PowerShell Signing

This post was migrated from my older blog.

I wanted to sign a PowerShell script to make it easier and more secure to use in our environment. PowerShell signing was not in great use in the environment. To make signing the scripts easier I created a simple script to help with the signing process. There was an issue however. We have generic, fully trusted, all purposes certificates. Despite being fully trusted and all purpose, they did not show up as valid certificates in PowerShell. I tried manually running:

Get-ChildItem cert:\CurrentUser\My -codesigning

It returned nothing. The certificates should work, but they weren’t showing up. I checked the certificate inside of the Certificate Store. Inside the certificate’s properties on the “General” tab, there is a “Certificate purposes” group box. Inside of this “Enable all purposes for this certificate” was selected.

Showing how to manually enable all purposes

Since that was not working, I selected “Enable only for the following purposes”.
By default, all purposes were already checked. I clicked “Ok” and ran the Get-ChildItem command again and the certificate was finally listed. I ran through the signing process successfully. The signature on the PowerShell file was trusted and valid.