Sign PowerShell scripts with free code signing certificate!

Last updated September 13th, 2013 by Steven Jordan

Problem:  Incorporate code signing scripts in PowerShell.

Setting the PowerShell script execution policy to Unrestricted is poor practice; don't do it!  A compromised computer is especially dangerous with unrestricted PowerShell scripts.  Exceptions may include one-time use, but don't forget to change the execution policy back to Restricted.

  1. Generate a free code signing certificate using Windows SDK (free download from Microsoft).

    Global PKI code signing certificates are expensive. Unless you plan to distribute your PowerShell script outside your organization, a code signing certificate from a public CA is not necessary.
  2. Sign all PowerShell scripts with the self-generated code signing certificate.
  3. Change PowerShell execution policy to AllSigned.
  4. Import the self-generated code signing certificate to the Trusted Root Certification Authorities using the Certificate Manager, or distribute it to domain resources with Group Policy.

All PowerShell scripts must be signed with a code signing certificate to maintain server integrity.  All self-generated code signing certificates must be considered a Trusted Root to maintain functionality.
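
The four steps above as one script, added here as an example and not taken from the original post or the Kreelbits instructions. It swaps `New-SelfSignedCertificate` (Windows 10 / Server 2016 or later) in for the Windows SDK tooling in step 1; the certificate subject, `C:\Scripts` and the `.cer` file name are assumptions.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumed names: the certificate subject, C:\Scripts and the .cer file name.

# Step 1 (substitute): create a self-signed code signing certificate.
# New-SelfSignedCertificate stands in for the Windows SDK tooling.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Internal Script Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Step 2: sign every script under the (assumed) script folder.
$scriptRoot = 'C:\Scripts'
$scripts = Get-ChildItem -Path $scriptRoot -Filter '*.ps1' -Recurse
foreach ($script in $scripts) {
    Set-AuthenticodeSignature -FilePath $script.FullName -Certificate $cert | Out-Null
}

# Step 3: require a valid signature on every script.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Step 4: export the public certificate only (the private key stays in the
# signer's store) and import it into Trusted Root Certification Authorities.
$cerPath = Join-Path $env:TEMP 'example-script-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Check: list scripts whose signature does not verify. NotSigned = never signed,
# HashMismatch = changed after signing, UnknownError typically means the
# certificate chain does not end in a trusted root.
foreach ($script in $scripts) {
    $sig = Get-AuthenticodeSignature -FilePath $script.FullName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Path   = $script.FullName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}
```

An empty result from the final loop means every script under the folder carries a signature that chains to the imported root; rerunning that loop on a schedule flags scripts edited after signing.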

Please visit the Kreelbits Blog for detailed instructions on how to implement the above steps.  Great work +Scott Kreel!

