Q. How can I sign my PowerShell script?
A. If you have the execution policy set to AllSigned then all scripts on a machine must be signed. To sign a PowerShell script two things are required:
- You need a code signing certificate (a template exists with AD CS, just copy the template on your CA, make whatever changes are required then publish)
- The code signing certificate must be stored in the Trusted Publishers folder of all machines that will run the script (this can be installed manually or via Group Policy)
Once these requirements are met the actual signing is very simple. Firstly store your code signing certificate in a variable, for example:
$cert = @(gci cert:\currentuser\my -codesigning)[0]
The code above uses the certificate provider to list every certificate in your personal store that can be used for code signing and selects the first one (array item 0). Then to use the certificate to sign your script use:
Set-AuthenticodeSignature script.ps1 $cert
If you open the PowerShell script it will now have a large signature block at the end. If you try to change the code, the signature becomes invalid and the script will not execute.
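The steps above end to end, as an added example rather than code from the original answer: it picks the first code-signing certificate, signs the script, verifies the result with Get-AuthenticodeSignature, and then checks a modified copy to show that the signature no longer validates. The script path is a placeholder; a code-signing certificate is assumed to be present in the current user's personal store.

```powershell
# Added example, not from the original answer. Assumes a code-signing certificate
# exists in Cert:\CurrentUser\My and that $ScriptPath points at a real script.
$ScriptPath = 'C:\Scripts\script.ps1'   # placeholder path, change to your script

# Select the first certificate usable for code signing (array item 0).
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script. -TimestampServer can be added so the signature stays valid
# after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify the signed file and show who signed it.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
'{0}: {1} (signer: {2})' -f $ScriptPath, $check.Status, $check.SignerCertificate.Subject

# Tamper check on a copy: insert a line before the signed content and re-verify.
$copy = Join-Path $env:TEMP 'tampered-copy.ps1'
$lines = Get-Content -Path $ScriptPath
@('# line added after signing') + $lines | Set-Content -Path $copy
$tampered = Get-AuthenticodeSignature -FilePath $copy
'{0}: {1}' -f $copy, $tampered.Status
Remove-Item -Path $copy -Force
```

The status reported for the modified copy is what AllSigned checks before running a script, so the same Get-AuthenticodeSignature call is a quick way to audit which scripts on a machine would be refused.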