PowerShell Script digitally signed error

I'm getting an error when I run a PowerShell script:

File test_new.ps1 cannot be loaded. The file test_new.ps1 is not digitally signed.

I created a CA and a certificate and signed this file using the procedure described here.

Here is what I get when I do a dir on the MY directory:

EF76B3D7D8D2406E1F2EE60CC40644B122267F18  CN=PowerShell User

I can see the signature block appended at the end of the test_new.ps1 file.

Here is the execution policy and scope:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       AllSigned
   UserPolicy       Undefined
      Process          Bypass
  CurrentUser       AllSigned
 LocalMachine       Undefined

The MachinePolicy, which is set to AllSigned, should take priority. Everything seems all right, so why am I still getting the digitally signed error?

user726720 Avatar asked Dec 11 '22 09:12



2 Answers

The PowerShell execution policy AllSigned only runs scripts that are signed by a trusted publisher. You can find the possible values for the -ExecutionPolicy parameter below:

Restricted: The default setting which does not load configuration files or run scripts.

AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.

RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted remote publisher.

Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

Bypass: Nothing is blocked and there are no warnings or prompts.

Undefined: Removes the currently assigned execution policy from the current scope, returning the session to the default. This parameter will not remove an execution policy that is set in an Active Directory Group Policy.

You can set PowerShell execution policy by a command like:

Set-ExecutionPolicy unrestricted

If you want to run the script on the domain network, then you would probably use Group Policy to make sure the code signing certificate used to sign the script is a trusted publisher in your domain. To do this there are two steps:

  1. Export the code signing certificate.

  2. Create a policy and import the code signing certificate into trusted publishers.

Once the policy is updated in your domain network, the Trusted Publisher certificate should be listed under 'Trusted Publisher' in the Certificates snap-in.

Gome Avatar answered Dec 22 '22 12:12



Finally found a solution to this:

# Select the single code-signing certificate from the current user's personal (MY) store;
# the thumbprint is the one shown in the question. $store.Add() needs one certificate, not a list.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq 'EF76B3D7D8D2406E1F2EE60CC40644B122267F18' }
# Open the machine-wide Trusted Publishers store for writing (requires an elevated session) and add it
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ("TrustedPublisher", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

It had to be published in the TrustedPublisher store for it to work.

user726720 Avatar answered Dec 22 '22 12:12

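The following is an added example, not code from the question or from either answer. It ties the two answers together: it asks PowerShell what it thinks of the script's signature, checks whether the signer is already a trusted publisher and whether its chain builds to a trusted root, and, if not, performs the export and import steps the first answer describes (locally rather than via Group Policy). The script path and the export path are assumptions; the import step needs an elevated session.

```powershell
# Added example: diagnose an AllSigned "not digitally signed" failure and publish the signer.
# $ScriptPath and $ExportPath are assumed values, not taken from the original page.
param(
    [string]$ScriptPath = '.\test_new.ps1',
    [string]$ExportPath = "$env:TEMP\codesign-publisher.cer"
)

# 1. Ask PowerShell directly how it evaluates the script's Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) {
    throw "No signer certificate found: the signature block is missing or unreadable."
}
$signer = $sig.SignerCertificate
"Signer           : $($signer.Subject) ($($signer.Thumbprint))"

# 2. Under AllSigned a script runs without prompting only when the signer's chain ends in a
#    trusted root AND the signer is in Trusted Publishers (machine or user store).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private CA usually has no reachable CRL
if (-not $chain.Build($signer)) {
    "Chain does not build to a trusted root; is the CA certificate in Trusted Root Certification Authorities?"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

if ($trusted) {
    "Signer is already a trusted publisher: $($trusted[0].PSParentPath)"
} else {
    # 3a. Export the signer's public certificate (step 1 of the Group Policy procedure).
    Export-Certificate -Cert $signer -FilePath $ExportPath | Out-Null
    "Exported signer certificate to $ExportPath"

    # 3b. Import it into the machine-wide Trusted Publishers store (step 2). In a domain this
    #     import is what the Group Policy object would do for every machine; locally it needs
    #     an elevated PowerShell session.
    Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    "Imported signer certificate into Cert:\LocalMachine\TrustedPublisher"
}

# 4. Re-evaluate the signature after the change.
"Signature status now: $((Get-AuthenticodeSignature -FilePath $ScriptPath).Status)"
```

Run it from the directory that holds the signed script, or pass -ScriptPath. If the chain check in step 2 reports an untrusted root, adding the signer to Trusted Publishers alone will not help: the CA certificate that issued it also has to be trusted on the machine that runs the script.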