First you’ll need a code-signing certificate. If you purchase one, you’ll be looking for a “Class III” digital certificate of the “Microsoft Authenticode” variety. This will often come in two parts: An SPC file, which is the Software Publishing Certificate, and a PVK file, which is the corresponding private key. If you use a utility like MakeCert.exe (which is included in the Windows Platform SDK), you can produce a certificate in a CER file; you’ll need to use the Cert2spc.exe utility (also in the SDK) to convert that to an SPC/PVK file pair.
Next you have to either install the certificate or make it into a PFX file, which includes both halves of the key. I prefer the PFX approach, since you can use the Pvk2Pfx.exe utility (again in the SDK) to combine your SPC file and your PVK file into a password-protected PFX file.
Whew. You only have to do all that nonsense once, thank goodness.
When you’re ready to sign, run this in the shell:
Set-AuthenticodeSignature MyScript.ps1 -cert (Get-PFXCertificate MyCert.pfx)
You’ll be prompted for a password as the certificate loads, and a signature will be applied to the designated script.
