
SignTool

SignTool (Signtool.exe) is a command-line CryptoAPI tool that digitally signs files, verifies signatures in files, and timestamps files.


    SignTool [Operation] [Switches] [FileName ...]

Partial list of operations, switches, and arguments

Operations

catdb

Configures SignTool to update a catalog database. SignTool either adds catalog files to a database or removes catalogs from a database. By default, the catdb command adds the files, whose names are specified by the FileName argument, to the system component (driver) database.

Note  Catalog databases are used for automatic lookup of catalog files.

sign

Configures SignTool to digitally sign the files whose names are specified by the FileName argument.

timestamp

Configures SignTool to timestamp the files whose names are specified by the FileName argument.

verify

Configures SignTool to verify the digital signature of the files whose names are specified by the FileName argument.

Catdb operation switches

/d

Specifies that the default catalog database is to be updated. If neither the /d nor the /g switch is used, SignTool updates the system component and driver database.

/g Guid

Configures SignTool to update the catalog database identified by the GUID argument.

/r

Configures SignTool to remove each of the catalog files, whose names are specified by the FileName argument, from the catalog database. If this switch is not specified, SignTool adds the specified catalog files to the catalog database.

/u

Configures SignTool to generate a unique name, if necessary, for a catalog file to prevent a conflict with an existing catalog file in the catalog database. If this switch is not specified, SignTool overwrites any existing catalog that has the same name as the catalog being added.

Sign operation switches

/a

Configures SignTool to automatically select the best signing certificate. If this switch is not present, SignTool expects to find only one signing certificate.

/ac CrossCertFileName

Specifies the name of a file that contains a cross-certificate to add to the signature block. The cross-certificate links the Software Publisher Certificate (SPC) selected by /n SubjectName from the store given by /s StoreName to a root that the kernel-mode code signing policy trusts. This switch should only be used if the signing certificate is an SPC.

/csp CSPName

Specifies the cryptographic service provider (CSP) that contains the private key container.

/d Desc

Specifies a description of the signed content.

/du URL

Specifies a URL for the expanded description of the signed content.

/f SignCertFile

Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported. You can use the Pvk2Pfx tool to convert SPC and PVK files to PFX format.

If the file is in PFX format protected by a password, use the /p switch to specify the password. If the file does not contain private keys, use the /csp and /kc switches to specify the CSP and private key container name, respectively.

/i IssuerName

Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.

/j DLL

Specifies the name of a DLL that provides attributes of the signature.

/jp ParameterName

Specifies a parameter that is passed to the DLL specified by the /j switch.

/kc PrivKeyContainerName

Specifies the key container name of the private key.

/n SubjectName

Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

/p Password

Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f switch.

/r RootSubjectName

Specifies the subject name of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.

/s StoreName

Specifies the name of the certificate store to open when searching for the certificate to use for signing files. If this switch is not specified, the My certificate store is opened.

/sha1 Hash

Specifies the SHA1 hash of the signing certificate.

/sm

Configures SignTool to use a machine certificate store instead of a user certificate store.

/t URL

Specifies a URL to a timestamp server. If this switch is not provided, the signed file is not timestamped. A catalog file or driver file should be timestamped: the timestamp records when the signature was made, so a signature created before the signing certificate expires or is revoked stays valid, while any signature made after a key compromise (dated after the revocation) does not.

Timestamp operation switches

/t URL

Specifies the URL of the timestamp server. The file being timestamped must have been signed previously.

Verify operation switches

/a

Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, SignTool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog.

/ad

Specifies that only the default catalog database is searched for the catalog that the file was signed in.

/as

Specifies that only the system component (driver) catalog database is searched for the catalog that the file was signed in.

/ag CatDBGUID

Specifies that only the catalog database, identified through the CatDBGUID argument, is searched for the catalog that the file was signed in.

/c CatalogFileName

Specifies the name of a catalog file.

/kp

Configures SignTool to verify that the digital signature of each of the files specified by the FileName argument complies with the kernel-mode code signing policy and the PnP device installation signing requirements of Windows Vista and later versions of Windows. If this switch is not specified, SignTool only verifies that a signature complies with the PnP device installation signing requirements.

/o Version

Verifies the file as per the operating system version. The format for the Version argument is PlatformID:VerMajor.VerMinor.BuildNumber.

/pa

Configures SignTool to verify that the digital signature of each of the files specified by the FileName argument complies with the PnP device installation signing requirements.

Note  This switch cannot be used with the catalog database switches.

/r RootSubjectName

Specifies the subject name of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.

/tw

Specifies that a warning is generated if the signature is not timestamped.

General Switches

/q

Configures SignTool to display no output on successful execution and minimal output for failed execution.

/v

Configures SignTool to display the verbose version of operation and warning messages.

/?

Configures SignTool to display help information in a command window.

FileName ...

Specifies a list of one or more file names. Depending on the command, SignTool will sign, timestamp, or verify the specified files. If the catdb command is used, SignTool will add or remove the specified files from a catalog database.

For the sign, timestamp, and verify commands, a file can be a catalog file for a driver package or a driver file.

For the catdb command, a file must be a catalog file for a driver package.

Comments

SignTool supports a large number of switches. The switches described in this topic are limited to the ones that you can use to sign or verify a driver package or driver file.

For a complete list of SignTool parameters, see the Microsoft SignTool website.

For more information about signing files, see the Microsoft Cryptography Tools website.

A 32-bit version of SignTool is located in the bin\i386 folder of the WDK. A 64-bit version of the tool is located in the bin\amd64 and bin\ia64 folders of the WDK.

Signing Examples

The following is an example of how to sign a driver package's catalog file using a Software Publisher Certificate (SPC) and a corresponding cross-certificate. This example is valid for signing a driver package for 64-bit versions of Windows Vista and later versions of Windows, which enforce the kernel-mode code signing policy. The example signs the driver package's catalog file AbcCatFileName.cat. To sign the catalog file, the example uses the cross-certificate AbcCrossCertificate and the AbcSPCCertificate certificate. The AbcSPCCertificate certificate is located in the AbcCertificateStore certificate store.

The example also uses a publicly available timestamp server to timestamp the signature. The timestamp server is provided by VeriSign and its URL is http://timestamp.verisign.com/scripts/timstamp.dll. (This VeriSign server has since been retired; substitute the timestamp server operated by your certificate's issuing CA.)


    SignTool sign /ac AbcCrossCertificate.cer /s AbcCertificateStore /n AbcSPCCertificate /t http://timestamp.verisign.com/scripts/timstamp.dll AbcCatFileName.cat

The following is an example of how to embed a signature in a driver file using an SPC and cross-certificate. All the parameters are the same as in the example that signs a catalog file, except that the file that is signed is AbcDriverFile.sys instead of the catalog file AbcCatFileName.cat.


    SignTool sign /ac AbcCrossCertificate.cer /s AbcCertificateStore /n AbcSPCCertificate /t http://timestamp.verisign.com/scripts/timstamp.dll AbcDriverFile.sys

The following is an example of how to sign a driver package's catalog file using a commercial release certificate or a test certificate. This example is valid for signing a driver package for 32-bit versions of Windows Vista and later versions of Windows, which do not enforce the kernel-mode code signing policy. The example signs the driver package's catalog file CatalogFileName.cat. The example uses the AbcTestCertificate test certificate, located in the TestCertificateStore certificate store, to sign the catalog file.

The example also uses the same publicly available VeriSign timestamp server, http://timestamp.verisign.com/scripts/timstamp.dll, to timestamp the signature.


    SignTool sign /s TestCertificateStore /n AbcTestCertificate /t http://timestamp.verisign.com/scripts/timstamp.dll CatalogFileName.cat
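The three signing commands above are one procedure in practice: sign the catalog and any embedded-signed driver file, then confirm the result before shipping. The following PowerShell script is an added example, not from the original page or the WDK, that runs the SPC plus cross-certificate signing for both files and stops on a non-zero SignTool exit code (0 is success, 1 is failure, 2 is success with warnings). The SignTool path, the cross-certificate path and the file paths are assumptions; the store name, subject name and timestamp URL are the page's own placeholders.

```powershell
# Added example (not from the original page or the WDK). Signs a driver
# package's catalog and driver file with an SPC plus cross-certificate and
# checks the result. Paths and file names are assumptions for illustration.
param(
    [string]   $SignTool  = 'C:\WinDDK\7600.16385.1\bin\amd64\signtool.exe', # assumed WDK path
    [string]   $CrossCert = 'C:\certs\AbcCrossCertificate.cer',              # assumed path
    [string]   $Store     = 'AbcCertificateStore',
    [string]   $Subject   = 'AbcSPCCertificate',
    [string]   $Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string[]] $Files     = @('C:\drv\AbcCatFileName.cat', 'C:\drv\AbcDriverFile.sys') # assumed paths
)

$ErrorActionPreference = 'Stop'
foreach ($p in @($SignTool, $CrossCert) + $Files) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

foreach ($file in $Files) {
    # /ac adds the cross-certificate to the signature block, /s and /n select the
    # SPC from the user certificate store, /t timestamps the signature so it stays
    # valid after the certificate expires or is revoked with a later date.
    & $SignTool sign /v /ac $CrossCert /s $Store /n $Subject /t $Timestamp $file
    # SignTool exit codes: 0 = success, 1 = failure, 2 = completed with warnings.
    if ($LASTEXITCODE -ne 0) {
        throw "SignTool sign failed for $file (exit code $LASTEXITCODE)"
    }

    # Confirm the new signature satisfies the kernel-mode code signing policy
    # (/kp) and carries a timestamp (/tw turns a missing timestamp into a
    # warning, which surfaces as exit code 2).
    & $SignTool verify /v /kp /tw $file
    switch ($LASTEXITCODE) {
        0       { Write-Host "OK: $file" }
        2       { throw "Signed but not timestamped: $file (timestamp server unreachable?)" }
        default { throw "Verification failed for $file (exit code $LASTEXITCODE)" }
    }
}
```

Treating exit code 2 from the /tw check as fatal is deliberate: a driver signed without a timestamp will stop verifying when the certificate expires, and a silent timestamp-server outage is the usual way that happens.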

Verifying Examples

The following is an example of how to verify that the signature of a driver package's catalog file complies with the kernel-mode code signing policy and the PnP device installation signing requirements. The example verifies the signature of the catalog file CatalogFileName.cat.


    SignTool verify /kp CatalogFileName.cat

The following is an example of how to verify that the signature of a file listed in a driver package's catalog file complies with the kernel-mode code signing policy and the PnP device installation signing requirements. The example verifies the signature of the file AbcDriverPackage.inf, which must have a thumbprint entry in the catalog file CatalogFileName.cat.


    SignTool verify /kp /c CatalogFileName.cat AbcDriverPackage.inf

The following is an example of how to verify that an embedded signature complies with the kernel-mode code signing policy on Windows Vista and later versions of Windows. The example verifies the signature that is embedded in the driver file AbcDriverFile.sys.


    SignTool verify /kp AbcDriverFile.sys

The following is an example of how to verify that the signature of a driver package's catalog file complies with the PnP device installation signing requirements. The example verifies the signature of the catalog file CatalogFileName.cat.


    SignTool verify /pa CatalogFileName.cat
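The four verify commands above check a catalog, a catalog member, an embedded signature and the PnP-only policy one file at a time. The following PowerShell script is an added example, not from the original page or the WDK, that applies those same checks across a whole driver package directory and reports SignTool's verdict per file from its exit code (0 verified, 2 verified with warnings, anything else failed). The SignTool path and the package directory are assumptions; the catalog name is the page's placeholder.

```powershell
# Added example (not from the original page or the WDK). Runs the page's
# verify checks over every file in a driver package directory. Paths are
# assumptions for illustration.
param(
    [string] $SignTool   = 'C:\WinDDK\7600.16385.1\bin\amd64\signtool.exe', # assumed WDK path
    [string] $PackageDir = 'C:\drv\AbcDriverPackage',                        # assumed path
    [string] $Catalog    = 'CatalogFileName.cat'
)

$ErrorActionPreference = 'Stop'
$catalogPath = Join-Path $PackageDir $Catalog
if (-not (Test-Path -LiteralPath $catalogPath)) { throw "Catalog not found: $catalogPath" }

function Invoke-SignToolVerify([string[]] $Switches) {
    # Returns a short verdict derived from SignTool's exit code:
    # 0 = verified, 2 = verified with warnings (e.g. /tw and no timestamp), else failed.
    & $SignTool verify @Switches | Out-Null
    switch ($LASTEXITCODE) {
        0       { 'ok' }
        2       { 'warning' }
        default { 'fail' }
    }
}

$results = @()

# 1. The catalog itself must satisfy the kernel-mode code signing policy and
#    carry a timestamp (/tw warns when it does not).
$results += [pscustomobject]@{
    File   = $Catalog
    Check  = 'catalog /kp /tw'
    Result = (Invoke-SignToolVerify @('/kp', '/tw', $catalogPath))
}

# 2. Every payload file must have a thumbprint entry in that catalog (/c), and
#    the catalog signature it is covered by must pass /kp.
foreach ($f in Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.dll, *.inf) {
    $results += [pscustomobject]@{
        File   = $f.Name
        Check  = 'member of catalog /kp'
        Result = (Invoke-SignToolVerify @('/kp', '/c', $catalogPath, $f.FullName))
    }
}

# 3. Kernel binaries may also carry an embedded signature; /pa checks only the
#    PnP device installation requirements, which is the bar for a 32-bit package.
foreach ($f in Get-ChildItem -Path $PackageDir -Recurse -Filter *.sys) {
    $results += [pscustomobject]@{
        File   = $f.Name
        Check  = 'embedded /pa'
        Result = (Invoke-SignToolVerify @('/pa', $f.FullName))
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Result -eq 'fail' })
if ($failed.Count -gt 0) { exit 1 }
```

Run it from the package's build output before the catalog is submitted or added to a catalog database; a 'warning' row for the catalog almost always means the signature was made without /t.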

Example of Adding a Catalog File to the System Component (Driver) Database

The following is an example of how to use SignTool to add the catalog file CatalogFileName.cat to the system component (driver) database. The /v switch configures SignTool to operate in verbose mode and the /u switch configures SignTool to generate a unique name for the catalog file being added, if necessary, to prevent replacing an already existing catalog file that has the same name as CatalogFileName.cat.


    SignTool catdb /v /u CatalogFileName.cat


Build date: 4/5/2012
