Wednesday, January 2, 2013

How to sign powershell scripts

In order to sign powershell scripts, code signing certificate is needed. Finding code signing certificates from user personal certificate store and storing it to a variable called $signcert can be done using following powershell command:

$signcert = (dir cert:currentuser\my\ -CodeSigningCert)
 
After storing the certificate for signing into $signcert, we can use Set-AuthenticodeSignature to sign the script. I'm running the Set-AuthenticodeSignature with TimeStampServer parameter, that will provide signed script to run even though the signing certificate gets expired. In most cases this scenario will be OK.
There are a lot of TimeStampServer providers, in my example I'll use server from Comodo. So, the signing script cmdlet will look like this :

Set-AuthenticodeSignature .\scripttobesigned.ps1 $signcert -TimestampServer http://timestamp.comodoca.com/authenticode

There is great two part tutorial about signing scripts on:
http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/16/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx

 

No comments:

Post a Comment