Self-sign PowerShell scripts
source:
https://community.spiceworks.com/t/windows-10-signing-a-powershell-script-with-a-self-signed-certificate/1012198
You can create a certificate that lets you sign your own PowerShell scripts.
Running unsigned scripts requires you to completely disable the Windows security measures that protect against running unwanted PowerShell code, which would be bad. Signing your scripts lets you avoid disabling this code-signing policy.
Step 1: Create your code signing certificate
From a PowerShell prompt, run:
New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -Subject "CN=Local Code Signing" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
To lengthen the expiration period for the cert, add the following parameter:
-NotAfter (Get-Date).AddYears(3)
This would change the expiration date to 3 years from the day you created it.
Step 2: Open the Certificate Manager for Current User
From the same PowerShell prompt, run:
certmgr /s my
Step 3: Copy the new certificate to the appropriate cert stores
Expand the “Personal” folder, select Certificates. Right click the new “Local Code Signing” certificate, and Copy.
Paste into “Trusted Root Certification Authorities” and into “Trusted Publishers” stores.
Step 4: Sign your PowerShell script with the new cert
From a PowerShell prompt, run these two commands:
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]
Set-AuthenticodeSignature .\your-script.ps1 $cert
Step 5: Rerun the PowerShell script
You should now be able to run this script without being blocked or prompted about the script being “unsigned”. You’re done!
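Steps 1 to 5 as a single script, added here as an example and not taken from the original post. It keeps the certificate object returned in Step 1 instead of taking index [0] from the store (which may be a different cert if several code signing certs exist), adds only the public certificate to the two stores, and checks the signature at the end. The parameter names $ScriptPath and $Subject are assumptions of this example.

```powershell
# Added example: scripted form of Steps 1-5 (not from the original post).
param(
    [string]$ScriptPath = '.\your-script.ps1',     # file name used in Step 4
    [string]$Subject    = 'CN=Local Code Signing'  # subject used in Step 1
)
$ErrorActionPreference = 'Stop'

# Step 1: create the code signing cert (same parameters as the page, plus -NotAfter).
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject $Subject -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature `
    -Type CodeSigningCert -NotAfter (Get-Date).AddYears(3)

# Steps 2-3: add the cert to "Trusted Root Certification Authorities" (Root)
# and "Trusted Publishers" (TrustedPublisher) for the current user.
# Choice made in this example: only the public certificate is added; the
# private key stays in Cert:\CurrentUser\My.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.RawData)
foreach ($name in 'Root', 'TrustedPublisher') {
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($name, 'CurrentUser')
    $store.Open('ReadWrite')
    try     { $store.Add($public) }   # Windows may ask for confirmation on the Root store
    finally { $store.Close() }
}

# Step 4: sign with the exact certificate created above.
$null = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert

# Step 5 check: the signature must be Valid and must come from our cert.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"{0} signed by {1} (thumbprint {2}), cert valid until {3:yyyy-MM-dd}" -f `
    $ScriptPath, $sig.SignerCertificate.Subject, $cert.Thumbprint, $cert.NotAfter
```

Editing the script after signing invalidates the signature, so Step 4 has to be repeated after every change.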