What Does “Powershell Script is Not Digitally Signed” Error Mean?
Dealing with the “Powershell script is not digitally signed” error message can be frustrating. This error pops up when running unsigned PowerShell scripts and blocks the execution for security reasons.
The good news is there are a few ways to resolve this issue. With the right solutions, you can digitally sign scripts or bypass the signature validation to run unsigned code.
In this guide, I’ll cover the core reasons for the “not digitally signed” error, along with actionable steps to fix it. You’ll also learn PowerShell execution policies and how to modify them to fit your needs.
By the end, you’ll have the knowledge to troubleshoot and resolve unsigned script errors, which will give you full control over PowerShell in your environment. Let’s get started!
Key Takeaways
- The “not digitally signed” error appears when running PowerShell scripts that lack a digital signature.
- It’s a security feature that prevents unsigned, potentially malicious code from running.
- To fix it, you can digitally sign your scripts or change the PowerShell execution policy to bypass signature validation.
- Execution policies govern which scripts can be run on a system.
- Use Set-ExecutionPolicy to view and modify the execution policy.
- Signing scripts involves generating a code-signing certificate and using it to add a signature.
Why Do I Get the “Powershell Script is Not Digitally Signed” Error?
When this error pops up, PowerShell is blocking the execution of your script because it lacks a trusted digital signature.
PowerShell includes a security feature that prevents unsigned scripts from running automatically. This protects untrusted, potentially malicious code.
By default, PowerShell’s restricted execution policy only allows the following scripts to run:
- Scripts are located in the PowerShell installation folder ($PSHOME)
- Scripts located in the current user’s profile folder
- Scripts passed explicitly to the PowerShell console
Any other unsigned scripts trigger the “not digitally signed” error when executed.
The signature validation restricts running scripts downloaded from the internet or unknown sources. This prevents unverified code from executing malicious actions on your system.
However, the restricted policy can also block legitimate scripts. If you write a PowerShell script and attempt to run it, this error appears unless you digitally sign your code.
That brings us to the main solutions – digitally signing your scripts or modifying the execution policy to allow unsigned code. Let’s explore both…
How to Sign PowerShell Scripts with a Cod -Signing Certificate
Digitally signing scripts involves generating a certificate and using it to add a signature that marks your code as trusted.
Here are the steps to sign PowerShell scripts on Windows:
- Create a Self-Signed Certificate
- Create a Certificate Store
- Export the Signing Certificate
- Import the Signing Certificate
- Sign a Script
Step 1 – Create a Self-Signed Certificate
First, you need to create a code-signing certificate. The New-SelfSignedCertificate cmdlet generates one based on a subject you specify:
New-SelfSignedCertificate -Subject "CN=PowerShellCodeSigning" -CertStoreLocation "Cert:\CurrentUser\My"
- Replace “PowerShellCodeSigning” with your desired certificate name.
- Cert:\CurrentUser\My stores the certificate in your personal certificate store.
This creates a self-signed certificate for the signing code. You can also generate a certificate request (CSR) to obtain a trusted code-signing cert from a certificate authority (CA).
Step 2 – Create a Certificate Store
Next, make a certificate store folder to place the certificate in:
New-Item -Path "C:\Certificates" -ItemType Directory
We’ll export the signing cert as a .PFX file into this folder.
Step 3 – Export the Signing Certificate
Now export your signing certificate from the certificate store:
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -eq "CN=PowerShellCodeSigning"}
Export-PfxCertificate -Cert $cert -FilePath "C:\Certificates\PowerShellSigningCert.pfx" -Password (ConvertTo-SecureString -String "YOUR_PASSWORD" -Force -AsPlainText)- Fetch your signing certificate using the subject name
- Export it as a .PFX file with a password
This extracts the certificate file needed for code signing.
Step 4 – Import the Signing Certificate
Before signing scripts, you need to import the PFX file into your certificate store:
Import-PfxCertificate -FilePath "C:\Certificates\PowerShellSigningCert.pfx" -CertStoreLocation "Cert:\CurrentUser\My" -Password (ConvertTo-SecureString -String "YOUR_PASSWORD" -Force -AsPlainText)
Now, your signing certificate is installed and ready!
Step 5 – Sign a Script
Finally, use Set-AuthenticodeSignature to sign your PowerShell scripts:
Set-AuthenticodeSignature -FilePath "C:\Scripts\myscript.ps1" -Certificate (Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -eq "CN=PowerShellCodeSigning"})This adds a digital signature to the script using the code-signing certificate.
Now, when you run the script, PowerShell recognizes it as signed code from a trusted publisher. There are no more “not digitally signed” errors!
Signing scripts is the best practice for running your own PowerShell code. Next, let’s look at simply bypassing the signature check by changing the execution policy…
How to Bypass Signature Validation by Changing Execution Policy
PowerShell’s execution policy determines which scripts are allowed to run. By default, it blocks unsigned code, causing the “not digitally signed” error.
