How To Self-Signed PowerShell Scripts

Last updated: Feb 06, 2021

By default and for security reasons we cannot run PowerShell scripts. Of course we can use -ExecutionPolicy Bypass switch but if we want to increase security it might be interesting to know how to allow signed scripts only. So we will see here how to create and allow signed scripts only.

Group Policy to allow signed scripts only

Open group policy editor :

Go to User Configuration > Administrative Templates > Windows Components > Windows PowerShell :

Edit the Turn on Script Execution policy :

Create Certificate

To sign our scripts we need a certificate. We will see here how to create a self-signed one.

Open Windows PowerShell as administrator :

PowerShell | Open PowerShell Console as administrator

Set a name for your new certificate inside $CertificateName variable :

PS C:\Users\Administrator\Desktop> $CertificateName = "STD Certificate"

Define where you want to create your certificate :

PS C:\Users\Administrator\Desktop> $OutPutPFXFilePath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"

Set the pfx password :

PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText

Finaly create the certificate with 10 years lifetime and 4096 bits key size :

PS C:\Users\Administrator\Desktop> New-SelfSignedCertificate -subject $CertificateName -Type CodeSigning -NotAfter (Get-Date).AddYears(10) -KeyLength 4096 | Export-PfxCertificate -FilePath $OutPutPFXFilePath -password $MyStrongPassword

Signing the script

Load the certificate :

PS C:\Users\Administrator\Desktop> $MyCertFromPfx = Get-PfxCertificate -FilePath 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
Enter password : ********

Sign the script :

PS C:\Users\Administrator\Desktop> Set-AuthenticodeSignature -PSPath 'C:\Users\administrator\Desktop\script.ps1' -Certificate $MyCertFromPfx

PowerShell | Sign a script with Set-AuthenticodeSignature command

Import Certificate

To be correctly recognized, a self-signed certificate need to be imported on the computers on which we want to run the PowerShell scripts. So type the following commands with administrator rights.

Set variables

Set the pfx password and certificate path :

PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText

PS C:\Users\Administrator\Desktop> $CertPath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"

Import to Trusted Root Certification Authorities store

Import certificate to the Trusted Root Certification Authorities local computer store :

PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath "cert:\LocalMachine\Root" -Password $MyStrongPassword

PowerShell | Self certificate inside Trusted Root Certificates Authorities Store

Import to Trusted Publishers store

Import certificate to the Trusted Publishers local computer store :

PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath "cert:\LocalMachine\TrustedPublisher" -Password $MyStrongPassword

Check signature

We can check if the script is correctly signed with the Get-AuthenticodeSignature command :

PS C:\Users\Administrator\Desktop> Get-AuthenticodeSignature 'C:\Users\administrator\Desktop\script.ps1'

PowerShell | Check if a script is correctly signed with Get-AuthenticodeSignature command

If the script has been altered after it has been signed, the HashMismacth status will appear and the script could not be executed :

PowerShell | File cannot be loaded. The contents of file might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.

References

https://www.scriptinglibrary.com

Computing

Music

Misc