about_signing
SHORT DESCRIPTION
Explains how to sign scripts so that they comply with the Windows
PowerShell execution policies.
LONG DESCRIPTION
The Restricted execution policy does not permit any scripts to run.
The AllSigned and RemoteSigned execution policies prevent Windows
PowerShell from running scripts that do not have a digital signature.
This topic explains how to run selected scripts that are not signed,
even while the execution policy is RemoteSigned, and how to sign
scripts for your own use.
get-executionpolicy
To run unsigned scripts that you write on your local computer and signed
scripts from other users, use the following command to change the execution
policy on the computer to RemoteSigned:
set-executionpolicy remotesigned
Before you run the script, review the code to be sure that you trust it.
Scripts have the same effect as any executable program.
If a script that was downloaded from the Internet is digitally signed, but
you have not yet chosen to trust its publisher, Windows PowerShell displays
the following message:
[V] Never run [D] Do not run [R] Run once [A] Always run
[?] Help (default is "D"):
For more information about the syntax and the parameter descriptions of the
MakeCert.exe tool, see "Certificate Creation Tool (MakeCert.exe)" in the
MSDN (Microsoft Developer Network) library at
http://go.microsoft.com/fwlink/?LinkId=119097.
Note: You can copy or type the commands exactly as they appear.
No substitutions are necessary, although you can change the
certificate name.
The MakeCert.exe tool will prompt you for a private key password. The
password ensures that no one can use or access the certificate without
your consent. Create and enter a password that you can remember. You will
use this password later to retrieve the certificate.
Thumbprint Subject
---------- -------
4D4917CB140714BA5B81B96E0B18AAF2C4564FDF CN=PowerShell User
SIGN A SCRIPT
-------------
After you create a self-signed certificate, you can sign scripts. If you
use the AllSigned execution policy, signing a script permits you to run
the script on your computer.
To use this script, copy the following text into a text file, and
name it Add-Signature.ps1.
Note: Be sure that the script file does not have a .txt file name
extension. If your text editor appends ".txt", enclose the file name
in quotation marks: "add-signature.ps1".
## add-signature.ps1
## Signs a file with the first code-signing certificate found in the
## current user's personal certificate store (cert:\CurrentUser\My).
param([string] $file=$(throw "Please specify a filename."))
$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
Set-AuthenticodeSignature $file $cert
After the script is signed, you can run it on the local computer.
However, the script will not run on computers on which the Windows
PowerShell execution policy requires a digital signature from a
trusted authority. If you try, Windows PowerShell displays the following
error message:
4. Select "Yes, export the private key", and then click Next.
7. Type a file name that has the .pfx file name extension.
8. Click Finish.
3. Open to the location of the .pfx file that you created during the
export process.
6. Click Finish.
Because most signing certificates are valid for one year only, using a
time stamp server ensures that users can use your script for many years
to come.
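The following script extends Add-Signature.ps1 to request a time stamp when signing and then re-reads the signature the way the execution policy will see it. It is an added example, not part of the about_signing topic; the script path and the time stamp server URL are values you supply, and the certificate is assumed to be in cert:\CurrentUser\My.

```powershell
## Sign-AndVerify.ps1 (added example; not from the about_signing topic)
## Signs a script with the first code-signing certificate in the current
## user's store, optionally countersigns it with a time stamp server, and
## then reports the signature status that Get-AuthenticodeSignature returns.
param(
    [Parameter(Mandatory = $true)][string] $File,
    ## ASSUMPTION: supply the URL of a time stamp server you trust; leave
    ## empty to sign without a time stamp (signature then expires with cert).
    [string] $TimestampServer = ''
)

## Same certificate selection as Add-Signature.ps1, but fail clearly
## when the store holds no code-signing certificate at all.
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) {
    throw "No code-signing certificate found in cert:\CurrentUser\My."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

## Build the Set-AuthenticodeSignature arguments; SHA256 replaces the
## older default hash, and the time stamp server is added only if given.
$signArgs = @{ FilePath = $File; Certificate = $cert; HashAlgorithm = 'SHA256' }
if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
$result = Set-AuthenticodeSignature @signArgs

## Re-read the file. A self-signed certificate whose root is not trusted on
## this computer reports UnknownError or NotTrusted rather than Valid, which
## is exactly why AllSigned refuses such scripts on other machines.
## HashMismatch means the file was edited after it was signed.
$sig = Get-AuthenticodeSignature -FilePath $File
[pscustomobject]@{
    File        = $File
    SignStatus  = $result.Status
    Status      = $sig.Status
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    TimeStamped = [bool] $sig.TimeStamperCertificate
}
```

Run it as `.\Sign-AndVerify.ps1 -File .\MyScript.ps1 -TimestampServer <url>`; TimeStamped is True only when the server countersigned the file.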
SEE ALSO
about_Execution_Policies
about_Profiles
Get-ExecutionPolicy
Set-ExecutionPolicy
Set-AuthenticodeSignature
"Introduction to Code Signing" (http://go.microsoft.com/fwlink/?LinkId=106296)