My last post showed you an easy way to sign Windows Scripting Host files. The same approach works for PowerShell scripts and other executables. I found a lot of complicated ways to sign applications before I figured out that PowerShell can sign them too. This still assumes you already have a Code Signing certificate. Here is my PowerShell signing script:
# Pick the first code-signing certificate in the current user's personal store
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
# Sign the file passed as the first command-line argument
Set-AuthenticodeSignature $args[0] $cert
I save that in a file called SignScript.ps1 on my computer, where my cert is installed in the current user's certificate store. The file I want signed is passed as $args[0] from the command line like this:
PS C:\> .\SignScript.ps1 myScript.ps1
PS C:\> .\SignScript.ps1 myApp.exe
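A version of SignScript.ps1 that checks its inputs and verifies the signature it just wrote, as an added example rather than the post's original script. The -Path and -TimestampServer parameters are my own additions, and the final check assumes the signing certificate chains to a trusted root (a self-signed cert that is not trusted will report a status other than Valid).

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    # Optional RFC 3161 timestamp server; leave empty to skip timestamping
    [string]$TimestampServer = ''
)

# Resolve the target and fail early if it is not a file we can open
$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# Pick a code-signing certificate from the current user's personal store.
# Stop with a clear message instead of passing $null to Set-AuthenticodeSignature.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) {
    throw "No code-signing certificate found in Cert:\CurrentUser\My"
}

# Sign the file; add a timestamp when a server was supplied so the signature
# can still be validated after the certificate itself expires
$signParams = @{ FilePath = $file.FullName; Certificate = $cert }
if ($TimestampServer) { $signParams['TimestampServer'] = $TimestampServer }
$null = Set-AuthenticodeSignature @signParams

# Re-read the signature from disk and confirm it validates before reporting success
$check = Get-AuthenticodeSignature -FilePath $file.FullName
if ($check.Status -ne 'Valid') {
    Write-Error "Signing $($file.Name) failed: $($check.Status) - $($check.StatusMessage)"
    exit 1
}
Write-Host "Signed $($file.Name) with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Run it the same way as the original, for example `.\SignScript.ps1 myScript.ps1`, or pass `-TimestampServer` with your timestamping authority's URL.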
I take this one step further by adding a Sign option to the right-click context menu in Explorer. This is easy to set up once you have it working from the command line. In regedit, open HKEY_CLASSES_ROOT and find Microsoft.PowerShellScript.1 (and exefile). Under the key called Shell, add a key called “Sign”; this is the text that will show up in the context menu. Under the key you just added, add a new key called “command”. Then set the default value of that “command” key to match this .reg file.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\Sign\Command]
@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-file\" \"C:\\Scratch\\Scripts\\SignScript.ps1\" \"%1\""

[HKEY_CLASSES_ROOT\exefile\shell\Sign\command]
@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-file\" \"C:\\Scratch\\Scripts\\SignScript.ps1\" \"%1\""
Now when you right-click a .ps1 or .exe file, a Sign entry appears in the menu and you can digitally sign it from there.
