
SignFile Task

Signs the specified file using the specified certificate.

The following table describes the parameters of the SignFile task.

| Parameter | Description |
| --- | --- |
| CertificateThumbprint | Required String parameter. Specifies the certificate to use for signing. This certificate must be in the current user's personal store. |
| SigningTarget | Required ITaskItem parameter. Specifies the files to sign with the certificate. |
| TimestampUrl | Optional String parameter. Specifies the URL of a time stamping server. |

In addition to the parameters listed above, this task inherits parameters from the Task class. For a list of these additional parameters and their descriptions, see Task Base Class.

The following example uses the SignFile task to sign the files specified in the FilesToSign item collection with the certificate specified by the Certificate property.

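<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

    <ItemGroup>
        <FilesToSign Include="File.exe" />
    </ItemGroup>

    <PropertyGroup>
        <!-- Placeholder: replace with the SHA-1 thumbprint of a certificate
             in the current user's personal store. -->
        <Certificate>PLACEHOLDER_SHA1_THUMBPRINT</Certificate>
    </PropertyGroup>

    <Target Name="Sign">
        <!-- CertificateThumbprint takes a thumbprint, not a certificate file path. -->
        <SignFile
            CertificateThumbprint="$(Certificate)"
            SigningTarget="@(FilesToSign)" />
    </Target>

</Project>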
Note

The certificate thumbprint is the SHA1 hash of the certificate. For more information, see Obtain the SHA-1 Hash of a Trusted Root CA Certificate.
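
The following is an added example, not part of the original documentation. It extends the SignFile sample with the optional TimestampUrl parameter, a fail-fast check for a missing thumbprint, and a verification step after signing. The property names CertificateThumbprint and TimestampUrl, the timestamp server address, and the assumption that signtool.exe is on the PATH are choices made for this illustration.

```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

    <ItemGroup>
        <FilesToSign Include="File.exe" />
    </ItemGroup>

    <PropertyGroup>
        <!-- Placeholder: replace with the address of your time stamping server. -->
        <TimestampUrl>http://timestamp.example.com</TimestampUrl>
    </PropertyGroup>

    <Target Name="Sign">
        <!-- Assumption: the thumbprint is supplied at build time, for example
             msbuild /t:Sign /p:CertificateThumbprint=THUMBPRINT
             so that it is not fixed in the project file. -->
        <Error Condition="'$(CertificateThumbprint)' == ''"
               Text="CertificateThumbprint is not set; refusing to continue without signing." />

        <!-- Sign with the certificate from the current user's personal store
             and request a timestamp from the configured server. -->
        <SignFile
            CertificateThumbprint="$(CertificateThumbprint)"
            SigningTarget="@(FilesToSign)"
            TimestampUrl="$(TimestampUrl)" />

        <!-- Fail the build if the Authenticode signature does not validate.
             Exec treats a non-zero exit code from signtool.exe as an error. -->
        <Exec Command="signtool.exe verify /pa &quot;%(FilesToSign.FullPath)&quot;" />
    </Target>

</Project>
```
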

The following example uses the Exec task to sign the files specified in the FilesToSign item collection with the certificate specified by the Certificate property. You can use this to sign Windows Installer files during the build process.

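<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

    <ItemGroup>
        <FilesToSign Include="File.msi" />
    </ItemGroup>

    <PropertyGroup>
        <!-- signtool.exe /f combined with /p expects a password-protected PFX file. -->
        <Certificate>Cert.pfx</Certificate>
    </PropertyGroup>

    <Target Name="Sign">
        <!-- CertificatePassword is a placeholder property; supply it at build time
             instead of storing the password in the project file. -->
        <Exec Command="signtool.exe sign /f &quot;$(Certificate)&quot; /p &quot;$(CertificatePassword)&quot; &quot;%(FilesToSign.FullPath)&quot;" />
    </Target>

</Project>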
Community Content
SignFile needs to support additional parameters.
It would be better if this task could use a PFX and have the following parameters:
CertificatePath -> path to file on disk.
CertificatePassword -> password.
ForceSign -> Option to force sign.
TimestampUrl
SigningTarget
DisplayName -> You can sign an executable with the /d flag and give it a friendly name that is displayed to the user.
Additional signtool params
The task should be extended to support additional signtool parameters:
e.g.
signtool.exe /n "Name" /d "Description" /du "Url"
SignFile will only Sign PE files and XML manifests
It should be noted that SignFile can only be used to digitally sign PE files and/or associated XML manifest files. PE files include: DLLs, EXEs, etc.

SignFile will throw a System.NullReferenceException when you attempt to sign other filetypes:
Cabinet (.cab)
Windows Installer (.msi;.msp;.mst)
VBScript / Windows Script Host (.vbs;.wsf)
PowerShell Scripts (.ps1;.psm1;.psd1)

This happens despite these filetypes having the appropriate SIP (Subject Interface Package) packages to support digital signatures in Windows. However, signtool.exe has been implemented correctly and should be used instead.