Windows Driver Kit: Device Installation
SignTool Tool

The SignTool tool (Signtool.exe) is a command-line CryptoAPI tool that digitally signs files, verifies signatures in files, and time-stamps files.

SignTool [Command] [Options] [FileName ...]

Partial list of commands, options, and parameters

Commands

sign
Configures SignTool to digitally sign the files whose names are supplied by the string "FileName …".
verify
Configures SignTool to verify the digital signature of the files whose names are supplied by the string "FileName …".
catdb
Configures SignTool to update a catalog database. SignTool either adds catalog files to a database or removes catalogs from a database. By default, the catdb command adds the files whose names are specified by the string "FileName …" to the system component (driver) database.

sign command options

/a
Configures SignTool to automatically select the best signing certificate. If this option is not present, SignTool expects to find only one signing certificate.
/ac CrossCertFileName
Specifies the name of a cross-certificate file that is used with a Software Publisher Certificate (SPC) that is named CertificateName and is installed in the certificate store StoreName. This option should only be used if the signing certificate is an SPC.
/s StoreName
Specifies the name of the certificate store to open when searching for the certificate to use to sign files. If this option is not specified, the My certificate store is opened.
/n CertificateName
Specifies the name of the signing certificate.
/t URL
Specifies a URL to a time stamp server. If this option is not provided, the signed file is not time-stamped. A catalog file or driver file should be time-stamped, because if the signer's key is compromised, the time stamp provides the information necessary to revoke the key that was used to sign the file.

verify command options

/c CatalogFileName
Specifies the name of a catalog file.
/kp
Configures SignTool to verify that the digital signature of each of the files whose names are supplied by the string "FileName …" complies with the kernel-mode code signing policy and the PnP device installation signing requirements on Windows Server 2008 and Windows Vista. If this option is not specified, SignTool only verifies that a signature complies with the PnP device installation signing requirements.
/pa
Configures SignTool to verify that the digital signature of each of the files whose names are supplied by the string "FileName …" complies with the PnP device installation signing requirements.

catdb command options

/r
Configures SignTool to remove each of the catalog files whose names are supplied by the string "FileName …" from the catalog database. If this option is not specified, SignTool adds the specified catalog files to the catalog database.
/u
Configures SignTool to generate a unique name, if necessary, for a catalog file to prevent a conflict with an existing catalog file in the catalog database. If this option is not specified and a catalog file is present in the catalog database that has the same name as a catalog file being added, SignTool overwrites the existing catalog file.

Options that apply to the sign command, verify command, and catdb command

/v
Configures SignTool to display the verbose version of operation and warning messages.
/?
Configures SignTool to display help information in a command window.
FileName …
A list of names of files to sign or verify, or a list of catalog files to add or remove from a catalog database. A file can be a catalog file for a driver package or a driver file.

Comments

SignTool supports a large number of options. The options described in this topic are limited to the ones that you can use to sign or verify a driver package or driver file.

For a complete list of SignTool parameters, see the Microsoft SignTool Web site.

For more information about signing files, see the Microsoft Cryptography Tools Web site.

The SignTool tool is located in the ..\bin\SelfSign folder of the WDK.

Signing Examples

The following is an example of how to sign a driver package catalog file using a Software Publisher Certificate (SPC) and a corresponding cross-certificate. This example is valid for signing a driver package for 64-bit versions of Windows Server 2008 and Windows Vista, which enforce the kernel-mode code signing policy. The example signs the driver package catalog file AbcCatFileName.cat. To sign the catalog file, the command uses the cross-certificate AbcCrossCertificate and the AbcSPCCertificate certificate, which is located in the AbcCertificateStore certificate store. The command also uses a publicly available time stamp server to sign the catalog file. The time stamp server is provided by VeriSign and its URL is http://timestamp.verisign.com/scripts/timestamp.dll.

SignTool sign /ac AbcCrossCertificate.cer /s AbcCertificateStore /n AbcSPCCertificate /t http://timestamp.verisign.com/scripts/timestamp.dll AbcCatFileName.cat

The following is an example of how to embed a signature in a driver file using an SPC and cross-certificate. All the parameters are the same as in the example that signs a catalog file, except that the file that is signed is AbcDriverFile.sys instead of the catalog file AbcCatFileName.cat.

SignTool sign /ac AbcCrossCertificate.cer /s AbcCertificateStore /n AbcSPCCertificate /t http://timestamp.verisign.com/scripts/timestamp.dll AbcDriverFile.sys

The following is an example of how to sign a driver package catalog file using a commercial release certificate or a commercial test certificate. This example is valid for signing a driver package for 32-bit versions of Windows Server 2008 and Windows Vista, which do not enforce the kernel-mode code signing policy. The example signs the driver package catalog file CatalogFileName.cat. The command uses the AbcTestCertificate test certificate, which is located in the TestCertificateStore certificate store, to sign the catalog file. The command also uses a publicly available time stamp server to sign the catalog file. The time stamp server is provided by VeriSign and its URL is http://timestamp.verisign.com/scripts/timestamp.dll.

SignTool sign /s TestCertificateStore /n AbcTestCertificate /t http://timestamp.verisign.com/scripts/timestamp.dll CatalogFileName.cat

Verifying Examples

The following is an example of how to verify that the signature of a driver package catalog file complies with the kernel-mode code signing policy and the PnP device installation signing requirements. The example verifies the signature of the catalog file CatalogFileName.cat.

SignTool verify /kp CatalogFileName.cat

The following is an example of how to verify that the signature of a file listed in a driver package catalog file complies with the kernel-mode code signing policy and the PnP device installation signing requirements. The example verifies the signature of the file AbcDriverPackage.inf, which must have a thumbprint entry in the catalog file CatalogFileName.cat.

SignTool verify /kp /c CatalogFileName.cat AbcDriverPackage.inf

The following is an example of how to verify that an embedded signature complies with the kernel-mode code signing policy on Windows Server 2008 and Windows Vista. The example verifies the signature that is embedded in the driver file AbcDriverFile.sys.

SignTool verify /kp AbcDriverFile.sys

The following is an example of how to verify that the signature of a driver package catalog file complies with the PnP device installation signing requirements. The example verifies the signature of the catalog file CatalogFileName.cat.

SignTool verify /pa CatalogFileName.cat
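The signing and verifying examples above can be chained into one script that signs a catalog, verifies it against the kernel-mode code signing policy, and independently confirms that a time stamp was embedded. This is an added example, not part of the WDK page; it assumes Signtool.exe is on the PATH (the WDK ships it in ..\bin\SelfSign) and reuses the page's placeholder certificate, store and file names.

```powershell
# Added example (not from the WDK page): sign, verify with /kp, then check the
# time stamp. Certificate, store and file names are the page's placeholders.
param(
    [string]$File      = 'AbcCatFileName.cat',
    [string]$CrossCert = 'AbcCrossCertificate.cer',
    [string]$Store     = 'AbcCertificateStore',
    [string]$CertName  = 'AbcSPCCertificate',
    [string]$TimeStamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    # Run signtool and stop on a non-zero exit code instead of continuing blindly.
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Sign: /ac, /s and /n select the SPC and its cross-certificate; /t adds a
#    time stamp so a later key compromise can be scoped by signing time.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', $Store, '/n', $CertName,
                  '/t', $TimeStamp, $File)

# 2. Verify against the kernel-mode code signing policy (/kp), which also
#    covers the PnP device installation signing requirements that /pa checks.
Invoke-SignTool @('verify', '/kp', '/v', $File)

# 3. Independent check, via the built-in cmdlet, that the signature is valid
#    and carries a time stamp countersignature.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status for $File is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "$File has no time stamp; revocation after key compromise cannot be scoped by signing time."
} else {
    Write-Host "Signed by $($sig.SignerCertificate.Subject); time stamped by $($sig.TimeStamperCertificate.Subject)"
}
```

Run it from a WDK build environment as an account that can read the private key in the named store; the script throws on the first failing step.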

Example of Adding a Catalog File to the System Component (Driver) Database

The following is an example of how to use SignTool to add the catalog file CatalogFileName.cat to the system component (driver) database. The /v option configures SignTool to operate in verbose mode and the /u option configures SignTool to generate a unique name for the catalog file being added, if necessary, to prevent replacing an already existing catalog file that has the same name as CatalogFileName.cat.

SignTool catdb /v /u CatalogFileName.cat