You can bypass the signature check by setting the execution policy to allow unsigned scripts. Here’s how:
- View the Current Execution Policy
- Change the Execution Policy
- Test an Unsigned Script
#1 View the Current Execution Policy
First, check the current execution policy:
Get-ExecutionPolicy
This will likely return Restricted, which only allows signed scripts.
#2 Change the Execution Policy
Next, change the execution policy to Bypass or Unrestricted, which allows all scripts:
Set-ExecutionPolicy Bypass -Force
Or
Set-ExecutionPolicy Unrestricted -Force
Use -Force to override any confirmation prompts.
Note: Bypass/Unrestricted policies reduce security by removing signature validation. Only use them temporarily as needed.
#3 Test an Unsigned Script
Now, try running your unsigned script again.
The “not digitally signed” error should no longer appear since the execution policy allows unsigned code.
This gets your script working quickly, but signing your code is better for production use.
Best Tips for Managing Execution Policies
Here are some useful tips for working with execution policies:
- Set the policy back to Restricted or AllSigned when no longer needed to restore security.
- Scope the policy narrowly for specific scripts instead of globally.
- Use Set-ExecutionPolicy -Scope Process to bypass validation only for the current session.
- View effective policy with Get-ExecutionPolicy -List to see policy hierarchy.
- Consider using RemoteSigned, which allows local unsigned scripts but still requires signatures for downloaded scripts.
Troubleshooting Guide: Resolving “Not Digitally Signed” Errors
Follow this troubleshooting guide if you are still seeing “not digitally signed” errors after attempting the solutions:
- Verify the script path/name: Check the path and script name being passed to Set-AuthenticodeSignature for signing. Make sure they match the location of the executing script.
- Check certificate settings: Confirm that the certificate is imported correctly with no errors and shows in your store. In the certificate properties, check that it is trusted for code signing purposes.
- Validate execution policy: Run Get-ExecutionPolicy to verify the policy change took effect as expected. Check scope with Get-ExecutionPolicy -List.
- Restart PowerShell session: Try closing PowerShell and opening a new session for policy changes to take full effect.
- Check for wildcards: Execution policy rules may have wildcards excluding specific folders or files. Make sure your script is not getting blocked that way.
- Allow per-script override: Use Set-ExecutionPolicy -ExecutionPolicy Bypass -Force -Path C:\Scripts\myscript.ps1 to whitelist your script.
- Use built-in signing: Try the SignTool utility to sign scripts instead of Set-AuthenticodeSignature.
Final Thoughts
Fixing the “PowerShell script is not digitally signed” error ultimately comes down to either signing your scripts or modifying the execution policy.
Digitally signing with a code-signing certificate is the best security practice. However, temporarily bypassing the restriction can get your scripts running when needed.
Following the step-by-step instructions provided, you should now be able to resolve unsigned script errors. Take time to understand PowerShell execution policies as well.
Properly signing and securing scripts takes your PowerShell coding to the next level. The solutions in this guide will help you troubleshoot and unlock the full potential of PowerShell automation on your systems!
Frequently Asked Questions
Here are some common questions about resolving the “PowerShell script is not digitally signed” error:
Do all PowerShell scripts need to be digitally signed?
No, signing scripts is not strictly required. You can modify the execution policy to allow unsigned scripts to run. However, signing is recommended for security, especially for shared scripts.
What CertUtil commands help troubleshoot code signing?
Use CertUtil -verify to validate a signed script’s signature. CertUtil -hashfile checks the script hash. CertUtil -store lists signing certificates.
Can I sign scripts on Linux/Mac with PowerShell Core?
Yes, you can generate a keypair and use it to sign scripts on non-Windows platforms. The process is similar but with openssl tools instead of Windows certificates.
Where are trusted root certificates stored on Windows?
Trusted root CA certificates are stored in Cert:\LocalMachine\Root. Signing certs should chain to a trusted root for script validation.
Is there a way to whitelist specific unsigned scripts?
Yes, you can use the -ExecutionPolicy and -File parameters on Set-ExecutionPolicy to bypass policy for certain scripts.
What’s the best overall execution policy from a security standpoint?
The RemoteSigned policy strikes a good balance, requiring signatures for internet-downloaded scripts while allowing local unsigned scripts to run.
What PowerShell modules are related to signing and certificates?
Key modules include: PKI, PSScriptAnalyzer, PackageManagement, Microsoft.PowerShell.Security, and Microsoft.PowerShell.Utility.
Can I sign a script without the source code?
Unfortunately, no: the original .PS1 script source is required to generate a valid signature over the code contents.
Do child scripts or functions need signing if the parent script is signed?
No, only the top-level parent script needs to be signed. The signature validates that entire code tree by default.
Jinu Arjun
