Add an Authenticode digital signature to a PowerShell script or other file, so that its publisher can be identified and any later modification detected.
Syntax
Set-AuthenticodeSignature [-filePath] string[]
[-certificate] X509Certificate2 [-includeChain string]
[-timeStampServer string] [-force] [-whatIf]
[-confirm] [CommonParameters]
key
-filePath path
The path to a file that is being signed. {may be piped}
-certificate X509Certificate2
The certificate that will be used to sign the script/file.
(use an expression or variable that gets the certificate via
Get-PfxCertificate or Get-ChildItem)
-includeChain string
What should be included in the digital signature:
"Signer" : Include only the signer's certificate.
"NotRoot": Include all of the certificates in the certificate chain,
except for the root authority. (this is the default)
"All" : Include all certificates in the certificate chain.
-timeStampServer string
Have a timestamp server countersign the signature, certifying the time at which
the signature was applied. string = the URL of the timestamp server.
A timestamped signature stays valid after the signing certificate expires;
without a timestamp it becomes invalid at expiry.
-force
Override restrictions that prevent the command from succeeding, apart
from security settings. e.g. -force will override a file's read-only
attribute, but will not change file permissions.
-whatIf
Describe what would happen if you executed the command without actually
executing the command.
-confirm
Prompt for confirmation before executing the command.
CommonParameters:
-Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutVariable.
If the certificate is not valid, does not carry the Code Signing enhanced key usage, or has no private key available, the command will fail.
To create a self-signed code-signing certificate, use New-SelfSignedCertificate -Type CodeSigningCert (PKI module, Windows 10 / Server 2016 and later) or, on older systems, MakeCert.exe (available in the Microsoft .NET Framework SDK). For details see: Get-Help about_signing
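Worked example, added here and not part of the original page: create a self-signed code-signing certificate with New-SelfSignedCertificate and make it trusted for the current user. The subject name and export path are assumed values; a signature made with a self-signed certificate verifies as UnknownError until the public certificate is in the Trusted Root store, and the AllSigned execution policy additionally wants it in Trusted Publishers.

```powershell
# Added example (not from the original page). Requires the PKI module
# (Windows 10 / Server 2016 or later). Subject and paths are assumptions.

$subject = 'CN=Example Script Signing'   # assumed subject name

# -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3) and
# stores the certificate, with its private key, in the user's Personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My `
            -NotAfter (Get-Date).AddYears(1)

# Sanity check: the -CodeSigningCert filter of the certificate provider
# only returns certificates that carry the Code Signing EKU.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

# Export the public certificate only (no private key) and import it into the
# stores that make it trusted. Windows may show a confirmation dialog when a
# root certificate is added to the per-user Root store.
$cerPath = Join-Path $env:TEMP 'example-signing.cer'   # assumed path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# The certificate is now usable with:
#   Set-AuthenticodeSignature -FilePath .\script.ps1 -Certificate $cert
```

Keep the private key in the Personal store only; the .cer file that is distributed to other machines contains nothing secret. Trusting a self-signed certificate is appropriate for a lab or a single workstation, not for scripts that run across an estate, where a certificate issued by an internal CA should be used instead.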
Examples
Retrieve a code-signing certificate from the certificate provider and use it to sign a PowerShell script (Get-ChildItem takes -Path, not -FilePath; -CodeSigningCert may return several certificates, so select one):
PS C:\>$cert = Get-ChildItem -Path cert:\CurrentUser\my -CodeSigningCert | Select-Object -First 1
PS C:\>Set-AuthenticodeSignature PsTest.ps1 -Certificate $cert
Load a code-signing certificate from a PFX file (Get-PfxCertificate prompts for the PFX password) and use it to sign a PowerShell script:
PS C:\>$cert = Get-PfxCertificate C:\Test\Mysign.pfx
PS C:\>Set-AuthenticodeSignature -Filepath C:\myscript.ps1 -Cert $cert
Add a digital signature countersigned by a third-party timestamp server:
PS C:\>Set-AuthenticodeSignature -filepath c:\myscript.ps1 -cert $cert -TimeStampServer "http://www.fabrikam.com/TimeManager"
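Worked example, added here and not from the original page: sign a script, verify the signature independently with Get-AuthenticodeSignature, then show that modifying the signed content turns the status into HashMismatch and that re-signing replaces the old signature block. It assumes a code-signing certificate with a private key is already in Cert:\CurrentUser\My and that the timestamp server URL is reachable (the URL is an assumption; substitute your own).

```powershell
# Added example (not from the original page). Assumes a usable code-signing
# certificate in Cert:\CurrentUser\My; the script path and timestamp server
# URL are assumptions.

$script = Join-Path $env:TEMP 'signed-demo.ps1'    # assumed path
Set-Content -Path $script -Value 'Write-Output "SIGNED_DEMO_PAYLOAD"'

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate with a private key in Cert:\CurrentUser\My'
}

# 1. Sign. -IncludeChain NotRoot is the default; the signature is appended to
#    the file as a "# SIG # Begin signature block" comment. The timestamp
#    keeps the signature valid after the certificate expires.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
           -TimestampServer 'http://timestamp.digicert.com'   # assumed URL
$sig.Status    # Valid, or UnknownError if the signer is not trusted

# 2. Verify independently of the signing step, as a consumer would.
$check = Get-AuthenticodeSignature -FilePath $script
'{0}: signed by {1}' -f $check.Status, $check.SignerCertificate.Subject

# 3. Tamper: change the signed content but keep the signature block intact.
(Get-Content -Path $script) -replace 'SIGNED_DEMO_PAYLOAD', 'TAMPERED' |
    Set-Content -Path $script
(Get-AuthenticodeSignature -FilePath $script).Status   # HashMismatch

# 4. After an intended edit, re-signing overwrites the stale signature block.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert |
    Select-Object Status, StatusMessage
```

Under the AllSigned execution policy a HashMismatch script will not run at all, and under RemoteSigned only downloaded files are checked, so Get-AuthenticodeSignature is the tool to use when you need to verify a file regardless of where it came from.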
"I'll send you all my dreams, Every day in a letter, Sealed with a kiss" ~ Brian Hyland
Related:
Get-AuthenticodeSignature - Get the signature object associated with a file
Get-ExecutionPolicy - Get the execution policy for the shell
Set-ExecutionPolicy - Change the execution policy (user preference)
Get-PfxCertificate - Get pfx certificate information
Get-Help about_signing
Equivalent bash command: OpenSSL - Open Secure Sockets Layer