
Powershell code signing script

[Figure: Code Signing Script in Action]

By default, Microsoft ships PowerShell with script execution disabled.

For security reasons I agree with restricting script execution by default. Can you imagine the onslaught of PowerShell-based malware that would have been brought on by any other decision? However, Microsoft makes it prohibitively inconvenient to enable a script signing policy that is both secure and conducive to a fluid workflow.

For the most part, in my observation, anyone who needs to run a PowerShell script simply sets their execution policy to Unrestricted and moves on.

In a future post I will detail the steps for creating a code signing certificate chain, but for now I’ll post the script that I use to put my code signing certificate to use. Any script of mine that runs in a production environment, whether in my home lab or at work, is put through this signing process.

There is no magic here: the script simply lists the available code signing certificates in your certificate store, asks which one you would like to use, then signs the specified script.

# Usage: SignScripts.ps1 TargetScript
if ($args.Count -gt 0)
{
    if (Test-Path $args[0])
    {
        # -CodeSigningCert returns only certs with the Code Signing EKU and a private key;
        # @() forces an array even when a single cert (or none) comes back
        $certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)

        if ($certs.Count -eq 0)
        {
            Write-Host "No code signing certificates found in Cert:\CurrentUser\My. No scripts were signed."
            exit 1
        }

        # List the available certificates with an index the user can pick
        for ($i = 0; $i -lt $certs.Count; $i++)
        {
            "[{0} -- {1}]" -f $i, $certs[$i].Subject
        }

        $a = Read-Host "Select the corresponding number for the code signing cert to use"

        # Read-Host returns a string; make sure it is a valid index before using it
        if (-not ($a -match '^\d+$') -or [int]$a -ge $certs.Count)
        {
            Write-Host "Invalid selection '$a'. No scripts were signed."
            exit 1
        }

        $cert = $certs[[int]$a]
        Write-Host ("Code signing {0} with {1}" -f $args[0], $cert.Subject)
        Set-AuthenticodeSignature -FilePath $args[0] -Certificate $cert
    }
    else
    {
        Write-Host "Unable to find specified file $($args[0]). No scripts were signed."
    }
}
else
{
    Write-Host "Usage: SignScripts.ps1 TargetScript"
}
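As an added example that is not part of the original post, here is the defender-side counterpart to the signing script: it audits every .ps1 under a folder with Get-AuthenticodeSignature and reports which files would be blocked once an AllSigned execution policy is in force. The folder path parameter is an assumption.

```powershell
# Added example, not from the original post: audit the scripts a signing policy
# would cover. The $Path parameter is an assumed input.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Show what the machine will actually enforce; AllSigned (or RemoteSigned) is
# what makes the signatures produced by the signing script matter at all.
Get-ExecutionPolicy -List | Format-Table -AutoSize

$results = Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Script     = $_.FullName
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Expires    = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        Message    = $sig.StatusMessage
    }
}

$results | Sort-Object Status, Script | Format-Table -AutoSize

# Anything other than Valid deserves a look:
#   NotSigned    - the file never went through the signing step
#   HashMismatch - the file was edited after it was signed (tampering, or an
#                  unsigned hotfix that quietly bypassed the process)
#   UnknownError - typically a signing cert whose chain is not trusted on this
#                  host (issuer missing from Trusted Root / Trusted Publishers);
#                  StatusMessage says which
$problems = @($results | Where-Object { $_.Status -ne 'Valid' })

if ($problems.Count -gt 0) {
    Write-Warning ("{0} of {1} scripts would be blocked under an AllSigned execution policy." -f $problems.Count, @($results).Count)
    exit 1
}
```

Run it against the same folders the signing script feeds; a HashMismatch on a script you signed yesterday is the first sign that something touched the file after the fact.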