How do I sign a Windows PowerShell script?
First you’ll need a code-signing certificate. If you purchase one, you’ll be looking for a "Class III" digital certificate of the "Microsoft Authenticode" variety. This will often come in two parts: an SPC file, which is the Software Publishing Certificate, and a PVK file, which is the corresponding private key. If you use a utility like MakeCert.exe (which is included in the Windows Platform SDK), you can produce a certificate in a CER file; you’ll need to use the Cert2spc.exe utility (also in the SDK) to convert that to an SPC/PVK file pair.
Next you have to either install the certificate or make it into a PFX file, which includes both halves of the key. I prefer the PFX approach, since you can use the Pvk2Pfx.exe utility (again in the SDK) to combine your SPC file and your PVK file into a password-protected PFX file.
Whew. You only have to do all that nonsense once, thank goodness.
When you’re ready to sign, run this in the shell:
Set-AuthenticodeSignature MyScript.ps1 -cert (Get-PFXCertificate MyCert.pfx)
You’ll be prompted for a password as the certificate loads, and a signature will be applied to the designated script.
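An added example, not part of the original post: it checks that the certificate is usable for code signing before signing, then re-reads the signature and confirms that an edit made after signing is detected. MyScript.ps1 and MyCert.pfx are the post's file names; the temporary copy name is made up for the example.

```powershell
# Added example; file names follow the post, the temp copy name is hypothetical.
$scriptPath = '.\MyScript.ps1'
$cert = Get-PfxCertificate -FilePath '.\MyCert.pfx'   # prompts for the PFX password

# Refuse to sign with a certificate that cannot produce a usable signature.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }

if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain the private key.' }
if (-not $hasCodeSigning)     { throw 'The certificate is not marked for code signing.' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'The certificate is outside its validity period.'
}

# Sign, then report what the cmdlet says about the result.
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
'Signing:      {0} - {1}' -f $result.Status, $result.StatusMessage

# Re-read the signature from disk, independently of the signing call.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
'Verification: {0} (signer thumbprint {1})' -f $check.Status, $check.SignerCertificate.Thumbprint
if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'The script is signed by a different certificate than the one loaded.'
}

# Tamper check on a copy: content changed after signing must not verify as Valid.
$copy = Join-Path $env:TEMP 'MyScript-tampered.ps1'
Copy-Item -Path $scriptPath -Destination $copy -Force
Add-Content -Path $copy -Value '# edited after signing'
$tampered = Get-AuthenticodeSignature -FilePath $copy
Remove-Item -Path $copy
'Tampered:     {0}' -f $tampered.Status
if ($tampered.Status -eq 'Valid') {
    throw 'A modified copy still verified as Valid.'
}
```

A verification status other than Valid on the untouched script means the signature was applied but this machine does not accept it; the StatusMessage property gives the reason.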
Tags: authenticode, certificate, pfx, powershell, sign, signature
February 21st, 2008 at 11:44 am
Is there an easy way to set it up so that all the computers in my domain will trust a certificate created using the steps you laid out in the article?
February 25th, 2008 at 7:38 am
[...] sent this one in, and it’s a doozy. I have two places for you to look: First is at http://www.scriptinganswers.com/essentials/index.php/2008/02/21/how-do-i-sign-a-windows-powershell-sc…, which describes the process I used to sign a script for a new self-paced training video that [...]
March 14th, 2008 at 6:17 am
Sure, you can deploy a root certificate using Group Policy to have your domain computers trust it.