PowerShell script signing in 2026 is more important and more expensive than it was two years ago. Microsoft tightened SmartScreen warnings on unsigned PS1 downloads, the CA/B Forum reduced max code-signing certificate validity to 459 days from February 2026, and DigiCert moved to 1-year-only plans. Software-only certificate keys are gone. Every standard (OV) code signing certificate now requires a hardware token or HSM.
If you have not signed a PowerShell script since 2023, your workflow probably no longer works. Below is the current 2026 process: which certificate to buy, how to sign, common errors, and the cloud signing services that replaced the old USB token workflow.
Quick reference: PowerShell signing in 2026
| Item | Detail |
|---|---|
| Cmdlet | `Set-AuthenticodeSignature` |
| Cert location | `Cert:\CurrentUser\My` (use `-CodeSigningCert`) |
| Required EKU | Code Signing (OID 1.3.6.1.5.5.7.3.3) |
| Hash algorithm | SHA256 (SHA1 deprecated) |
| Timestamp | Mandatory: `-TimestampServer "http://timestamp.digicert.com"` |
| Key storage | Hardware token, HSM, or cloud signing service |
| Max cert validity | 459 days (CA/B Forum, from Feb 23, 2026) |
The basic signing command
```powershell
# -CodeSigningCert can return several certs; take one that has a private key
# (pin by thumbprint instead if you keep more than one signing cert installed)
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Set-AuthenticodeSignature -FilePath .\script.ps1 -Certificate $cert -TimestampServer "http://timestamp.digicert.com" -HashAlgorithm SHA256
```
Three details that matter:
`-CodeSigningCert`: Filters to certificates with the Code Signing EKU. Without this filter, you may pick a TLS or email cert that does not work for code signing.
`-TimestampServer`: Without a timestamp, the signature breaks the moment the certificate expires (for example, 12 months from now). With a timestamp, the signature remains valid past expiration because the timestamp authority cryptographically attests the signing happened while the cert was valid.
`-HashAlgorithm SHA256`: SHA1 is deprecated and SHA1-signed code is no longer trusted by SmartScreen or by modern Windows signature checks. Always SHA256.
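The three details above are easy to get wrong silently (the wrong cert gets picked, or the timestamp request fails and the signature still reports Valid). The following is an added example, not code from the original article: it pins the certificate by thumbprint, refuses expired or private-key-less certs, signs with the full chain embedded, and then re-reads the file to confirm a timestamp countersignature actually landed. The thumbprint and script path are placeholders.

```powershell
# Added example: select, sign, verify. Thumbprint and path are placeholders.

function Get-SigningCertificate {
    param(
        [string]$Thumbprint,                     # optional: pin to one cert
        [string]$StoreLocation = 'Cert:\CurrentUser\My'
    )
    $now = Get-Date
    # Only certs with the Code Signing EKU, a usable private key, and inside their validity window
    $candidates = Get-ChildItem $StoreLocation -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }
    if ($Thumbprint) {
        $candidates = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    }
    if (-not $candidates) {
        throw "No usable code signing certificate found in $StoreLocation"
    }
    if (@($candidates).Count -gt 1) {
        $list = ($candidates | ForEach-Object {
            "$($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter.ToShortDateString())"
        }) -join "`n"
        throw "Several certificates match; pass -Thumbprint to pick one:`n$list"
    }
    return $candidates
}

function Invoke-ScriptSigning {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )
    # -IncludeChain All embeds the intermediates, so verifiers do not have to fetch them
    $result = Set-AuthenticodeSignature -FilePath $Path -Certificate $Certificate `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All
    if ($result.Status -ne 'Valid') {
        throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
    }
    # Re-read the file: a signature without a TSA countersignature dies with the cert
    $check = Get-AuthenticodeSignature -FilePath $Path
    if (-not $check.TimeStamperCertificate) {
        throw "Signed, but not timestamped: signature becomes invalid on $($Certificate.NotAfter)"
    }
    return $check
}

# Usage (placeholder thumbprint and path)
$cert = Get-SigningCertificate -Thumbprint 'REPLACE_WITH_YOUR_THUMBPRINT'
$sig  = Invoke-ScriptSigning -Path .\script.ps1 -Certificate $cert
"{0}: {1}; signer {2}; timestamped by {3}" -f $sig.Path, $sig.Status,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

Pinning by thumbprint matters more than it looks: a renewed certificate usually lands in the same store next to the old one, and `Select-Object -First 1` will happily sign with whichever sorts first.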
Pick the right certificate type
Three certificate categories matter:
OV (Organization Validation): Standard code signing. Identity verified through business documents (business registration, phone verification). Requires hardware token or HSM since June 2023. Builds SmartScreen reputation gradually as users execute your signed code.
EV (Extended Validation): Premium code signing. Stricter identity verification. Gets immediate SmartScreen reputation, no warning on first download. Required to register with the Windows Hardware Dev Center, which is the only route to a kernel-mode driver signature (Microsoft itself signs the driver; the EV cert proves who submitted it). Also requires HSM/USB token.
Cloud signing services: DigiCert KeyLocker, Azure Trusted Signing, SSL.com eSigner. The certificate lives on a managed HSM in the cloud. You sign by API call instead of physical USB token. Solves the lost-token, broken-token, and remote-team problems. Azure Trusted Signing at $9.99/month is the cheapest credible option in 2026.
Cert pricing in 2026
| Provider | OV per year | EV per year |
|---|---|---|
| Sectigo | $211-$249 | $279+ |
| SSL.com | $179+ | $299+ |
| DigiCert | $399.99 | $559-$799 |
| GlobalSign | Enterprise tier | $12K-$20K/year volume |
| Azure Trusted Signing | $9.99/month | N/A |
Two notes:
- Validity caps: From Feb 23, 2026 the CA/B Forum caps validity at 459 days. DigiCert moved to 1-year-only plans starting Feb 15, 2026. Buying a 3-year cert is no longer possible from major CAs.
- Hardware costs: USB tokens (FIPS 140-2 Level 2) typically run $50-$150 from the CA. Most CAs ship the token with the certificate.
Cloud signing vs hardware token
For most 2026 workflows, cloud signing is the better default:
Hardware token:
- One-time setup, then sign locally
- Lost token = expensive replacement and re-issuance
- Not usable from CI/CD pipelines unless a dedicated build agent has the token plugged in and the signing step is pinned to that agent
- Required for some compliance regimes that mandate physical separation
Cloud signing:
- Centrally managed, accessible by API
- Works from CI/CD pipelines (GitHub Actions, Azure DevOps)
- Multiple users can sign without rotating physical tokens
- Subscription-based, no upfront hardware cost
If you ship signed code from CI/CD or have a remote team, cloud signing wins. If you are a solo developer signing once a month, a hardware token still works.
Common signing errors
Five errors that trip people up:
"Certificate is not valid for code signing": Wrong EKU. Check `(Get-ChildItem Cert:\CurrentUser\My).EnhancedKeyUsageList` for "Code Signing". Without this OID, the cert cannot sign code.
"UnknownError": Usually no timestamp server reachable. Check internet connection or try a different timestamp server (`http://timestamp.sectigo.com`, `http://timestamp.globalsign.com/scripts/timstamp.dll`).
"Cannot sign code" (or a signature that verifies on your machine but shows `HashMismatch` elsewhere): Script encoding issue. Save PowerShell scripts as UTF-8 with BOM or plain ASCII before signing. Without a BOM, Windows PowerShell reads the file as ANSI while PowerShell 7 reads it as UTF-8, so a script with non-ASCII characters is decoded differently on different machines and the signature check disagrees. Note that `Set-Content -Encoding UTF8` writes a BOM in Windows PowerShell 5.1 but not in PowerShell 7; in PowerShell 7 use `-Encoding utf8BOM`.
"HashMismatch": The script was edited after signing. Re-sign after every change.
"The signature of the certificate cannot be verified": Certificate chain incomplete. Install the intermediate certs from your CA. Most CAs publish a "chain installation" guide.
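Each of the five errors above can be tested for before you sign rather than diagnosed afterwards. The function below is an added example, not code from the original article: it checks the EKU and private key, builds the certificate chain, inspects the file's first bytes for a UTF-8 BOM, probes the timestamp servers listed above, and flags a stale signature on an already-edited file. The script path and certificate are placeholders.

```powershell
# Added example: pre-flight checks mapped to the five common signing errors.

function Test-SigningPreflight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$TimestampServers = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. "Certificate is not valid for code signing": EKU and private key
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $hasEku = $Certificate.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid }
    if (-not $hasEku) { $findings.Add("Certificate lacks the Code Signing EKU ($codeSigningOid)") }
    if (-not $Certificate.HasPrivateKey) { $findings.Add('No private key for this certificate on this machine/token') }

    # 5. "The signature of the certificate cannot be verified": can the chain be built locally?
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline; revocation is checked at verify time
    if (-not $chain.Build($Certificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Chain does not build: $reasons (install the CA's intermediate certificates)")
    }

    # 3. "Cannot sign code": encoding. Accept a UTF-8 BOM or pure ASCII content.
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $hasBom  = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $isAscii = -not ($bytes | Where-Object { $_ -gt 0x7F } | Select-Object -First 1)
    if (-not $hasBom -and -not $isAscii) {
        $findings.Add('Script contains non-ASCII bytes but no UTF-8 BOM; re-save as UTF-8 with BOM')
    }

    # 2. "UnknownError": is at least one timestamp server reachable?
    $reachable = $false
    foreach ($url in $TimestampServers) {
        try {
            # A HEAD is not an RFC 3161 request, but any HTTP answer (even 4xx/5xx) proves reachability
            Invoke-WebRequest -Uri $url -Method Head -TimeoutSec 5 -UseBasicParsing -ErrorAction Stop | Out-Null
            $reachable = $true; break
        } catch {
            if ($_.Exception.Response) { $reachable = $true; break }
        }
    }
    if (-not $reachable) { $findings.Add('No timestamp server reachable; check proxy/firewall') }

    # 4. "HashMismatch": a previous signature that no longer matches the content
    $existing = Get-AuthenticodeSignature -FilePath $Path
    if ($existing.Status -eq 'HashMismatch') {
        $findings.Add('File was edited after signing; re-sign to replace the stale signature block')
    }

    [pscustomobject]@{ Path = $Path; Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Usage (placeholder path; first usable cert in the store)
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
(Test-SigningPreflight -Path .\script.ps1 -Certificate $cert).Findings
```

The chain check deliberately skips revocation so it works on an offline signing host; the verifying machine will still do its own revocation lookup.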
Windows 11 24H2 execution policy in 2026
Out-of-box defaults:
- Windows clients (Windows 11 24H2 included): `Restricted`. No script files run until the policy is changed; once set to `RemoteSigned`, a valid signature is required only for scripts that carry Mark of the Web (downloaded from the internet), not for scripts written locally.
- Windows Server: `RemoteSigned` (default).
- Group Policy / WDAC enforcement: Increasingly common in enterprises. AppLocker rules can block any unsigned script regardless of execution policy.
Check current policy:
```powershell
Get-ExecutionPolicy -List
```
Set per-machine policy (admin required):
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
```
For enterprises: Windows Defender Application Control (WDAC, renamed App Control for Business) or AppLocker is the right enforcement mechanism in 2026. Execution policy is a safety feature, not a security boundary: `powershell -ExecutionPolicy Bypass` or piping script text into the host defeats it. WDAC and AppLocker check signatures in the OS itself and put PowerShell into Constrained Language Mode for scripts the policy does not allow.
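Since `RemoteSigned` only demands a signature for files carrying Mark of the Web, "will this script run here?" depends on three things: the effective policy and which scope set it, whether the file has a `Zone.Identifier` stream, and the signature status. The function below is an added example, not code from the original article, that pulls those three together into one verdict and also reports the session's language mode, which is how you notice WDAC or AppLocker enforcement. The script path is a placeholder.

```powershell
# Added example: predict whether a script runs under the effective execution policy.

function Test-RemoteSignedVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $effective = Get-ExecutionPolicy          # the most specific defined scope wins
    $scopes    = Get-ExecutionPolicy -List    # listed in precedence order

    # Mark of the Web is stored in the Zone.Identifier alternate data stream (NTFS only)
    $zone = $null
    try {
        $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $zone = ($motw | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
    } catch { }   # no stream: the file counts as local

    $sig          = Get-AuthenticodeSignature -FilePath $Path
    $fromInternet = $zone -in @('3', '4')     # 3 = Internet zone, 4 = Restricted sites

    $wouldRun = switch ($effective) {
        'Unrestricted' { $true }                                              # may prompt for MotW files
        'Bypass'       { $true }
        'RemoteSigned' { (-not $fromInternet) -or ($sig.Status -eq 'Valid') }
        'AllSigned'    { $sig.Status -eq 'Valid' }
        default        { $false }                                             # Restricted
    }

    [pscustomobject]@{
        Path            = $Path
        EffectivePolicy = $effective
        PolicyScope     = ($scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1).Scope
        ZoneId          = $zone
        SignatureStatus = $sig.Status
        WouldRun        = $wouldRun
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage = WDAC/AppLocker lockdown
    }
}

# Usage (placeholder path)
Test-RemoteSignedVerdict -Path .\script.ps1
```

If `LanguageMode` comes back as `ConstrainedLanguage`, the execution policy verdict is moot: the application control policy, not `Set-ExecutionPolicy`, decides what runs, and only scripts it allows get Full Language Mode.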
What changed in 2025-2026
Three real shifts:
459-day validity cap (Feb 23, 2026): CA/B Forum baseline reduced max code signing cert lifetime. Annual renewal is the new normal. Plan for it in your operations budget.
Mandatory hardware key storage (since June 2023, still applies): All standard (OV) code signing certs must be on hardware tokens or HSMs. Software-only certs are gone. This pushed many shops to cloud signing services.
Azure Trusted Signing at $9.99/month (2024-2025 launch): Microsoft's cloud signing service is the cheapest credible option. Managed HSM, API-driven, integrates with Azure DevOps and GitHub Actions. Worth considering if you sign frequently.
FAQ
Do I need to sign every PowerShell script?
For internal scripts running on machines where you control execution policy: not strictly. For scripts distributed to other users, downloaded from the internet, or run on systems with `RemoteSigned` policy: yes. Signing is also required by many enterprise WDAC and AppLocker policies.
Can I use a self-signed certificate for production?
Not for code you distribute. A self-signed certificate is trusted only on machines where you have imported it into both Trusted Root Certification Authorities and Trusted Publishers, which is workable for a lab or an internal fleet you manage with Group Policy, but SmartScreen and `RemoteSigned`/`AllSigned` checks on anyone else's machine reject it. Use a CA-issued certificate from Sectigo, DigiCert, SSL.com, or Azure Trusted Signing.
How much does a code signing certificate cost in 2026?
OV certificates run $179-$400/year. EV certificates run $279-$800/year. Azure Trusted Signing at $9.99/month is the cheapest cloud option. Hardware tokens add $50-$150 if you choose token-based instead of cloud signing.
What is the difference between OV and EV code signing?
OV builds SmartScreen reputation gradually as users execute your code. EV gets immediate SmartScreen reputation (no warning on first download). EV is required to register with the Windows Hardware Dev Center, which is how kernel-mode drivers get their Microsoft-issued signature. Both require hardware tokens or HSM.
How do I sign PowerShell scripts in CI/CD?
Use a cloud signing service: Azure Trusted Signing, DigiCert KeyLocker, or SSL.com eSigner. They expose APIs that GitHub Actions, Azure DevOps, and other CI tools can call. Hardware tokens are not practical in CI/CD.
Sources and further reading
- Microsoft Learn signing documentation
- Gradenegger on PowerShell code signatures
- essential security best practices