How To Self-Signed PowerShell Scripts

By default and for security reasons we cannot run PowerShell scripts. Of course we can use -ExecutionPolicy Bypass switch but if we want to increase security it might be interesting to know how to allow signed scripts only. So we will see here how to create and allow signed scripts only.

Group Policy to allow signed scripts only

  • Open group policy editor :
Windows | Run gpedit.msc
  • Go to User Configuration > Administrative Templates > Windows Components > Windows PowerShell :
GPO | Windows PowerShell policies
  • Edit the Turn on Script Execution policy :
GPO | Turn on Script Execution policy

Create Certificate

To sign our scripts we need a certificate. We will see here how to create a self-signed one.

  • Open Windows PowerShell as administrator :
PowerShell | Open PowerShell Console as administrator
  • Set a name for your new certificate inside $CertificateName variable :
PS C:\Users\Administrator\Desktop> $CertificateName = "STD Certificate"
  • Define where you want to create your certificate :
PS C:\Users\Administrator\Desktop> $OutPutPFXFilePath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"
  • Set the pfx password :
PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
  • Finaly create the certificate with 10 years lifetime and 4096 bits key size :
PS C:\Users\Administrator\Desktop> New-SelfSignedCertificate -subject $CertificateName -Type CodeSigning -NotAfter (Get-Date).AddYears(10) -KeyLength 4096 | Export-PfxCertificate -FilePath $OutPutPFXFilePath -password $MyStrongPassword

Signing the script

  • Load the certificate :
PS C:\Users\Administrator\Desktop> $MyCertFromPfx = Get-PfxCertificate -FilePath 'C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx'
Enter password : ********
  • Sign the script :
PS C:\Users\Administrator\Desktop> Set-AuthenticodeSignature -PSPath 'C:\Users\administrator\Desktop\script.ps1' -Certificate $MyCertFromPfx
PowerShell | Sign a script with Set-AuthenticodeSignature command

Import Certificate

To be correctly recognized, a self-signed certificate need to be imported on the computers on which we want to run the PowerShell scripts. So type the following commands with administrator rights.

Set variables

  • Set the pfx password and certificate path :
PS C:\Users\Administrator\Desktop> $MyStrongPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
PS C:\Users\Administrator\Desktop> $CertPath = "C:\Users\administrator\Desktop\MyNewSigningCertificate.pfx"

Import to Trusted Root Certification Authorities store

  • Import certificate to the Trusted Root Certification Authorities local computer store :
PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath "cert:\LocalMachine\Root" -Password $MyStrongPassword
PowerShell | Self certificate inside Trusted Root Certificates Authorities Store

Import to Trusted Publishers store

  • Import certificate to the Trusted Publishers local computer store :
PS C:\Users\Administrator\Desktop> Import-PfxCertificate -FilePath $CertPath "cert:\LocalMachine\TrustedPublisher" -Password $MyStrongPassword
PowerShell | Self certificate inside Trusted Root Certificates Authorities Store

Check signature

  • We can check if the script is correctly signed with the Get-AuthenticodeSignature command :
PS C:\Users\Administrator\Desktop> Get-AuthenticodeSignature 'C:\Users\administrator\Desktop\script.ps1'
PowerShell | Check if a script is correctly signed with Get-AuthenticodeSignature command
  • If the script has been altered after it has been signed, the HashMismacth status will appear and the script could not be executed :
PowerShell | File cannot be loaded. The contents of file might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature.

References

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :