How To Digitally Sign a Microsoft PowerShell Script with a Third-Party Code Signing Certificate (Update April 4, 2012)

I recently wrote an article on using Microsoft PowerShell to document a Citrix XenApp 6.0 farm.  I am also in the process of finishing up follow-up articles for XenApp 5 and XenApp 6.5.  One of the options I wanted to make available is a digitally signed copy of the script used in that article.  As there may be environments where only signed PowerShell scripts are allowed, I want to make signed copies of all my PowerShell scripts available.  I still consider myself a PowerShell rookie, so I wanted to document what I had to go through to sign a PowerShell script.

The first thing needed is to request a code signing certificate.  At DigiCert, I clicked on Code Signing Certificates (Figure 1).

Figure 1

I then selected Buy Now (Figure 2).

Figure 2

I then selected Code Signing Cert, a Validity Period and clicked Continue (Figure 3).

Figure 3

Next, I selected Microsoft Authenticode and clicked Continue (Figure 4).

Figure 4

Next, I filled in my Organization Details and clicked Continue (Figure 5).

Figure 5

I then filled in my Contact Details and clicked Continue (Figure 6).

Figure 6

I removed the Payment step information.  I selected I agree to the Terms of Service above and clicked Complete Order (Figure 7).

Figure 7

I then received an e-mail from DigiCert Support asking me to verify that I did request a Code Signing Certificate.  After I replied to the e-mail in the affirmative, I received another e-mail with a link to create the code-signing certificate (Figure 8).

Figure 8

Clicking the link in the e-mail opens my Internet browser with the following popup (Figure 9).  I clicked Yes.

Figure 9

That took me to the web site shown in Figure 10, where I clicked Generate Certificate.

Figure 10

That took me to the web page shown in Figure 11.

Figure 11

I verified in Internet Explorer that the certificate is installed (Figure 12 and Figure 13).

Figure 12

Figure 13

On the computer where the Code Signing Certificate was installed, I started a PowerShell session running as Administrator.  Using the information from Don Jones’ Windows PowerShell 2.0 TFM book on page 149, I entered the following PowerShell command (the trailing backtick is PowerShell's line-continuation character, so the command can also be typed as one long line).  The -TimestampServer parameter has DigiCert's timestamp authority countersign the signature, so the script keeps verifying after the code signing certificate itself expires; the @(...)[0] picks the first code-signing certificate in the current user's personal store, so if more than one is installed, select it by thumbprint instead:

Set-AuthenticodeSignature `
"C:\Users\cwebster\Documents\carlwebster.com\Documenting a Citrix XenApp 6 Farm with Microsoft PowerShell\XA6_Inventory_Signed.ps1" `
-TimestampServer "http://timestamp.digicert.com/" @(Get-Childitem cert:\CurrentUser\My -codesigning)[0]

The command returns a successful signing (Figure 14).

Figure 14

Opening my script shows the added signature block (Figure 15).

Figure 15
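As an added example (not the article's own script), here is the signing step above written as a reusable function that selects a usable code-signing certificate from Cert:\CurrentUser\My, timestamps the signature, and re-reads the file to confirm that the signature actually verifies instead of trusting the return value.  The sample script it signs is constructed here, and the function name and its -Thumbprint parameter are assumptions of this example, not part of the original.

```powershell
# Added example, not from the original article.
# Assumes a code-signing certificate with its private key is already installed in
# Cert:\CurrentUser\My (as in the article). The sample script path is constructed.

function Add-ScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Thumbprint,                                   # hypothetical: pin one cert when several are installed
        [string] $TimestampServer = 'http://timestamp.digicert.com'
    )

    # Only certificates with the Code Signing EKU that are unexpired and have a private key;
    # prefer the one that stays valid longest.
    $certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate with a private key in Cert:\CurrentUser\My' }

    # -HashAlgorithm needs PowerShell 3.0 or later; the article's PowerShell 2.0 defaulted to SHA1.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -TimestampServer $TimestampServer -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') {
        # e.g. UnknownError when the chain does not end in a trusted root
        throw "Signing failed for $Path : $($sig.Status) - $($sig.StatusMessage)"
    }

    # Re-read the signature from disk rather than relying on the object Set-AuthenticodeSignature returned.
    $check = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $check.Status
        Signer      = $check.SignerCertificate.Subject
        Thumbprint  = $check.SignerCertificate.Thumbprint
        TimeStamped = [bool]$check.TimeStamperCertificate
    }
}

# Constructed sample script to sign (not the article's XA6_Inventory_Signed.ps1).
$sample = Join-Path $env:TEMP 'Sample_Signed.ps1'
@'
Write-Host "Hello from a signed script"
'@ | Set-Content -Path $sample -Encoding UTF8

Add-ScriptSignature -Path $sample | Format-List
```

If the timestamp server cannot be reached, the signature is still written but TimeStamped comes back $false; a signature without a countersignature stops verifying the day the certificate expires, so treat that as a failure when signing for distribution.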

To verify the newly signed script, I went to my XenApp 6 server, copied the signed script to the C:\PSScripts folder, started a PowerShell session as Administrator and changed to the C:\PSScripts folder.  I then set the PowerShell script execution policy to AllSigned (Figure 16).

Figure 16

I then tried to run the original unsigned script (Figure 17).  The script would not run because it is not digitally signed.

Figure 17

I then tried to run the signed script (Figure 18).

Figure 18

I answered A to Always run scripts signed by me (Figure 19) and the script runs successfully.

Figure 19

By answering Always run, my code signing certificate was installed on the server in the Trusted Publishers store (Figure 20).  This is also why the prompt appears at all even though the certificate chains to a DigiCert root that Windows already trusts: under AllSigned, PowerShell requires the signer's own certificate to be in Trusted Publishers (and not in Untrusted Publishers) before it will run the script without asking.

Figure 20

The next time I run the signed script, the script automatically runs (Figure 21).

Figure 21
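As an added example (not from the original article), the verification steps above made explicit on the server side: inspect the signature status of each script, show that a signed script whose content has been changed fails with HashMismatch, and pre-populate the Trusted Publishers store for the whole machine so that no user has to answer the prompt.  It assumes the signed script from the article exists at C:\PSScripts\XA6_Inventory_Signed.ps1; the tampered copy and the function names are constructed for this example.

```powershell
# Added example, not from the original article.
# Assumes the article's signed script exists at $SignedScript. Run elevated for Add-TrustedPublisher.

function Test-TrustedPublisher {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert) { return $false }
    # PowerShell consults both the per-user and the machine Trusted Publishers stores.
    foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
        if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }) { return $true }
    }
    return $false
}

function Test-ScriptSignature {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script     = Split-Path $Path -Leaf
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Trusted    = Test-TrustedPublisher $sig.SignerCertificate
    }
}

function Add-TrustedPublisher {
    # Machine-wide equivalent of answering [A] Always run, which only populates the
    # interactive user's own Trusted Publishers store.
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Import only the public certificate (RawData); no private key is involved.
        $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cert.RawData)
        $store.Add($public)
    } finally {
        $store.Close()
    }
}

$SignedScript = 'C:\PSScripts\XA6_Inventory_Signed.ps1'   # assumed to exist, per the article

# Constructed tamper case: insert one line ahead of the signed content. The signature block
# is still present, but the hash it covers no longer matches the file.
$tampered = Join-Path $env:TEMP 'XA6_Inventory_Tampered.ps1'
@('Write-Host "injected line"') + (Get-Content $SignedScript) | Set-Content -Path $tampered

$SignedScript, $tampered | ForEach-Object { Test-ScriptSignature -Path $_ } | Format-Table -AutoSize

# Trust the publisher once for every user on this server instead of once per interactive user.
$sig = Get-AuthenticodeSignature -FilePath $SignedScript
if ($sig.Status -eq 'Valid' -and -not (Test-TrustedPublisher $sig.SignerCertificate)) {
    Add-TrustedPublisher -Cert $sig.SignerCertificate
}

Get-ExecutionPolicy -List   # confirm AllSigned is set at the scope you expect
```

Only the signer's leaf certificate is added, and only after its signature on a known-good script verifies as Valid; adding the issuing CA's certificate to Trusted Publishers would trust every code-signing customer of that CA, which is not what the prompt in Figure 19 grants.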

What I learned is that digitally signing PowerShell scripts is simple to do.  It is not cheap, but it is simple.


About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


4 Responses to “How To Digitally Sign a Microsoft PowerShell Script with a Third-Party Code Signing Certificate (Update April 4, 2012)”

  1. Barry Schiffer Says:

    Thanks for the manual Carl. Now I don’t have to send you all my scripts to get them signed!


  2. CM Says:

    I’m not entirely familiar with certificates, but if this is signed by Digicert, shouldn’t your computer already trust it? Am I overlooking something?

    Regards,

    CM


    • Carl Webster Says:

      This is a Code Signing certificate which is treated differently. This is a much higher level of trust. Just see the recent Adobe incident.

      Thanks

      Webster


  3. Alain Assaf Says:

    Carl,

    Thanks for this. I recently got my employer to turn on code-signing on our local CA and now I can run scripts in our XenApp environment as a regular user.

    Thanks,
    Alain

