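Function Add-AuthenticodeSigningToScript {
    <#
    .SYNOPSIS
    Signs scripts during the build process
    .DESCRIPTION
    Uses an in-memory cert to sign files, rather than from one of the stores.
    The PFX is loaded once in Begin, checked (private key present, validity
    window, code-signing EKU), used for every file on the pipeline in Process,
    and disposed in End.
    .PARAMETER Path
    The file you want to sign
    .PARAMETER Certificate
    Path to the PFX file holding the code signing certificate and its private key.
    .PARAMETER Password
    Password protecting the PFX, as a SecureString. Omit for an unprotected PFX.
    .PARAMETER TimestampServer
    Optional RFC 3161 timestamp server URL passed to Set-AuthenticodeSignature.
    Without a timestamp the signature stops validating once the certificate expires.
    .PARAMETER Force
    Re-sign a file that already carries a signature (for example one whose
    status is HashMismatch because the file changed after it was signed).
    .EXAMPLE
    C:\PS> Add-AuthenticodeSigningToScript c:\temp\test.ps1
    .EXAMPLE
    C:\PS> Get-ChildItem "c:\temp*.ps*" | Add-AuthenticodeSigningToScript -Certificate c:\test.pfx -Password (ConvertTo-SecureString "Testing!" -AsPlainText -Force)
    #>
    [CmdletBinding(SupportsShouldProcess)]
    Param (
        [parameter(Mandatory, ValueFromPipeLine, ValueFromPipeLineByPropertyName)]
        # FullName lets FileInfo objects from Get-ChildItem bind by property
        # name instead of relying on FileInfo -> string coercion.
        [Alias('FullName')]
        [ValidateScript({
            if(-Not ($_ | Test-Path) ){
                throw "File does not exist"
            }
            if(-Not ($_ | Test-Path -PathType Leaf) ){
                throw "The Path argument must be a file. Folder paths are not allowed."
            }
            return $true
        })]
        [string]$Path,

        [parameter(Mandatory)]
        [string]$Certificate,

        [SecureString]$Password,

        [string]$TimestampServer,

        [switch]$Force
    )

    Begin {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::New($Certificate, $Password)
        }
        catch {
            throw "Unable to load code signing certificate from '$Certificate': $($_.Exception.Message)"
        }

        # Fail before touching any file: signing needs the private key, and
        # Set-AuthenticodeSignature rejects certificates without it anyway.
        If (-not $cert.HasPrivateKey) {
            Throw "Code signing certificate has no private key; a PFX containing the private key is required."
        }

        # Intended purposes: if an EKU extension is present it must list
        # Code Signing (OID 1.3.6.1.5.5.7.3.3). A certificate with no EKU
        # extension is unrestricted and is accepted as-is.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        If ($ekuExt) {
            $hasCodeSigning = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
            If (-not $hasCodeSigning) {
                Throw "Code signing certificate does not carry the Code Signing (1.3.6.1.5.5.7.3.3) enhanced key usage."
            }
        }

        # Evaluate the validity window once so both ends use the same instant.
        $now = Get-Date
        If ($cert.NotBefore -gt $now) {
            Throw "Code signing certificate is not yet valid."
        }
        If ($cert.NotAfter -le $now) {
            Throw "Code signing certificate expired."
        } Elseif ($cert.NotAfter -le $now.AddDays(30)) {
            Write-Warning "Code signing certificate expires within the next 30 Days"
        }
    }

    Process {
        $status = ($Path | Get-AuthenticodeSignature).Status
        If ($status -eq 'NotSigned' -or $Force) {
            If ($PSCmdlet.ShouldProcess($Path)) {
                $signParams = @{
                    FilePath    = $Path
                    Certificate = $cert
                    ErrorAction = 'Stop'
                }
                If ($TimestampServer) {
                    $signParams['TimestampServer'] = $TimestampServer
                }
                $Null = Set-AuthenticodeSignature @signParams
            }
        } Else {
            Write-Verbose "$($Path) is already signed"
            # Anything other than Valid means the existing signature is not
            # usable (e.g. HashMismatch after an edit); surface it rather than
            # letting the file pass silently as "already signed".
            If ($status -ne 'Valid') {
                Write-Warning "$($Path) carries a signature with status '$status'; use -Force to re-sign it"
            }
        }
    }

    End {
        # Release the private key handle held by the in-memory certificate.
        If ($cert) {
            $cert.Dispose()
        }
    }
}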
# Example build step: sign every *.ps* file under c:\temp except Pester test
# files. -Exclude filters on file name only (*.tests.ps1), not on content.
# NOTE(review): the plain-text password literal is illustrative; a literal
# passed this way ends up in command history and transcripts. For a real
# build read it with Read-Host -AsSecureString or from a secret store instead.
Get-ChildItem -Path c:\temp -Filter *.ps* -Include *.ps* -exclude *.tests.ps1 -Recurse |
Add-AuthenticodeSigningToScript `
-Certificate c:\temp\test.pfx `
-Password (ConvertTo-SecureString "Testing!" -AsPlainText -Force)
