Windows – How to sign a PowerShell script easily

code-signingpowershellscriptSecuritywindows

I'd prefer using the AllSigned execution policy with PowerShell, but self-signing my scripts seems to require several hundreds of megabytes of downloading and installation and the signing process seems to be a hassle.

Is there a simpler way to sign a PowerShell script than described in the documentation?

Best Answer

To do the signing you can use the Set-AuthenticodeSignature cmdlet. This, of course, requires a certificate. If you have a Certificate Authority (unlikely) that will be able to create a code signing certificate. Otherwise there are various tools to create a self-signed certificate.

You install the certificate in your certificate store (open the .cer or .pfx file in Windows Explorer to do this), and then pass it to Set-AuthenticodeSignature (the cert: provider/drive gives access to certificates in your store).

Use

help about_signing

or the online version of that help topic for details (including creating a self-signed certificate using the Windows SDK tools^[1]).

^[1] I assume this is the big download you're referring to: you can just install the bits you need, or make use of other tools (OpenSSL includes certificate generation). Getting the SDK is, for this purpose, a one-off activity.

Related Solutions

PowerShell – Running Scripts Without Admin Privileges

Try running the script like this from the Run prompt or a Shortcut:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File D:\myfiles\get_prices.ps1

Windows 10 Logon Script Execution location

The long and short of it is, for compatibility with AppLocker, Microsoft built into powershell v5 a write of a .ps1 file (and potentially a .psm1) to %temp% when launching to determine what Language Mode to start in.

It's good security practice to monitor scripts that launch from %temp%. Unfortunatly, if you use an application whitelisting application to do that (like Bit9 or AppLocker) and create a rule to monitor for powershell scripts using that directory based on file extension, there's a good chance every time powershell is launched it will trigger that rule.

At least in my case, that means any time a .ps1 file is run under user context (such as a powershell logon script), it will trigger the notification from the whitelisting app and potentially block the script. Script signing and execution policy setting were irrelevant in my testing.

Some relevant links for further information:

https://www.sysadmins.lv/blog-en/powershell-50-and-applocker-when-security-doesnt-mean-security.aspx

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

https://community.spiceworks.com/topic/1451109-srp-whitelist-causing-odd-behavior-in-powershell-v5

Best Answer

Related Solutions

PowerShell – Running Scripts Without Admin Privileges

Windows 10 Logon Script Execution location

Related Question