How to Digitally Sign a PowerShell Script With a Code Signing Certificate


Quick Guide on How to Digitally Sign a PowerShell Script to Authenticate Its Publisher and Protect Its Integrity

Do you want to assure users that your script really comes from you and has not been tampered with on its way to them? If so, you need to digitally sign the PowerShell script with a code signing certificate issued by a publicly trusted certificate authority such as Sectigo.

Once you digitally sign a PowerShell script, the embedded signature ties the script to your verified publisher identity: users and administrators can see who signed it, and any change to the script after signing, even a single character, invalidates the signature. Keep in mind what a signature does and does not prove: it proves origin and integrity, not that the script is free of bugs or harmless, so it complements code review rather than replacing it.

In this quick guide, we walk through the steps to digitally sign a PowerShell script so that it runs under the AllSigned and RemoteSigned execution policies without the warnings and blocks that apply to unsigned scripts.

Before we jump in, let's look at the prerequisites. If you need background first, see our separate articles on what PowerShell is and what PowerShell code signing does.

Prerequisites You Should Know Before You Digitally Sign a PowerShell Script

Once you have put patch management or other administrative tasks on autopilot with carefully written PowerShell scripts, the next job is keeping those scripts trustworthy: an attacker who can modify a script that runs with administrative rights can use it to deliver malware to every device it touches. Digitally signing the script lets PowerShell detect that kind of tampering before the script runs.

To follow along, make sure you have:

  • A device running Windows 8.1 or later
  • Windows PowerShell 5.1 or later (PowerShell 7 on Windows also works; the signing cmdlets rely on Windows Authenticode and are not available on Linux or macOS)
  • The PowerShell script you want to sign, saved in a folder of your choice

Once you have these in place, you can move on to signing the PowerShell script.

Steps for Digitally Signing Scripts Written in PowerShell

Purchase Code Signing Certificate From Trusted Certificate Authority

First, purchase a code signing certificate from a globally trusted certificate authority such as Comodo or Sectigo. Signing with a CA-issued certificate lets Windows and your users verify that your scripts, software, and other executables come from you and have not been modified since you signed them. It does not stop anyone from reading or copying a script; its job is to make any later modification detectable and to bind the script to a verified publisher identity, which lowers the risk of tampering and reassures users and system administrators.

You can skip this step if you already own a Standard (OV) or EV code signing certificate. If you do not, choose the certificate type that matches your requirements before moving on. Whichever you buy, protect its private key: CAs typically issue it on a hardware token, and anyone who obtains the key can sign malware in your name.

Avoid self-signed code signing certificates for anything you distribute. Windows does not trust them by default, so a script signed with one is treated like an unsigned script and generates the same warnings unless the certificate is manually installed in the Trusted Root Certification Authorities and Trusted Publishers stores on every machine that will run it. That is workable in a lab or a tightly managed domain, but not for scripts you hand to customers or the public.

Once your code signing certificate has been purchased, validated, and issued, move on to the next step.

Open Windows PowerShell as an Administrator

Signing itself does not require administrator rights when the certificate is in your personal store (Cert:\CurrentUser\My). You do need an elevated session if the certificate is in the machine store (Cert:\LocalMachine\My) or if you intend to change the machine-wide execution policy. To open an elevated PowerShell window:

  • Click the Start button
  • In the search box, type PowerShell
  • Right-click Windows PowerShell in the results and select Run as administrator

View & Select Your Code Signing Certificate

If you have several certificates installed, make sure you pick the right one. The certificate provider's -CodeSigningCert parameter filters the store down to certificates whose Enhanced Key Usage includes Code Signing, which is usually enough to narrow the list:

Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert

If you would rather see everything in the store, including certificates that cannot sign code, use either of the two methods below:

The Directory Changing Method

Change into the certificate store as if it were a folder, then list it:

cd Cert:\CurrentUser\My
ls

(ls is an alias for Get-ChildItem, so both methods run the same cmdlet.)

The Command Method

Run Get-ChildItem with the store path directly:

Get-ChildItem Cert:\CurrentUser\My

Note: Cert:\CurrentUser\My is the personal store of the logged-on user. If your certificate was imported into the machine store instead, replace the path with Cert:\LocalMachine\My. For example:

(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] or (Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert)[2]

When you press Enter, PowerShell lists the matching certificates with their Thumbprint and Subject columns; the thumbprint is the value that uniquely identifies each certificate, so note it down for the one you intend to use.

From that list, choose the certificate you want to sign with and store it in a variable such as $cert. The simplest way is to index into the list; the index starts at 0 for the first entry, so the command below picks the first code signing certificate in the current user's store:

$cert = (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)[0]

Indexing is fine for a one-off, but the order changes as certificates are added, renewed, or expire, so a position such as [4] may pick a different certificate next month. For anything you script or automate, select the certificate by its thumbprint instead.

Digitally Sign PowerShell Script

With the certificate stored in $cert, you can sign. Use the Set-AuthenticodeSignature cmdlet:

Set-AuthenticodeSignature -FilePath SCRIPT_PATH -Certificate $cert

Note: Replace SCRIPT_PATH with the actual path to your script. Sign the final version of the file: any edit after signing, including whitespace, line-ending or encoding changes made by an editor, invalidates the signature.

For instance, the command to digitally sign PowerShell script looks like this:

Set-AuthenticodeSignature -FilePath C:\MyCodeSigningCert\eg_powershell_script.ps1 -Certificate $cert

Similarly, it’s recommended that you timestamp your PowerShell sign script so your users don’t face any warnings once your code signing certificate expires and your digital signature remains valid forever. And, to timestamp your digitally signed PowerShell script, you can use the below command:

Set-AuthenticodeSignature -FilePath C:\EgCodeSigningCert\eg_powershell_script.ps1 -Certificate $cert -TimeStampServer http://timestamp.<certificate-authority-name>.com

Note: In command, change <certificate-authority-name> with the name of the certificate authority from whom you’ve purchased your code signing certificate. For instance, Sectigo or Comodo.
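The steps above as one reusable function. This is an added example, not code from the original article or from any CA's tooling: it selects the certificate by thumbprint rather than by list position, checks that the certificate has a private key and is within its validity period, signs with an explicit SHA-256 hash and a timestamp, and then re-reads the signature to confirm the result. The thumbprint, script path and timestamp URL in the usage line are placeholders you must replace with your own values.

```powershell
function Invoke-ScriptSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreLocation = 'CurrentUser',   # or 'LocalMachine' (needs an elevated session)
        # Placeholder: replace with the RFC 3161 timestamp URL published by your CA
        [string] $TimestampServer = 'http://timestamp.<certificate-authority-name>.com'
    )

    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }

    # Select by thumbprint rather than by list position: the index of a certificate
    # shifts as certificates are added, renewed or expire; its thumbprint does not.
    $candidates = @(Get-ChildItem -Path "Cert:\$StoreLocation\My" -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() })

    if ($candidates.Count -eq 0) {
        throw "No code signing certificate with thumbprint $Thumbprint in Cert:\$StoreLocation\My"
    }
    $cert = $candidates[0]

    # Sanity checks before touching the file
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Subject) has no private key and cannot sign"
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $($cert.Subject) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Explicit hash algorithm so the result does not depend on the cmdlet's default
    Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer | Out-Null

    # Verify after signing rather than trusting the call succeeded: Status is Valid
    # only when the signature is present and the chain verifies on this machine.
    $verified = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($verified.Status -ne 'Valid') {
        throw "Signing $ScriptPath did not produce a valid signature: $($verified.Status) - $($verified.StatusMessage)"
    }
    if (-not $verified.TimeStamperCertificate) {
        Write-Warning "Signature on $ScriptPath is not timestamped; it will stop verifying when the certificate expires"
    }
    return $verified
}

# Usage (all three values are placeholders):
# Invoke-ScriptSigning -ScriptPath 'C:\MyCodeSigningCert\eg_powershell_script.ps1' `
#     -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
#     -TimestampServer 'http://timestamp.<certificate-authority-name>.com'
```

Because the function throws on anything other than a Valid status, it is safe to drop into a build or release pipeline: a missing private key, an expired certificate, or an untrusted chain on the signing machine stops the pipeline instead of shipping a script that will be rejected on users' machines.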

Verify Once You Digitally Sign a PowerShell Script

Once you have signed the PowerShell script, verify that the signature is correct before distributing it. There are three ways to do so:

By Opening Your Signed PowerShell Script

  • Open your signed PowerShell script in a text editor such as Notepad
  • At the bottom of the script, look for the signature block. If the script is signed, it starts with the line # SIG # Begin signature block and ends with # SIG # End signature block, with the base64-encoded signature in between. Seeing the block only tells you a signature is present, not that it is valid, so use one of the next two methods as well.

Checking the Digital Signature Through File Properties

If you want to verify the signature visually, you can do so in File Explorer:

  • Open File Explorer and go to the folder where you saved your signed PowerShell script
  • Right-click the script file itself (not the folder)
  • From the menu, select Properties
  • Open the tab named Digital Signatures, select the signature and click Details to see the signer name, the timestamp and whether Windows reports the signature as OK

Verify Using a PowerShell Command

The third way is to verify the signature with Get-AuthenticodeSignature, which returns the signature's Status together with the signer and timestamp certificates:

  • Go to the PowerShell window
  • Type the command below:
Get-AuthenticodeSignature -FilePath PATH_OF_PowerShell_SCRIPT | Select-Object -Property *

Note: Replace PATH_OF_PowerShell_SCRIPT with the actual path of your script.

If the script is signed correctly, the Status property reads Valid and SignerCertificate shows your certificate. Other values tell you what went wrong: NotSigned means no signature block was found, HashMismatch means the file was changed after it was signed, and UnknownError usually means a signature is present but the certificate chain is not trusted on this machine (the case with a self-signed certificate). TimeStamperCertificate is populated only if you timestamped the signature.
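The following lab demo, added here and not part of the original article, shows those Status values in practice. It creates a throwaway self-signed code signing certificate (lab use only, for exactly the reason the article gives: nothing outside this machine trusts it), signs a constructed sample script, verifies it, modifies the signed file, and verifies it again. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where New-SelfSignedCertificate ships in the built-in PKI module; the certificate and temporary files are removed at the end.

```powershell
function Test-ScriptSignature {
    # Summarise the signature state of a script file as one object per call
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Label = ''
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Step          = $Label
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped   = [bool] $sig.TimeStamperCertificate
    }
}

# Constructed lab inputs: a temporary folder, a one-line script and a self-signed certificate
$workDir    = Join-Path -Path $env:TEMP -ChildPath ('sigdemo-' + [guid]::NewGuid().ToString('N'))
$scriptPath = Join-Path -Path $workDir -ChildPath 'demo.ps1'
$cert       = $null
New-Item -ItemType Directory -Path $workDir | Out-Null

try {
    # UTF-16 LE with BOM is the traditional safe encoding for signed .ps1 files
    Set-Content -Path $scriptPath -Value 'Write-Output "hello from the demo script"' -Encoding Unicode

    # Lab-only certificate: self-signed, so the chain terminates in an untrusted root
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Signing Demo' `
        -CertStoreLocation Cert:\CurrentUser\My

    Test-ScriptSignature -Path $scriptPath -Label 'before signing'       # NotSigned

    Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 | Out-Null
    Test-ScriptSignature -Path $scriptPath -Label 'after signing'        # UnknownError: untrusted root

    # Tamper with the script body while leaving the signature block in place.
    # ReadAllText honours the BOM; WriteAllText with Encoding.Unicode writes it back the same way.
    $text = [System.IO.File]::ReadAllText($scriptPath)
    $text = $text.Replace('hello from the demo script', 'tampered after signing')
    [System.IO.File]::WriteAllText($scriptPath, $text, [System.Text.Encoding]::Unicode)
    Test-ScriptSignature -Path $scriptPath -Label 'after tampering'      # HashMismatch
}
finally {
    # Clean up the temporary files and the lab certificate, including its private key
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
    if ($cert) { Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey }
}
```

The second row is the one to notice: the file is signed and intact, yet Status is UnknownError rather than Valid because the self-signed root is not trusted, which is why a CA-issued certificate is needed for scripts you distribute. The third row shows the property that matters for integrity: one changed string in the body, with the signature block still present, flips the status to HashMismatch, and under the AllSigned execution policy PowerShell refuses to run such a file.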

Ending Note

By signing PowerShell scripts with a code signing certificate, you assure users that the script they run is the one you released, and that any later change was made by you and re-signed.

It also lets PowerShell itself detect tampering: a script modified after signing fails signature validation and, under the AllSigned execution policy (or RemoteSigned, for scripts downloaded from the internet), will not run. We have walked through the steps to sign a PowerShell script digitally and hope this gives you a clear picture of how to do it.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.