The SignTool tool is a command-line tool that
digitally signs files, verifies signatures in files, or time stamps files. For information about why
signing files is important, see
Introduction to Code Signing.
The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.
SignTool is available as part of the Windows SDK, which you can download as part of the Windows SDK for Windows Server 2008 and .NET Framework 3.5.
Here is the syntax for SignTool:
signtool
[Command][Options][FileName …]
The following commands are supported by SignTool.
| Command | Description |
|---|
| catdb |
Adds or removes a catalog file to or from a catalog database.
|
| sign |
Digitally signs files.
|
| signwizard |
This command is not supported.
Windows Vista and earlier: Launches the signing wizard. Only a single file can be specified for the file name command-line parameter.
|
| timestamp |
Time stamps files.
|
| verify |
Verifies the digital signature of files.
|
The following options apply to the catdb command.
| Catdb option | Description |
|---|
| /d |
Specifies that the default catalog database be updated. If neither the /d
nor /g option is used,
SignTool updates the system component and driver
database.
|
| /g GUID |
Specifies that the catalog database identified by the GUID be updated.
|
| /r |
Removes the specified catalog from the catalog database. If this option is not specified,
SignTool will add the specified catalog to the catalog
database.
|
| /u |
Specifies that a unique name be automatically generated for the added catalog files. If necessary, the
catalog files are renamed to prevent name conflicts with existing catalog files. If this option is not
specified, SignTool overwrites any existing catalog
that has the same name as the catalog being added.
|
Note Catalog databases are used for automatic lookup of catalog files.
The following options apply to the sign command.
| Sign option | Description |
|---|
| /a |
Selects the best signing certificate automatically. If this option is not present,
SignTool expects to find only one valid signing
certificate.
|
| /ac FileName |
Specifies a file that contains an additional certificate to add to the signature block.
|
| /c CertTemplateName |
Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.
|
| /csp CSPName |
Specifies the
cryptographic service provider
(CSP) that contains the private key container.
|
| /d Desc |
Specifies a description of the signed content.
|
| /du URL |
Specifies a URL for expanded description of the signed content.
|
| /f SignCertFile |
Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is
supported. You can use the PVK2PFX.exe tool to convert SPC and PVK files to PFX format.
If the file is in PFX format protected by a password, use the /p option
to specify the password. If the file does not contain private keys, use the
/csp and /k options to specify the CSP
and private key container name, respectively.
|
| /i IssuerName |
Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire
issuer name.
|
| /fd |
Specifies the file digest algorithm to use to create file
signatures. The default algorithm is Secure Hash Algorithm (SHA-1).
Windows Vista and earlier: This flag is not supported.
|
| /j DLL |
This flag is not supported.
Windows Vista and earlier: Specifies the name of a DLL that provides attributes of the signature.
|
| /jp ParameterName |
This flag is not supported.
Windows Vista and earlier: Specifies a parameter that is passed to the DLL specified by the /j command.
|
| /k PrivKeyContainerName |
Specifies the private key container name.
|
| /kc Name |
Specifies the key that contains the name of the private key.
|
| /n SubjectName |
Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
|
| /nph |
If supported, suppresses page hashes for executable files.
The default behavior is determined by the SIGNTOOL_PAGE_HASHES
environment variable and by the Wintrust.dll version. This option is ignored for non-PE files.
|
| /p Password |
Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f option. For information about protecting passwords, see
Handling Passwords.
|
| /ph |
If supported, generates page hashes for executable files. This option is ignored for non-PE files.
|
| /r RootSubjectName |
Specifies the name of the subject of the root certificate that the signing certificate must chain to. This
value can be a substring of the entire subject name of the root certificate.
|
| /s StoreName |
Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.
|
| /sha1 Hash |
Specifies the SHA1 hash of the signing certificate.
|
| /sm |
Specifies that a computer store, instead of a user store, be used.
|
| /snk FileName |
This flag is not supported.
Windows Vista and earlier: Specifies the SNK file that contains the strong name private key.
|
| /sncsp Name |
This flag is not supported.
