Powershell setup script signing (Execution Policy)

From Birnam Designs Wiki


First, set the execution policy to AllSigned, which requires every script, including ones you write yourself, to carry a valid Authenticode signature. (Restricted is stricter still, but it runs no scripts at all, so it is not useful if you want to run your own signed scripts.) Set-ExecutionPolicy writes the LocalMachine scope by default, so on Vista and later you need to run PowerShell as administrator for this to succeed.

Set-ExecutionPolicy AllSigned

Open the Management console with:

mmc.exe

Then go to File > Add/Remove Snap-in, add the Certificates snap-in for "My user account" and click OK. The snap-in is only for inspecting the certificate stores as you go; the commands below do the actual work.

Run this command to create a self-signed root certificate and place it in the LocalMachine Trusted Root store (makecert ships with the Windows SDK and Visual Studio tools, not with Windows itself, so it may not be on your path; -a sha1 is what the tooling of the time used, SHA-1 is deprecated for code signing, so prefer -a sha256 where your makecert build supports it):

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

Enter a password in the box that pops up and click OK. You will immediately be asked for the same password a second time to confirm it. You should get a success message back in the PowerShell window.

Now run this command to issue a personal code-signing certificate from the root you just made (-iv and -ic point at the root's private key and certificate, -pe makes the new private key exportable, and -ss MY puts the certificate in your personal store):

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

It will ask for the root's password again. Enter it and you should get another success message in the PowerShell window.

You can verify that this has worked with this (the -CodeSigningCert dynamic parameter filters the store to certificates with the code-signing EKU):

Get-ChildItem cert:\CurrentUser\My -CodeSigningCert

You should see a listing that includes the CN=PowerShell User certificate you created. Because the root went into the LocalMachine Trusted Root store, signatures made with this certificate chain to a trusted root. Under AllSigned, PowerShell will still ask once whether to run scripts from this publisher unless the signing certificate is also in the Trusted Publishers store; choosing "Always run" at that prompt puts it there.

Now create a function to actually sign the files. I created a function called sign-file in my $profile that looks like this:

function sign-file {
        param([Parameter(Mandatory)][string]$Path)
        # Use the first code-signing certificate in the current user's personal store
        $cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]
        if (-not $cert) { throw "No code-signing certificate found in cert:\CurrentUser\My" }
        Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
}

Now I can sign files with sign-file filename.ps1
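The same procedure end to end on Windows 10 / Server 2016 and later, where makecert.exe is no longer shipped and New-SelfSignedCertificate replaces it, as an added example that is not part of the original page. The subject "CN=PowerShell User", the path C:\scripts\test.ps1 and the function name Sign-Script are assumptions for illustration. It also covers the two things the makecert version leaves to the reader: putting the signer in Trusted Publishers so AllSigned does not prompt, and checking the signature with Get-AuthenticodeSignature before and after the file is edited.

```powershell
# Added example, not the original page's code. Run in an elevated PowerShell 5.1+ session:
# Set-ExecutionPolicy (LocalMachine scope) and the LocalMachine certificate stores need it.
# Subject name, script path and function name below are assumptions for illustration.

# 1. Require a valid signature on every script, including locally written ones.
Set-ExecutionPolicy AllSigned -Scope LocalMachine

# 2. Create a self-signed code-signing certificate in the current user's personal store.
#    -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3); SHA-256 replaces
#    the SHA-1 the makecert version used.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=PowerShell User" `
    -HashAlgorithm SHA256 -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation Cert:\CurrentUser\My

# 3. Make it trusted. Export the public half only (DER, no private key) and import it into
#    Trusted Root so the chain validates, and into Trusted Publishers so AllSigned runs
#    scripts from this signer without the "untrusted publisher" prompt.
$cerPath = Join-Path $env:TEMP 'PowerShellUser.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
Remove-Item $cerPath

# 4. Signing helper (assumed name). It selects the signer by thumbprint instead of taking
#    "the first code-signing cert", and optionally timestamps the signature so it stays
#    valid after the certificate expires (needs network, e.g. http://timestamp.digicert.com).
function Sign-Script {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Thumbprint = $cert.Thumbprint,
        [string]$TimestampServer
    )
    $signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint
    if (-not $signer) { throw "No code-signing certificate with thumbprint $Thumbprint" }
    $params = @{ FilePath = $Path; Certificate = $signer; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
    Set-AuthenticodeSignature @params
}

# 5. Sign a constructed test script and check the result. Status must be 'Valid';
#    'UnknownError' usually means the chain is not trusted, 'HashMismatch' that the
#    file changed after signing, 'NotSigned' that no signature block is present.
$script = 'C:\scripts\test.ps1'
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
Set-Content -Path $script -Value 'Write-Output "signed script ran"'
Sign-Script -Path $script | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $script
"$($sig.Status) signed by $($sig.SignerCertificate.Subject)"

# Edit the file after signing: the embedded hash no longer matches, so AllSigned refuses it.
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status
```

After any edit to a signed script, run Sign-Script on it again; the signature block at the end of the file is replaced, not appended to. If you later rotate the certificate, scripts signed with the old one keep verifying only while that certificate (and, without a timestamp, its validity period) is still trusted.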

Thanks Scott!

This page was last modified on 11 February 2010, at 20:14.