18

I'm getting an error when I run a PowerShell script:

File test_new.ps1 cannot be loaded. The file test_new.ps1 is not digitally signed.

I created a CA and a certificate and signed this file using the procedure described here.

Here is what I get when I do a dir on the MY directory:

EF76B3D7D8D2406E1F2EE60CC40644B122267F18  CN=PowerShell User

I can see the signature block appended at the end of the test_new.ps1 file.

Here is the execution policy and scope:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       AllSigned
   UserPolicy       Undefined
      Process          Bypass
  CurrentUser       AllSigned
 LocalMachine       Undefined

The machinepolicy should take priority, which is set as AllSigned. Everything seems all right, so why am I still getting the digitally signed error?

2
  • Did you run dir with the parameter -Codesigning? Is the CA certificate imported correctly? Commented Oct 13, 2017 at 11:16
  • Yes, I have done that. Even after -Codesigning it wasn't working. But I have finally figured it out. I had to publish the certificate in Trusted Root Certification Authorities. After which it started working. See my answer below Commented Oct 13, 2017 at 11:57

6 Answers

19

PowerShell execution policy set to AllSigned only runs scripts that are signed by a trusted publisher. You can find the possible values for the -ExecutionPolicy parameter below:

Restricted: The default setting which does not load configuration files or run scripts.

AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.

RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted remote publisher.

Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

Bypass: Nothing is blocked and there are no warnings or prompts.

Undefined: Removes the currently assigned execution policy from the current scope, returning the session to the default. This parameter will not remove an execution policy that is set in an Active Directory Group Policy.

You can set PowerShell execution policy by a command like:

Set-ExecutionPolicy unrestricted

If you want to run the script on the domain network, then you would probably use Group Policy to make sure the code signing certificate used to sign the script is a trusted publisher in your domain. To do this there are two steps:

  1. Export the code signing certificate.

  2. Create a policy and import the code signing certificate into trusted publishers.

Once the policy is updated in your domain network, the Trusted Publisher certificate should be listed under 'Trusted Publishers' in the Certificates snap-in.


1 Comment

That is fine, I know about this and have tried this; it works. But my problem is that this is a domain machine, and we need to run on it without compromising security. So I need to sign the PS1 file and run it as digitally signed and trusted.
17

Try right-clicking the *.ps1, *.zip or *.nupkg file and choose Properties, then click on Unblock:



10

To fix it, you have to run the command below, which calls Set-ExecutionPolicy and changes the execution policy setting.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

1 Comment

Thanks brother, I ran that command in C:\Program Files\PowerShell\7\pwsh.exe, and everything works after that.
4

Finally found a solution to this:

# Pick the code-signing certificate from the current user's personal (MY) store.
# -CodeSigningCert filters out other certificates that may live there; if several
# code-signing certificates exist, the first one is used.
$cert = Get-ChildItem cert:\CurrentUser\MY -CodeSigningCert | Select-Object -First 1
# Open the machine-wide Trusted Publishers store for writing (requires elevation).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ("TrustedPublisher" , "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

It had to be published in the TrustedPublisher store for it to work.

2 Comments

Nicely done; worth noting that targeting the LocalMachine store requires elevation (running as admin). I'm assuming that if it's sufficient for signed scripts to be considered validly signed when run by the current user, [System.Security.Cryptography.X509Certificates.X509Store]::new('TrustedPublisher' , 'CurrentUser') would work too; adding to the CurrentUser store doesn't require elevation.
P.S.: There is now a conceptual about_Signing help topic, which covers both creating a self-signed certificate (which in v3+ you can do with New-SelfSignedCertificate) and the signing process.
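The two answers above explain the same requirement from different sides: under AllSigned the effective execution policy, a valid signature, a chain to a trusted root, and the signer's presence in a Trusted Publishers store must all line up. The following diagnostic function, added here as an example and not taken from any answer on this page, reports each of those conditions for a given script so you can see which one is failing (the function name and its output fields are this example's own choices):

```powershell
# Added example: report why a signed script is accepted or rejected under AllSigned.
function Test-ScriptSigningTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Effective policy: scopes are resolved top-down (MachinePolicy, UserPolicy,
    # Process, CurrentUser, LocalMachine) and the first defined one wins.
    $effective = Get-ExecutionPolicy
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path               = $Path
        EffectivePolicy    = $effective
        SignatureStatus    = $sig.Status   # Valid, NotSigned, NotTrusted, HashMismatch, ...
        SignerThumbprint   = $null
        SignerSubject      = $null
        InTrustedPublisher = $false
        ChainBuilds        = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.SignerThumbprint = $cert.Thumbprint
        $result.SignerSubject    = $cert.Subject

        # AllSigned only runs scripts whose signer is a trusted publisher; check both
        # the per-user and the machine-wide Trusted Publishers stores by thumbprint.
        $result.InTrustedPublisher = [bool](
            Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $cert.Thumbprint)

        # The signer's chain must also end in a root this machine trusts; a self-signed
        # or private-CA certificate fails here until that root is imported.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $result.ChainBuilds = $chain.Build($cert)
        $chain.Reset()
    }

    [pscustomobject]$result
}

# Usage: Test-ScriptSigningTrust -Path .\test_new.ps1
# The script runs cleanly under AllSigned only when SignatureStatus is Valid,
# ChainBuilds is $true and InTrustedPublisher is $true.
```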
3

It is obviously related to PowerShell's policies. With these 3 options, you can change the policies to get past this error and all errors of the same type.

  1. Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

  2. Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force (recommended)

  3. Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force (not recommended, because your computer environment becomes weak against malware or any other harmful software...)

1 Comment

This does not answer the question. It is just a restatement of the reason why the OP chose to use RemoteSigned.
0

I tried all the suggestions, but nothing worked for me. Here is my solution:

  1. Check Get-ExecutionPolicy -List.
  2. My MachinePolicy is AllSigned; I need to change this.
  3. Go to the registry editor: HKEY_L_M > SOFTWARE > POLICIES > MICROSOFT > WINDOWS > powershell, and change the ExecutionPolicy data to Bypass.
  4. Run the ps1 script to check if it is fixed.

My machine had no issue before updating to Windows 11. I am still not sure what caused this issue.