Windows Vista and earlier.: Specifies the CSP that contains the strong name private key container.
|
| /snkc Name |
This flag is not supported.
Windows Vista and earlier: Specifies the key that contains the name of the strong name private key.
|
| /snks {1|2} |
This flag is not supported.
Windows Vista and earlier: Specifies which strong name private key to use. If this argument is not used, the default value 2 is assumed.
The following values are supported:
- 1
AT_KEYEXCHANGE
- 2 (default)
AT_SIGNATURE
|
| /t URL |
Specifies the URL of the time stamp server. If this option is not present, then the signed file will not
be time stamped. A warning is generated if time stamping fails.
|
| /td alg |
Used with the /tr switch to request a digest algorithm used by the
RFC 3161 time stamp server.
Windows Vista and earlier: This flag is not supported.
|
| /tr URL |
Specifies the RFC 3161 time stamp server's URL. If this option
(or /t) is not specified, the signed file will not be time stamped.
A warning is generated if time stamping fails. This switch cannot
be used with the /t switch.
Windows Vista and earlier: This flag is not supported.
|
| /u Usage |
Specifies the enhanced key usage
(EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The
default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
|
| /uw |
Specifies using "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).
|
The following option applies to the timestamp command.
| Timestamp option | Description |
|---|
| /t URL |
Required. Specifies the URL of the time stamp server. The file being time stamped must have previously been signed.
|
The following options apply to the verify command.
| Verify option | Description |
|---|
| /a |
Specifies that all methods can be used to verify the file. First, the catalog databases are searched to
determine whether the file is signed in a catalog. If the file is not signed in any catalog,
SignTool attempts to verify the file's embedded
signature. This option is recommended when verifying files that may or may not be signed in a catalog.
Examples of files that may or may not be signed include Windows files or drivers.
|
| /ad |
Finds the catalog by using the default catalog database.
|
| /as |
Finds the catalog by using the system component (driver) catalog database.
|
| /ag CatDBGUID |
Finds the catalog in the catalog database identified by the GUID.
|
| /c CatFile |
Specifies the catalog file by name.
|
| /d |
Print the description and description URL.
Windows Vista and earlier: This flag is not supported.
|
| /kp |
Performs the verification by using the x64 kernel-mode driver signing policy.
|
| /o Version |
Verifies the file by operating system version. The version parameter is of the form:
PlatformID:VerMajor.VerMinor.BuildNumber
|
| /pa |
Specifies that the Default Authentication Verification Policy is used. If the /pa option is not specified,
SignTool uses the Windows Driver Verification Policy.
This option cannot be used with the catdb options.
|
| /pg PolicyGUID |
Specifies a verification policy by GUID. The
GUID corresponds to the ActionID of the verification policy. This option cannot
be used with the catdb options.
|
| /ph |
Print and verify page hash values.
Windows Vista and earlier: This flag is not supported.
|
| /r RootSubjectName |
Specifies the name of the subject of the root certificate that the signing certificate must chain to. This
value can be a substring of the entire subject name of the root certificate.
|
| /tw |
Specifies that a warning is generated if the signature is not time stamped.
|
The following options apply to all SignTool commands.
| Global option | Description |
|---|
| /q |
No output on successful execution and minimal output for failed execution.
|
| /v |
Verbose output for successful execution, failed execution, and warning messages.
|
The SignTool
verify command determines whether the signing certificate was issued by a trusted
authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate
is valid for a specific policy.
SignTool returns an exit code of zero for successful
execution, one for failed execution, and two for execution that completed with warnings.
The following command line shows signing a file automatically using the best certificate.
signtool sign /a MyFile.exe
Note When signing an executable file that is larger than approximately 300 megabytes for use on a computer running Windows XP with Service Pack 2 (SP2) and later, you should use catalog
signing with the MakeCat tool rather than use the
SignTool tool. Depending on the available
system resources of the computer on which the file is verified, some applications may not be able to verify the binary signature of a large file. For more
information, see KB article 922225.
Send comments about this topic to Microsoft
Build date: 11/16/2009