@lohvht
Created March 4, 2021 17:15
PowerShell Self-Signing Powershell Script Steps

Credits from: https://www.tenforums.com/general-support/107659-how-sign-powershell-profile-w-self-signed-certificate-2.html#post1341612

Attempted and succeeded on 5 March 2021.

POWERSHELL ONLY SOLUTION

The following is a PowerShell-only solution that does not require installing any extra software, tools or features (at least on Windows 10):

Open a PowerShell window with Admin privileges and run the following to create the self-signed certificate and save it to the PS variable of your choice.

Below, the variable name mycert is used. I recommend that, or just copy/paste the code.

$mycert = New-SelfSignedCertificate -Subject "CN=PowerShell signing example" -KeyAlgorithm RSA -KeyLength 2048 -Type CodeSigningCert -CertStoreLocation Cert:\LocalMachine\My\

Next, to verify the certificate was created, simply type the variable you just created. For example, the above would be $mycert. Hit enter, and it should print the certificate's thumbprint and subject to the screen.

PS C:\Windows\system32> $mycert


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
124C9D350FF748B3F548A74E350A55AB5C1D2043  CN=PowerShell signing example

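Now, with that outta the way, you need to move the certificate you just created to the root cert store on your machine. A self-signed certificate is only treated as trusted once it is in a trusted root store, and from then on any code signed with its private key validates on this machine. To do this, run the following command (take note of the variable name; i.e. use what you used above):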

Move-Item "Cert:\LocalMachine\My\$($mycert.Thumbprint)" Cert:\LocalMachine\Root

Finally, with that out of the way, you can sign your script with the following command:

Set-AuthenticodeSignature C:\Path\To\Script\test.ps1 $mycert

Once you run that command, you should receive output on the console displaying the successful signing.

Example running it on $PROFILE

PS C:\Windows\system32> set-AuthenticodeSignature $PROFILE $mycert


    Directory: C:\Users\MYUSER\Documents\WindowsPowerShell


SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
124C9D350FF748B3F548A74E350A55AB5C1D2043  Valid                                  Microsoft.PowerShell_profile.ps1
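
To confirm the result independently of the `Set-AuthenticodeSignature` output, the following added example (not part of the original post) checks a signed script, a copy edited after signing, and an unsigned script with `Get-AuthenticodeSignature`. It assumes `$mycert` from the steps above is still defined in the same elevated session; the function name `Test-ScriptSignature` and the scratch file names are hypothetical.

```powershell
# Added example. Assumes $mycert from the steps above is still in scope in the
# same elevated session; Test-ScriptSignature and the temp file names are made up.
function Test-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Thumbprint }
    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status            # Valid, HashMismatch, NotSigned, ...
        Signer  = $signer
        # Accept only an intact signature made by the certificate we expect.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedThumbprint)
    }
}

# Constructed sample scripts in a scratch directory, so no real file is touched.
$work = Join-Path $env:TEMP 'sigcheck-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$signed = Join-Path $work 'signed.ps1'
Set-Content -Path $signed -Value 'Write-Output "original body"'
Set-AuthenticodeSignature -FilePath $signed -Certificate $mycert | Out-Null

# Same file with the first line edited after signing; the signature block stays.
$tampered = Join-Path $work 'tampered.ps1'
$lines = @(Get-Content -Path $signed)
$lines[0] = 'Write-Output "edited after signing"'
Set-Content -Path $tampered -Value $lines

# A script that was never signed.
$unsigned = Join-Path $work 'unsigned.ps1'
Set-Content -Path $unsigned -Value 'Write-Output "never signed"'

$signed, $tampered, $unsigned |
    ForEach-Object { Test-ScriptSignature -Path $_ -ExpectedThumbprint $mycert.Thumbprint } |
    Format-Table -AutoSize
```

A signed script has to be re-signed after every edit, since any change to the body invalidates the existing signature.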

Incidentally, I had tried this route before but kept failing because I didn't move the certificate to the root cert store. Now I know.

In the end, I don't feel better about this compared to having just changed the execution-policy.

For those interested in the guide referenced for this method, please visit this link.

For those interested in the guide referenced for the first method (on page 1), click this link.

P.S. - I knew the code I used looked familiar, and I eventually wound up finding (piece by piece) the entire guide on another site.

P.P.S. - We shouldn't be required to do all of this just to get a few permanent aliases in PowerShell.
