Digitally sign package scripts

Since version 2.1 of the Packaging PowerBench, you can have the package script Script.ps1, and optionally other package files, digitally signed automatically when you prepare the package for distribution.

To enable package signing, go to Settings and change the value of the "Script Code signing" property in the "Package settings" section. This setting can take three values:

  • Don't digitally sign package files (default setting).
    If you set this value, package files - as in older PPB versions - will not get a digital signature.
  • Use certificate from certificate store
    If you configure this value, you must select an installed code signing certificate from your personal certificate store.
  • Use certificate file
    When set to this value, select a PFX certificate file that will be used for signing. 


If you have a code-signing certificate suitable for signing installed in your personal certificate store, select the "Use certificate from certificate store" option. The following settings are then available:

  • Certificate from certificate store
    By pressing the "..." button you can select an installed code signing certificate. The selected certificate will be saved as a path on the PowerShell Cert:\ drive. You can, of course, enter the path directly if you know it.
  • List of package files to sign
    By default, when you enable package signing, only the package script Script.ps1 itself is signed. If you want to sign additional package files, for example helper scripts that you have placed in the SupportFiles folder, specify them in this setting, separated by commas.
  • Code signing hash algorithm
    Use this setting to specify which algorithm is used to calculate the signature hash.
    • SHA256
      Uses the Secure Hash Algorithm SHA-256. This is the default value and should only be changed if special circumstances make it necessary.
    • SHA1
      The SHA-1 algorithm is obsolete and no longer considered secure, so it is not recommended to use this setting.
    • MD5
      The MD5 algorithm is deprecated and no longer considered secure, so use of this setting is discouraged.
  • Timestamp service URL
    If you want to timestamp the signature, specify the URL to the timestamp service to use in this field.


If your code signing certificate is in the form of a .pfx file, then select the "Use certificate file" option. The following settings must be configured in this case:

  • Certificate file path
    By pressing the "..." button you can select the PFX certificate to be used from the file system. The selected certificate is saved as a path. Of course, you can also enter the path directly, if you know it.
  • Password of the certificate
    Since the certificate file contains the private key of the certificate, it is protected by a password. If you do not want to enter the password at this point, you can leave the setting blank. You will then be asked for the certificate password as part of the preparation for distribution.
  • List of package files to sign
    By default, when you enable package signing, only the package script Script.ps1 itself is signed. If you want to sign additional package files, for example helper scripts that you have placed in the SupportFiles folder, specify them in this setting, separated by commas.
  • Code signing hash algorithm
    Use this setting to specify which algorithm is used to calculate the signature hash.
    • SHA256
      Uses the Secure Hash Algorithm SHA-256. This is the default value and should only be changed if special circumstances make it necessary.
    • SHA1
      The SHA-1 algorithm is obsolete and no longer considered secure, so it is not recommended to use this setting.
    • MD5
      The MD5 algorithm is deprecated and no longer considered secure, so use of this setting is discouraged.
  • Timestamp service URL
    If you want to timestamp the signature, specify the URL to the timestamp service to use in this field.


After you enable and configure script code signing, you will not initially notice any difference when working with the Packaging PowerBench. However, when you copy the current package revision to the Rev\n subdirectory, as described in the "Preparing packages for distribution" section, the files specified in the "List of package files to sign" setting are digitally signed. If you specified a Timestamp service URL, the signature also receives a timestamp, so that it remains valid even if the signing certificate has expired.

To check whether the specified files have been signed correctly, go to the Rev\n subdirectory of the package directory, open the properties of a signed file and switch to the "Digital Signatures" tab.
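
The same check can be scripted. The following is an added example, not part of the Packaging PowerBench or its documentation: it reports signature status, signer, timestamp and digest algorithm for each signed file in a revision folder. The path, the file list and the function name Get-ScriptDigestAlgorithm are assumptions, and the script is written for Windows PowerShell 5.1.

```powershell
# Added example: verify the signed files in a package revision folder.
# Assumed values (not from the documentation): $RevPath and $FilesToCheck.
param(
    [string]$RevPath = 'C:\Packages\ExamplePackage\Rev\1',   # placeholder path
    [string[]]$FilesToCheck = @('Script.ps1')   # names from "List of package files to sign"
)

Add-Type -AssemblyName System.Security   # provides SignedCms on Windows PowerShell 5.1

# Hypothetical helper: read the digest algorithm from the signature block of a .ps1 file.
function Get-ScriptDigestAlgorithm {
    param([string]$Path)
    # A signed script carries its PKCS#7 signature as base64 comment lines
    # between the two "# SIG #" marker lines.
    $inside = $false
    $b64 = foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -eq '# SIG # Begin signature block') { $inside = $true; continue }
        if ($line -eq '# SIG # End signature block') { break }
        if ($inside) { $line.Substring(2) }   # drop the leading "# "
    }
    if (-not $b64) { return $null }           # no signature block found
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([Convert]::FromBase64String(-join $b64))
    $cms.SignerInfos[0].DigestAlgorithm.FriendlyName
}

$results = foreach ($name in $FilesToCheck) {
    $file = Join-Path $RevPath $name.Trim()
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    $digest = if ($file -like '*.ps1') { Get-ScriptDigestAlgorithm -Path $file }
    [pscustomobject]@{
        File        = $name.Trim()
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate
        Digest      = $digest
        WeakDigest  = $digest -in 'sha1', 'md5'
    }
}
$results | Format-Table -AutoSize

# Fail when a file is not validly signed, lacks a timestamp or uses SHA1/MD5.
# Remove the timestamp condition if no Timestamp service URL is configured.
if ($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped -or $_.WeakDigest }) {
    exit 1
}
```

The digest check only covers .ps1 files, because it reads the signature block embedded in the script text; other file types report an empty Digest column.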