Signing PowerShell scripts for execution
On Windows 11, running PowerShell script files may be blocked by the execution policy. So how can one still use scripts to automate repetitive tasks? Set the execution policy to AllSigned and run only signed scripts. Keep in mind what that buys you: the execution policy is a safety feature against running scripts unintentionally, not a security boundary (it can be overridden from the command line, for example with powershell.exe -ExecutionPolicy Bypass), so signing protects your own workflow against accidental execution and tampered scripts rather than against a determined attacker.
Get-ExecutionPolicy
Run that command in PowerShell. If it returns Restricted (the default on Windows client editions), no script files will run, your own included.
Set-ExecutionPolicy AllSigned
This sets the strictest practical policy: every script, including your own, must carry a valid Authenticode signature from a publisher the machine trusts. (Set-ExecutionPolicy changes the LocalMachine scope by default, which needs an elevated prompt; add -Scope CurrentUser to change it for your own account only.) That in turn means you need a code-signing certificate: not a CA certificate itself, but a certificate with the Code Signing extended key usage, issued by a CA whose root the machine trusts. With such a certificate exported to a PFX file (Get-PfxCertificate will prompt for its password), signing looks like this:
Set-AuthenticodeSignature -Certificate (Get-PfxCertificate -FilePath "path\to\certificate.pfx") -FilePath "path\to\script.ps1" -TimestampServer "http://timestamp.digicert.com"
It is not the simplest of approaches, is it?
But then, what is? It's not like you'd want unsigned scripts to run, right?
So, how do I create a CA?
It is up to you, feel free to choose any way you like. :)
In general, one might use a CA service, or follow these steps:
- Install Linux plus the necessary tools: depending on your distribution, you may need to install OpenSSL, GnuTLS, or similar tools to create and manage certificates.
- Create a root CA certificate: use the openssl req command with -x509 to create a private key and a self-signed root CA certificate. You can specify the details of your CA, such as the common name (CN), organization (O), and country (C), on the command line. Give it the basicConstraints CA:TRUE and keyUsage keyCertSign extensions so that Windows accepts it as an issuer.
- Create an intermediate CA certificate: it is generally recommended to issue your signing certificates from an intermediate CA rather than from the root directly. This lets you keep the root key offline while still issuing certificates day to day. Use the openssl req command to create a certificate signing request (CSR) for the intermediate CA, then use the openssl ca command (or openssl x509 -req with an extension file) to sign the CSR with your root CA, again with CA:TRUE, and with pathlen:0 so it cannot issue further CAs.
- Issue a code-signing certificate and sign your scripts: the intermediate CA does not sign scripts itself. Use it to issue a leaf certificate with basicConstraints CA:FALSE, keyUsage digitalSignature and extendedKeyUsage codeSigning (OID 1.3.6.1.5.5.7.3.3), then bundle the leaf key, the leaf certificate and the intermediate certificate into a PFX with openssl pkcs12 -export. On the Windows side, import the root certificate into the Trusted Root Certification Authorities store (and the leaf into Trusted Publishers, otherwise AllSigned asks about the untrusted publisher on every script), and sign with Set-AuthenticodeSignature as shown above. A raw signature made with openssl dgst and openssl pkeyutl is a detached signature that PowerShell does not understand: Authenticode embeds the signature in a comment block at the end of the .ps1 file, and only that form satisfies the execution policy.
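The following is an added example, not code from the original post, that walks the whole procedure end to end on a single Windows machine: it stands in for the openssl steps above with PowerShell's New-SelfSignedCertificate (root CA, intermediate CA, leaf code-signing certificate, the same structure as the list), installs the trust, signs a script as in the Set-AuthenticodeSignature command earlier, verifies it, shows what tampering does, and finally runs it under AllSigned. It assumes Windows 10/11 with the PKI module, an elevated PowerShell (the LocalMachine store imports need admin), and hypothetical names and paths: Lab Root CA, Lab Issuing CA, Lab Script Signer, C:\lab.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with the
# PKI module (New-SelfSignedCertificate), an elevated PowerShell for the
# LocalMachine store imports, and hypothetical names/paths: Lab Root CA,
# Lab Issuing CA, Lab Script Signer, C:\lab.
$ErrorActionPreference = 'Stop'
$lab = 'C:\lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null

# 1. Root CA: CA=true basic constraint, certificate-signing key usage.
#    In real use this key lives offline; here it only issues the intermediate.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Lab Root CA' `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -KeyLength 3072 -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=1') `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Intermediate (issuing) CA, signed by the root; pathlength=0 means it may
#    issue end-entity certificates only, never further CAs.
$issuing = New-SelfSignedCertificate -Type Custom -Subject 'CN=Lab Issuing CA' -Signer $root `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -KeyLength 3072 -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -CertStoreLocation Cert:\CurrentUser\My

# 3. Leaf code-signing certificate. -Type CodeSigningCert sets the Code Signing
#    EKU (1.3.6.1.5.5.7.3.3) that Authenticode requires; the CA certificates
#    themselves are never used to sign scripts.
$signer = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Script Signer' `
    -Signer $issuing -KeyExportPolicy Exportable -HashAlgorithm SHA256 -KeyLength 3072 `
    -NotAfter (Get-Date).AddYears(1) -CertStoreLocation Cert:\CurrentUser\My

# 4. Trust: root -> Trusted Root CAs (chain builds), intermediate -> Intermediate
#    CAs (chain resolves), leaf -> Trusted Publishers (AllSigned runs it without
#    the "untrusted publisher" prompt). Only public certificates are exported.
foreach ($pair in @(@($root, 'Root'), @($issuing, 'CA'), @($signer, 'TrustedPublisher'))) {
    $cerFile = Join-Path $lab ("{0}.cer" -f $pair[1])
    Export-Certificate -Cert $pair[0] -FilePath $cerFile -Force | Out-Null
    Import-Certificate -FilePath $cerFile -CertStoreLocation "Cert:\LocalMachine\$($pair[1])" | Out-Null
}

# Optional: PFX for signing on another machine (what Get-PfxCertificate reads).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for signer.pfx'
Export-PfxCertificate -Cert $signer -FilePath "$lab\signer.pfx" -Password $pfxPassword -Force | Out-Null

# 5. Sign. No -TimestampServer here so the example runs offline; add one in
#    production so the signature stays valid after the certificate expires.
$script = "$lab\hello.ps1"
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $signer -HashAlgorithm SHA256
'{0}: {1}' -f $sig.Status, $sig.SignerCertificate.Subject

# 6. Verify, then show that any change to the signed text is caught.
(Get-AuthenticodeSignature -FilePath $script).Status
(Get-Content -Path $script) -replace 'hello', 'tampered' | Set-Content -Path $script
(Get-AuthenticodeSignature -FilePath $script).Status

# 7. Under AllSigned the tampered file is refused; a re-signed one runs.
Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force
try { & $script } catch { Write-Warning "refused: $($_.Exception.Message)" }
Set-AuthenticodeSignature -FilePath $script -Certificate $signer -HashAlgorithm SHA256 | Out-Null
& $script
```

After step 5 the signature status is Valid and the signer subject is the leaf, not a CA; after the edit in step 6 it becomes HashMismatch, which is exactly what AllSigned refuses in step 7 until the file is signed again. The trust relationship rests on two stores: without the root in Trusted Root Certification Authorities the chain does not build and the status is UnknownError, and without the leaf in Trusted Publishers AllSigned prompts for every run instead of executing silently. Remove the lab certificates from those stores when you are done, since anything signed with the leaf key will run on this machine as long as they stay there.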