this quick guide, we will take you through detailed steps showing how you can digitally sign a PowerShell script to make it appear as a trusted script that can run in the computer environment smoothly while preventing security issues and warnings.

But before we jump into it, let’s look at what are some prerequisites you should be aware of. Before that, you can get the details about What is PowerShell and What is Powershell Code Signing here!

Prerequisites You Should Know Before You Digitally Sign PowerShell Script

Once you put patch management tasks on autopilot using carefully written Shell Scripts, you should now focus on keeping those scripts secure and prevent any tampering that loads malicious malware onto your user’s device. And for that, you’ll need to sign a PowerShell script digitally.

Similarly, for that, you’ll need to make sure you’ve:

  • A device that runs Windows Operating System 8.1 and above
  • Windows PowerShell Script version 5.1 and above
  • A PowerShell script is saved in any folder you create.

Once you get everything mentioned here, you can now move ahead with a codesigning PowerShell script.

Steps for Having Scripts Written in PowerShell Digitally Signed

Purchase Code Signing Certificate From Trusted Certificate Authority

First, you’ll need to purchase an affordable Powershell Code Signing Certificate from a globally trusted certificate authority like Comodo or Sectigo. It enables you to secure your software, scripts, and another executable from unauthorized access and third-party modifications. It lessens the risk of tampering and assures your users and system administrators that scripts are safe and coming from you.

You can skip this step if you’ve already purchased a Standard or EV Code Signing Certificate. But if you haven’t, first make sure you purchase the software signing certificate according to your requirement and then move forward.

In addition, make sure you avoid using a self-signed code signing certificate because the system does not trust it. Self-signed Code Signing Certificates generate warnings, and there’s a high possibility of being tampered with. In other words, self-signed Shell Scripts will be treated like unsigned Shell Scripts, and no one will trust them.

Once you purchase and your code signing certificate is issued, you can move on to the next step.

Open Windows Power Shell as an Admin

You’ll need to run PowerShell with admin permission to sign the PowerShell script digitally. And, for opening it:

windows powershell
  • Click on the Start button
  • In the search box, type PowerShell
  • Select the application PowerShell
  • Right-click on the PowerShell and select the option Run as Administrator

View & Select Your Code Signing Certificate

If you’ve multiple code signing certificates, then ensure you’re selecting the right code signing certificate from the list. And for that, you are requested to follow the below command:

Get-ChildItem Cert:\ExampleUser\MyFolder -SMCCert
Powershell Script Command

Though, if you want to play safe and want to view all the available code signing certificates, then you can use the two below-mentioned methods:

The Directory Changing Method

Enter the command and go to the folder where code signing certificates are stored:

cd Cert\ExampleUser\MyFolder
Type ls and press Enter
change directory using powershell

The Command Method

Type this mentioned command:

Get-ChildItem Cert:\ExampleUser\MyFolder
Hit enter
get list of all your certificates

Note: If your code signing certificate is saved in another folder, then make sure you replace it in the file path Cert:\ExampleUser\MyFolder with the actual correct one. Here’s an example of the same:

Cert:\ ExampleUser\MyFolder -SMCCert [0] or Cert:\LocalMachine\MyFolder -SMCCert [2]

Once you hit the Enter button, your code signing certificate will appear on the Windows of PowerShell. Here’s an example of the same showing all the code signing certificates that are within the system:

Once you get the list of code signing certificates, you can select the one you want and move further to sign the PowerShell script digitally. Then you’re required to set the code signing certificate to the variable such as $cert. Next, you’ll need to follow a certain command that selects a specific software signing certificate from the list.

Below is one such command that selects the code signing certificate you want. (It starts from the top, which you can count as 0). Here’s the command:

$cert = (Get-ChildItem –Path Cert:\LocalMachine\MyFolder -SMCCert)[4]

Digitally Sign PowerShell Script

Once you select your code signing certificate, you can save it to your $cert variable and start signing. To digitally sign a PowerShell script, you can use the Set-AuthenticodeSignature command, such as:

Set-AuthenticodeSignature -FilePath SCRIPT_PATH -Certificate $cert
cmdlet to use for powershell code signing

Note: Use actual path by replacing SCRIPT_PATH

For instance, the command to digitally sign PowerShell script looks like this:

Set-AuthenticodeSignature -FilePath C:\MyCodeSigningCert\eg_powershell_script.ps1 -Certificate $cert

Similarly, it’s recommended that you timestamp your PowerShell sign script so your users don’t face any warnings once your code signing certificate expires and your digital signature remains valid forever. And, to timestamp your digitally signed PowerShell script, you can use the below command:

Set-AuthenticodeSignature -FilePath C:\EgCodeSigningCert\eg_powershell_script.ps1 -Certificate $cert -TimeStampServer http://timestamp.<certificate-authority-name>.com

Note: In command, change <certificate-authority-name> with the name of the certificate authority from whom you’ve purchased your code signing certificate. For instance, Sectigo or Comodo.

Verify Once You Digitally Sign a PowerShell Script

Once you codesign the PowerShell script, it’s recommended that you verify whether it’s signed correctly or not. And to verify it, here below are some of the ways:

By Opening Your Signed PowerShell Script

  • Using a text editor like Notepad, open your signed PowerShell script
  • At the bottom of the script, look for the signature block. If it’s signed correctly, it’ll start and end with #SIG#

Checking Digital Signatures Through Properties

If you want to verify the signature visually, you can do so.             

  • Open Windows Explorer and go to the folder where you’ve saved your signed PowerShell script.
  • Right-click the folder
  • From the menu, select the option Properties
  • Click on the tab named Digital signatures

And it should look like the below:

Verify Using PowerShell Command

One more way is to verify your signature using the PowerShell command. Again, you simply need to enter the command, and you’ll get the output of it that will show whether it’s signed or not.

  • Go to PowerShell Window
  • Type below mentioned command:
Get-AuthenticodeSignature -FilePath PATH_OF_PowerShell_SCRIPT | Select-Object -Property *
verify your powershell script

Note: Change PATH_OF_PowerShell_SCRIPT with the actual path where you’ve saved it.

And, if it’s signed correctly, you will see output like the below one:

Ending Note

By signing PowerShell scripts using a code signing certificate, you assure users that whatever change you make in it is approved and reviewed by you.

Similarly, it also assures that the PowerShell script hasn’t been tampered with and is safe to use. Here we have given detailed steps to sign a PowerShell script digitally. We hope it gives you better insight into how to do it.

Quickly Digitally Sign your Software or Application to run smoothly and securely with Best Code Signing Certificate at just $210.99/yr

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.