Use an authenticode signature to sign a PowerShell script or other file.

      Set-AuthenticodeSignature [-filePath] string[]
           [-certificate] X509Certificate2  [-includeChain string]
              [-timeStampServer string] [-HashAlgorithm string]
                 [-force] [-whatIf] [-confirm] [CommonParameters]
   -FilePath path
      The path to a file that is being signed. {may be piped}

   -Certificate X509Certificate2
       The certificate that will be used to sign the script/file.
       (use an expression or variable that gets the certificate via 
       Get-PfxCertificate or Get-ChildItem)

   -includeChain string
       What should be included in the digital signature: 
        "Signer" : Include only the signer's certificate.
        "NotRoot": Include all of the certificates in the certificate chain,
                   except for the root authority. (this is the default)
        "All"    : Include all certificates in the certificate chain.

   -TimeStampServer string
       Use a timestamp server to certify the time that the certificate
       was added to the file. string = the URL of the timestamp server.

       Override restrictions that prevent the command from succeeding, apart
       from security settings. e.g. -force will append a signature to a read-only file,
       but will not override security permissions.

   -HashAlgorithm string
       The hashing algorithm that Windows uses to compute the digital signature for the file.
       The default is SHA1, which is the Windows default hashing algorithm.

Files that are signed with a different hashing algorithm might not be recognized on other systems. -WhatIf Describe what would happen if you executed the command without actually executing the command. -Confirm Prompt for confirmation before executing the command. CommonParameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable, -OutBuffer -OutVariable.

If the certificate is not valid or does not have code-signing authority, the command will fail.

To create a self-signed certificate, use MakeCert.exe, (available in the Microsoft .NET Framework SDK) for details see: Get-Help about_signing


Retrieve a code-signing certificate from the certificate provider and use it to sign a PowerShell script:

PS C:\>$cert=Get-ChildItem -FilePath cert:\CurrentUser\my -CodeSigningCert
PS C:\>Set-AuthenticodeSignature PsTest.ps1 -cert $cert

Find a code signing certificate and use it to sign a PowerShell script:

PS C:\>$cert = Get-PfxCertificate C:\Test\Mysign.pfx
PS C:\>Set-AuthenticodeSignature -Filepath C:\myscript.ps1 -Cert $cert

Add a digital signature signed by a third-party timestamp server:

PS C:\>Set-AuthenticodeSignature -filepath c:\myscript.ps1 -cert $cert -TimeStampServer ""

#I'll send you all my dreams, Every day in a letter, Sealed with a kiss# ~ Brian Hyland


Get-AuthenticodeSignature - Get the signature object associated with a file
Get-ExecutionPolicy - Get the execution policy for the shell
- Change the execution policy (user preference)
Get-Pfxcertificate - Get pfx certificate information
Get-Help about_signing
Equivalent bash command: OpenSSL - Open Secure Sockets Layer

© Copyright 1999-2014
Some rights reserved