
Sign Tool (SignTool.exe) 

The Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.

Note

The Sign Tool is not supported on Microsoft Windows NT, Windows Me, Windows 98, or Windows 95.


signtool [command] [options] [file_name | ...]

Parameters

Argument Description

command

One of the command flags that specifies an operation to perform on a file.

options

One of the option flags that modifies a command flag.

file_name

The path to a file to sign.

The following commands are supported by Sign Tool.

Command Description

catdb

Adds or removes a catalog file to or from a catalog database.

sign

Digitally signs files.

signwizard

Launches the signing wizard. Only a single file can be specified for the file name command-line argument.

timestamp

Time stamps files.

verify

Verifies the digital signature of files.

The following options apply to the catdb command.

Catdb option Description

/d

Specifies that the default catalog database is updated. If neither the /d nor /g option is used, Sign Tool updates the system component and driver database.

/g GUID

Specifies that the catalog database identified by the globally unique identifier (GUID) is updated.

/r

Removes the specified catalog from the catalog database. If this option is not specified, Sign Tool will add the specified catalog to the catalog database.

/u

Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files will be renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool will overwrite any existing catalog that has the same name as the catalog being added.

Note

Catalog databases are used for automatic lookup of catalog files.

The following options apply to the sign command.

Sign option Description

/a

Automatically selects the best signing certificate. If this option is not present, Sign Tool expects to find only one valid signing certificate.

/c CertTemplateName

Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.

/csp CSPName

Specifies the cryptographic service provider (CSP) that contains the private key container.

/d Desc

Specifies a description of the signed content.

/du URL

Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.

/f SignCertFile

Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the CSP and private key container name, respectively.

/i IssuerName

Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.

/k PrivKeyContainerName

Specifies the private key container name.

/n SubjectName

Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

/p Password

Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f option.

/r RootSubjectName

Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.

/s StoreName

Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.

/sha1 Hash

Specifies the SHA1 hash of the signing certificate.

/sm

Specifies that a computer store, instead of a user store, is used.

/t URL

Specifies the URL of the time stamp server. If this option is not present, the signed file will not be time stamped. A warning is generated if time stamping fails.

/u Usage

Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
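The following PowerShell function is an added example, not part of the original documentation, that drives the sign command with the options listed above (/f, /p, /d, /du, /t, /v) and interprets the exit code. It assumes signtool.exe is on the PATH; the file and certificate paths and the time stamp URL are placeholders.

```powershell
# Added example (not from the original documentation). Wraps "signtool sign"
# using the options documented above. Assumes signtool.exe is on PATH; paths
# and the time stamp URL used in the usage line are placeholders.
function Invoke-SignToolSign {
    param(
        [Parameter(Mandatory)] [string] $FilePath,      # file to sign
        [Parameter(Mandatory)] [string] $PfxPath,       # /f  signing certificate (PFX)
        [string] $PfxPassword,                          # /p  PFX password
        [string] $Description,                          # /d  description of signed content
        [string] $DescriptionUrl,                       # /du URL for the expanded description
        [string] $TimestampUrl                          # /t  time stamp server
    )

    # Build the argument list from the documented sign options.
    $stArgs = @('sign', '/v', '/f', $PfxPath)
    if ($PfxPassword)    { $stArgs += @('/p',  $PfxPassword) }
    if ($Description)    { $stArgs += @('/d',  $Description) }
    if ($DescriptionUrl) { $stArgs += @('/du', $DescriptionUrl) }
    if ($TimestampUrl)   { $stArgs += @('/t',  $TimestampUrl) }
    $stArgs += $FilePath

    & signtool.exe @stArgs
    $code = $LASTEXITCODE

    # Exit codes per the documentation: 0 success, 1 failure, 2 completed with warnings.
    # A failed time stamp request is reported as a warning: the file is signed but
    # the signature carries no time stamp.
    switch ($code) {
        0       { return 'Signed' }
        2       { return 'SignedWithWarnings' }
        default { throw "signtool sign failed for $FilePath (exit code $code)" }
    }
}

# Usage (placeholder paths and URL):
# Invoke-SignToolSign -FilePath .\build\MyFile.exe -PfxPath .\certs\codesign.pfx `
#     -PfxPassword (Read-Host 'PFX password') -Description 'My File' `
#     -TimestampUrl 'http://timestamp.example/placeholder'
```

Two points worth checking in a real pipeline: a value passed with /p appears in the process command line and is visible to anyone who can list processes on the build host, so for production signing the /csp and /k options, which keep the private key in a CSP container rather than in a PFX file, are the safer route; and because a time stamp failure only produces exit code 2, a build script that treats anything other than 0 as success will ship signatures that expire with the certificate.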

The following option applies to the timestamp command.

Timestamp option Description

/t URL

Required. Specifies the URL of the time stamp server. The file being time stamped must have previously been signed.

The following options apply to the verify command.

Verify option Description

/a

Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of files that may or may not be signed include Windows files or drivers.

/ad

Finds the catalog using the default catalog database.

/as

Finds the catalog using the system component (driver) catalog database.

/ag CatDBGUID

Finds the catalog in the catalog database identified by the GUID.

/c CatFile

Specifies the catalog file by name.

/o Version

Verifies the file by operating system version. The version parameter is of the form: PlatformID:VerMajor.VerMinor.BuildNumber

/pa

Specifies that the Default Authentication Verification Policy is used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.

/pg PolicyGUID

Specifies a verification policy by GUID. The GUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options.

/r RootSubjectName

Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.

/tw

Specifies that a warning is generated if the signature is not time stamped.

The following options apply to all Sign Tool commands.

Global option Description

/q

No output on successful execution and minimal output for failed execution.

/v

Verbose output for successful execution, failed execution, and warning messages.

Sign Tool requires that the CAPICOM 2.0 redistributable be installed on the local computer. The CAPICOM 2.0 redistributable is available from http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdkredist.htm.

The Sign Tool verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.

Sign Tool returns an exit code of zero for successful execution, one for failed execution, and two for execution that completed with warnings.
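The following PowerShell function is an added example, not part of the original documentation, showing how the verify command and the exit codes just described combine into a batch check over a release folder. It assumes signtool.exe is on the PATH; the folder path in the usage line is a placeholder.

```powershell
# Added example (not from the original documentation). Runs "signtool verify"
# over every binary under a folder and maps the documented exit codes
# (0 success, 1 failure, 2 completed with warnings) to a status.
# Assumes signtool.exe is on PATH; the folder path is a placeholder.
function Test-SignToolVerify {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.sys', '*.msi')
    )

    Get-ChildItem -Path $Folder -Include $Extensions -File -Recurse | ForEach-Object {
        # /a  : search the catalog databases first, then the embedded signature
        # /pa : Default Authentication Verification Policy instead of the driver policy
        # /tw : raise a warning when the signature is not time stamped
        # /q  : no output on success; the exit code carries the verdict
        & signtool.exe verify /a /pa /tw /q $_.FullName 2>&1 | Out-Null
        $code = $LASTEXITCODE

        $status = switch ($code) {
            0       { 'Trusted' }
            2       { 'TrustedNoTimestamp' }   # verified, but completed with a warning
            default { 'Untrusted' }            # unsigned, untrusted root, revoked or tampered
        }

        [pscustomobject]@{ File = $_.FullName; ExitCode = $code; Status = $status }
    }
}

# Usage (placeholder path): report everything that is not cleanly trusted.
# Test-SignToolVerify -Folder 'C:\Deploy\Release' | Where-Object Status -ne 'Trusted'
```

Because the verify command performs chain building and revocation checking, an exit code of 1 covers several different conditions (no signature, an untrusted root, a revoked certificate, or a modified file); rerun the failing file with /v instead of /q to see which one applied.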

The following command demonstrates how to sign a file automatically using the best certificate.

signtool sign /a MyFile.exe

Community Content
Wizard no longer supported

Documentation update needed; "signwizard" option no longer available in SignTool.

Cause this is a program where we want as little help as possible.

SignTool.exe and the signwizard Option

This is the documentation set for the version of SignTool.exe that was included with the .NET Framework 2.0/Visual Studio 2005. In that version of SignTool.exe, the signwizard option is supported. So the documentation is correct.

The signwizard option was removed in the version of SignTool.exe that shipped with the .NET Framework 4/Visual Studio 2010. Its documentation appears at http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx. The signwizard option is not listed there. Again, the documentation is correct.

It is, unfortunately, easy to navigate to a topic that is in the wrong (usually earlier) documentation set. In lightweight view, the documentation set to which a topic applies appears immediately below the topic title, and an Other Version allows you to switch to a different version. In classic view, the version appears in the version box in the top right corner of the page, and it includes links to the topic in other versions of the documentation.

--Ron Petrusha
Common Language Runtime User Education
Microsoft Corporation

signtool.exe error

We have tried to configure a security-enabled build, following the steps described in the Game for Windows document, but there seems to be a problem. Basically, what we did was to switch to the Security-Enabled version of Xlive.dll from the Run-time Management Tool, after that we have created the catalog definition file and ran Makecat.exe to create the catalog file. Then we have signed the catalog file using the following commands:

makecert.exe -r -sv Game.pvk -n "CN=Company" Game.cer

pvk2pfx.exe -pvk Game.pvk -spc Game.cer -pfx Game.pfx -po testpass

signtool.exe sign /f Game.pfx /p testpass /v Game.exe.cat

The result is creating the Game.pfx file with no errors.

The problem is when building the installer using the Game for Windows LIVE Install Designer. We receive the following error:

Signing c:\Projects\Alaska\code\pc\Installer\Output\Content\ChainInstall.xml.cat

signtool.exe sign /f "C:\Projects\Alaska\code\pc\Installer\Catalog\Game.pfx" /v "c:\Projects\Alaska\code\pc\Installer\Output\Content\ChainInstall.xml.cat"

signtool.exe failed

--------------------------------------------------

Build failed!

Any idea what we are doing wrong?

Can SignTool.exe help you find the class of the digital certificate used to sign a binary?

I am trying to find out whether Signtool.exe allows one to find out the class of the digital certificate that was used to sign a binary (specifically an MSI package)?

Esther Fan, MSFT: Thank you for your feedback. You might want to try posting your question on the forums:
MSDN: http://social.msdn.microsoft.com/Forums/en-US/categories