When working with PowerShell scripts or executable files, code signing is an essential step to ensure trust and security. Unsigned code can trigger warnings, fail to run under certain execution policies, or even be blocked entirely in enterprise environments.
In this guide, we’ll cover both parts of the process:
- creating a self-signed certificate for code signing, and
- using that certificate to sign your scripts or executables.
We will demonstrate two methods — with PowerShell and with alternative Windows tools — so you can choose the one that best fits your scenario.
Create a self-signed code-signing certificate with PowerShell
- Run PowerShell as Administrator.
- Use the following example to create a self-signed root certificate named ExampleCert. It will be automatically installed in ‘Certificates\Current User\Personal\Certificates’
- To view the certificate, open mmc.exe or Manage User Certificates.
# -Type CodeSigning adds the Code Signing EKU; its default key usage is DigitalSignature,
# which is what Authenticode verifiers expect, so the explicit -KeyUsage below overrides it
$cert = New-SelfSignedCertificate -Type CodeSigning -KeySpec Signature `
    -Subject "CN=ExeCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Create a self-signed code-signing certificate with makecert.exe
1. Download and install the Windows SDK. makecert.exe is included in the Windows SDK, which you can download from the official Microsoft website.
2. Run Command Prompt (cmd.exe) as Administrator.
3. Navigate to the folder that contains makecert.exe:
cd "%programfiles%\Microsoft SDKs\Windows\v7.1\Bin"
4. To create the certificate, run the following command:
makecert -r -sv C:\work\mkcert.pvk -n CN="mkcert" C:\work\mkcert.cer
5. In the dialog window, enter and confirm a password.

6. Then run the following two commands to convert the certificate into a password-protected private .pfx file:
cert2spc C:\work\mkcert.cer C:\work\mkcert.spc
pvk2pfx -pvk C:\work\mkcert.pvk -pi 1 -spc C:\work\mkcert.spc -pfx C:\work\mkcert.pfx -po 1
In the second command, pass the password you entered in the previous step to the -pi switch (password of the input .pvk) and the -po switch (password of the output .pfx); the example uses "1".
As a result, you get the mkcert.pfx private certificate.
How to sign a script or executable file using PowerShell
1. First, install your certificate in the machine Root certificate store (Cert:\LocalMachine\Root) and in the Personal store.
2. To sign a script, use the following commands. Replace the value of $thumbPrint with your certificate's thumbprint and set $fileToSigning to the path of the file you want to sign.
$thumbPrint = "E4076DF19CF1A7C836A0227FB12F733D216474DF"
$fileToSigning = "C:\PACKAGES\Change WMI Object Structure.ps1"
# -CodeSigningCert (abbreviated -codesign in the original) returns only certificates with the Code Signing EKU
Set-AuthenticodeSignature $fileToSigning (Get-ChildItem Cert:\LocalMachine\Root\$thumbPrint -CodeSigningCert)
3. In the PowerShell console, you will see the result of this command. In the Status column, you can verify that the signing was successful.

4. If you open the signed script in Windows PowerShell ISE, you will see a comment with the signature block at the end of the file. To verify that the script was signed, change the execution policy to AllSigned:
Set-ExecutionPolicy AllSigned
5. If you try to run a non-signed script, it will not start. Only signed scripts will be executed.
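As an added example that is not part of the original guide, the PowerShell below wraps the signing step above (adding a timestamp, which the guide's PowerShell command omits) and then audits a folder the same way the Status check in step 3 does, flagging every file that is not validly signed by an approved thumbprint. The certificate store (Cert:\CurrentUser\My), the timestamp server URL, the function names and the $ApprovedThumbprints allow-list are assumptions, not from the guide.

```powershell
# Added example, not from the original guide. Assumes the signing certificate
# sits in Cert:\CurrentUser\My with the Code Signing EKU; the timestamp server
# URL and the function names are this example's choices, not the guide's.

function Set-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $TimestampServer = 'http://timestamp.digicert.com'   # assumed TSA URL
    )
    # -CodeSigningCert filters the store to certificates carrying the Code Signing EKU
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate $Thumbprint in Cert:\CurrentUser\My" }
    # A timestamp lets the signature remain valid after the certificate itself expires
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
}

function Get-ScriptSignatureReport {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string[]] $ApprovedThumbprints = @()   # your own allow-list of signer thumbprints
    )
    Get-ChildItem -Path $Folder -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.exe, *.dll |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            # Status is Valid, NotSigned, HashMismatch (file changed after signing), or
            # UnknownError when the chain ends in a root this machine does not trust
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumbprint  = $thumb
                Timestamped = [bool]$sig.TimeStamperCertificate
                Approved    = ($sig.Status -eq 'Valid') -and ($ApprovedThumbprints -contains $thumb)
            }
        }
}

# Usage: sign one script, then audit the folder; review anything reported with Approved = False
# Set-ScriptSignature -Path 'C:\work\example.ps1' -Thumbprint $thumbPrint
# Get-ScriptSignatureReport -Folder 'C:\work' -ApprovedThumbprints $thumbPrint | Format-Table -AutoSize
```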

How to sign a script or executable file using signtool.exe
To sign scripts and executable files, you can use signtool.exe. This tool is included in the Windows SDK, which can be downloaded from the official Microsoft website.
1. First, download and install the Windows SDK.
2. Run Command Prompt (cmd.exe) as Administrator.
3. Navigate to the folder that contains signtool.exe. You can do it using the following command:
cd "%programfiles%\Microsoft SDKs\Windows\v7.1\Bin"
4. Now you have signtool.exe and a certificate (how to create it was described earlier). You can start signing.
Use the following command, where C:\work\example.pfx is the path to your certificate, /p is the .pfx password (the -po value you set with pvk2pfx), /t is the timestamp server, and C:\work\example.ps1 is the path to the file you want to sign:
signtool sign /f c:\work\example.pfx /p 1 /t http://timestamp.verisign.com/scripts/timstamp.dll /v c:\work\example.ps1
Pay attention to the result of this command: the number of warnings and the number of errors. If this step fails, the exit code will be non-zero, so check the command and its output.
To check the result, right-click the executable file, select Properties, and open the Digital Signatures tab. In this tab, you can see the signature.

Need help?
Application packaging can be tricky, and hidden pitfalls often slow down the process.
Apptimized experts make sure your applications are packaged, tested, and ready for deployment without surprises.
If you have any questions or would like to discuss your packaging needs, contact us.