Signing of a PowerShell script


To make sure that only authorized changes are made to a PowerShell script, you can sign the script using a code-signing certificate. Once you have obtained a valid certificate (self-signed or issued by a CA), it is quite easy to use.

It is important to use a timestamp service. If one is not used, the script's signature will stop validating once the original certificate expires, and the script has to be re-signed using a new valid certificate. With a timestamp service, the script remains valid after the signing certificate expires, because the service timestamps the signature and proves that the signing certificate was valid when the script was signed.

These lines of PowerShell will sign a script using VeriSign's timestamp service.


$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath [PS1 FILE TO SIGN] -Certificate $cert -TimestampServer "http://timestamp.verisign.com/scripts/timstamp.dll"

The first line will grab any valid certificate for code signing in your personal store. This can be changed if a specific certificate is required.

The output of the signing should be something like this:

[Screenshot: pscodesign]
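The two points above (picking one specific certificate, and making sure the signature really carries a timestamp) can be combined in a small wrapper. This is an added example, not code from the original post; the function name `Set-TimestampedSignature` and its parameters are hypothetical, and the timestamp URL is passed in by the caller.

```powershell
# Added example. The function name and its parameters are hypothetical.
function Set-TimestampedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $TimestampServer,
        [string] $Thumbprint    # optional: pin one specific certificate
    )

    # Code-signing certificates in the personal store that are inside
    # their validity period and have a usable private key.
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })

    if ($Thumbprint) {
        $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $Thumbprint })
    }
    if ($candidates.Count -eq 0) {
        throw "No usable code-signing certificate found in Cert:\CurrentUser\My."
    }

    # -Certificate takes a single certificate, so pick the one that expires last.
    $cert = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1

    $null = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -TimestampServer $TimestampServer

    # Re-read the signature from disk instead of trusting the signing output.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on $Path has no timestamp; it stops validating when the certificate expires."
    }
    $sig
}

# Usage (placeholder values, replace with your own):
# Set-TimestampedSignature -Path .\script.ps1 -TimestampServer 'http://timestamp.example/'
```

A script signed with a self-signed certificate only reports `Valid` on machines where that certificate is trusted; elsewhere the status check above throws.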