Sign Tool (SignTool.exe)

Sign Tool (SignTool.exe)

Switch on low bandwidth view

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2008/.NET Framework 3.5

Other versions are also available for the following:

.NET Framework Tools

Sign Tool (SignTool.exe)

The Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.

Note:
The Sign Tool is not supported on Microsoft Windows NT, Windows Me, Windows 98, or Windows 95.

signtool [command] [options] [file_name | ...]

Parameters

Argument	Description
command	One of the command flags that specifies an operation to perform on a file.
options	One of the option flags that modifies a command flag.
file_name	The path to a file to sign.

The following commands are supported by Sign Tool.

Command	Description
catdb	Adds or removes a catalog file to or from a catalog database.
sign	Digitally signs files.
signwizard	Launches the signing wizard. Only a single file can be specified for the file name command-line argument.
timestamp	Time stamps files.
verify	Verifies the digital signature of files.

The following options apply to the catdbcommand.

Catdb option	Description
/d	Specifies that the default catalog database is updated. If neither the /dnor /g option is used, Sign Tool updates the system component and driver database.
/g GUID	Specifies that the catalog database identified by the globally unique identifier (GUID) is updated.
/r	Removes the specified catalog from the catalog database. If this option is not specified, Sign Tool will add the specified catalog to the catalog database.
/u	Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files will be renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool will overwrite any existing catalog that has the same name as the catalog being added.

Note:
Catalog databases are used for automatic lookup of catalog files.

The following options apply to thesigncommand.

Sign option	Description
/a	Automatically selects the best signing certificate. If this option is not present, Sign Tool expects to find only one valid signing certificate.
/c CertTemplateName	Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.
/csp CSPName	Specifies the cryptographic service provider (CSP) that contains the private key container.
/d Desc	Specifies a description of the signed content.
/du URL	Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.
/f SignCertFile	Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the CSP and private key container name, respectively.
/i IssuerName	Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.
/k PrivKeyContainerName	Specifies the private key container name.
/n SubjectName	Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
/p Password	Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f option.
/r RootSubjectName	Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.
/s StoreName	Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.
/sha1 Hash	Specifies the SHA1 hash of the signing certificate.
/sm	Specifies that a computer store, instead of a user store, is used.
/t URL	Specifies the URL of the time stamp server. If this option is not present, the signed file will not be time stamped. A warning is generated if time stamping fails.
/u Usage	Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).

The following option applies to thetimestamp command.

Timestamp option	Description
/t URL	Required. Specifies the URL of the time stamp server. The file being time stamped must have previously been signed.

The following options apply to the verify command.

Sign option	Description
/a	Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of files that may or may not be signed include Windows files or drivers.
/ad	Finds the catalog using the default catalog database.
/as	Finds the catalog using the system component (driver) catalog database.
/ag CatDBGUID	Finds the catalog in the catalog database identified by theGUID.
/c CatFile	Specifies the catalog file by name.
/o Version	Verifies the file by operating system version. The version parameter is of the form: PlatformID:VerMajor.VerMinor.BuildNumber
/pa	Specifies that the Default Authentication Verification Policy is used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.
/pg PolicyGUID	Specifies a verification policy by GUID. The GUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options.
/r RootSubjectName	Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.
/tw	Specifies that a warning is generated if the signature is not time stamped.

The following options apply to all Sign Tool commands.

Global option	Description
/q	No output on successful execution and minimal output for failed execution.
/v	Verbose output for successful execution, failed execution, and warning messages.

Remarks

Sign Tool requires that the CAPICOM 2.0 redistributable be installed on the local computer. The CAPICOM 2.0 redistributable is available from http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdkredist.htm.

The Sign Tool verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.

Sign Tool returns an exit code of zero for successful execution, one for failed execution, and two for execution that completed with warnings.

Examples

The command demonstrates how to sign a file automatically using the best certificate.

signtool sign /a MyFile.exe

Reference

.NET Framework Tools

SDK Command Prompt