File Signing Tool (Signcode.exe)
The File Signing tool signs a portable executable (PE) file (.dll or .exe file) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly. If you are distributing an assembly, you should sign the assembly rather than the individual files. Running Signcode.exe without specifying any options launches a wizard that helps with signing.
The File Signing Tool only ships with the .NET Framework SDK version 1.0 and 1.1. In later versions, use the Sign Tool (SignTool.exe) utility instead.
The name of the PE file to sign.
The name of the assembly to sign. This file must contain an assembly manifest.
Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the certificate's highest permission.
Specifies the hashing algorithm for signing, which must be either md5 (the default) or sha1.
Specifies the file that contains the encoded software publishing certificate.
Specifies the common name of the certificate.
Specifies a place to get more information on content (usually a URL).
Specifies the name of a DLL that returns an array of authenticated attributes for signing files. You can specify more than one DLL by repeating the -j option.
Specifies a parameter to be passed for the preceding DLL. For example: -j dll1 -jp dll1Param. The tool allows only one parameter per DLL.
Specifies the key container name.
Specifies the key type, which must be signature, exchange, or an integer (such as 4).
Specifies a text name that represents the content of the file to sign.
Specifies the name of the cryptographic provider on the system.
Specifies the location of the certificate store in the registry, which must be either currentuser (the default) or localmachine.
Specifies the certificate store that contains the signing certificate. The default is my store.
Specifies the thumbprint, which is the sha1 hash of the signing certificate included in the certificate store.
Sets the certificate store policy, which must be either spcStore (the default) or chain. If you specify chain, all certificates in the verification chain, including self-signed certificates, are added to the signature. If you specify spcStore, trusted, self-signed certificates are not included with the certificates in the chain that are added to the signature.
Specifies the SPC file that contains software publishing certificates.
Indicates that the file is to be timestamped by the timestamp server at the specified http address.
Specifies the maximum number of timestamp trials until success; defaults to 1.
Specifies the delay (in number of seconds) between each timestamp trial. Defaults to 0.
Specifies the private key (.pvk) file name that contains the private key.
Timestamps, but does not sign, the file.
Specifies the cryptographic provider type to use.
A cryptographic provider contains implementations of cryptographic standards and algorithms. For a list of the default provider types, see "Microsoft Cryptographic Service Providers" in the Platform SDK.
Displays command syntax and options for the tool.
To sign with a software publisher certificate (SPC) file, you must specify the -spc and -v options if your private key is in a PVK file. If your private key is in a registry key container, you must specify the -spc and -k options. If you want to sign your file with an SPC file, you should create the SPC file using the Certificate Creation tool and the Software Publisher Certificate Test tool.
The following command signs XYZ.exe using the XYZ.spc Software Publisher Certificate and the private key in the registry key container XYZ.
signcode /spc XYZ.spc /k XYZ XYZ.exe
The following command signs the assembly myAssembly using the certificate in myCertificate.spc and the private key in myKey.pvk.
signcode /spc myCertificate.spc /v myKey.pvk myAssembly