I needed to sign a PowerShell script today, and thought it could be of interest for others as well. So here are the steps.
First of all, you need to request/obtain a code-signing certificate. I usually do this by creating my own certificate template, requesting a certificate from it, and using a GPO to distribute that certificate to the Trusted Publishers store. This is not covered by this post, but it is pretty straightforward.
So, back to signing scripts. If you get this error message when trying to run a script (the script cannot be loaded; the .ps1 file is not digitally signed), many just change the execution policy to Unrestricted… It is fast, but might not be the best solution :)
It is easy to sign a script once you have the basics in place (a code-signing certificate, and that certificate distributed to the clients' Trusted Publishers certificate store).
On the machine you want to sign the script from, you need to install the code-signing certificate in either the Computer or the User store. I use the Computer store in this example. To make sure you have the code-signing certificate, run the following command:
Get-ChildItem cert:\LocalMachine\my -CodeSigningCert
This command lists the code-signing certificates installed on the local computer.
Then run this command to store the certificate in a variable called $cert:
$cert = Get-ChildItem cert:\LocalMachine\my -CodeSigningCert
Then sign the script with this command:
Set-AuthenticodeSignature -Certificate $cert -FilePath C:\Install\Get-DAGHealth.ps1
As you can see at the bottom of the script, a signature block has been added.
Remember, if you change the script now, it needs to be signed again :)
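Putting the steps above together, with the verification a client will perform and a check that shows the re-sign caveat in action. This is an added example, not code from the original post; the script path is the one used above, and the timestamp server URL is an assumption (use the one your CA provides):

```powershell
# Added example (not from the original post): sign a script, verify it, and
# show that editing the file afterwards invalidates the signature.
# Assumptions: the code-signing certificate sits in the LocalMachine store,
# the script path is the one from the post, and the timestamp URL is a
# placeholder for your CA's RFC 3161 timestamp service.
$scriptPath  = 'C:\Install\Get-DAGHealth.ps1'
$timestamper = 'http://timestamp.digicert.com'   # assumed; replace with your CA's

# Pick the code-signing certificate; fail loudly if none or several are present
$certs = @(Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
           Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one valid code-signing certificate, found $($certs.Count)"
}
$cert = $certs[0]

# Sign with SHA-256 and a timestamp, so the signature remains valid after the
# signing certificate itself expires. NotRoot embeds the intermediate chain.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $timestamper -IncludeChain NotRoot
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verification: this is what a client with the publisher in Trusted Publishers checks
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"{0}: {1} (signed by {2})" -f $scriptPath, $check.Status, $check.SignerCertificate.Subject

# The caveat from the post: any edit after signing breaks the signature.
# Done on a copy, so the signed script stays intact.
$copy = Join-Path $env:TEMP 'Get-DAGHealth-edited.ps1'
$edited = "# edited after signing`r`n" + (Get-Content -Path $scriptPath -Raw)
Set-Content -Path $copy -Value $edited -NoNewline
$after = Get-AuthenticodeSignature -FilePath $copy
"$copy after edit: $($after.Status)"   # no longer Valid (typically HashMismatch)
Remove-Item -Path $copy -Force
```

Access to the private key in the LocalMachine store normally requires an elevated session; the user store avoids that if you sign as a regular user.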