Signcode Tool (Compact 2013)

3/26/2014

The Signcode tool (Signcode.exe) is a command-line tool that you use to sign a file with a certificate.

Syntax

signcode [options] <filename>

Parameters

  • -spc <file>
    Specifies the public key (.spc) file that contains software publishing certificates.
  • -v <pvkFile>
    Specifies the private key (.pvk) file name that contains the private key.
  • -k <KeyName>
    Specifies the key container name.
  • -n <name>
    Specifies a text name that represents the content of the file to be signed.
  • -i <info>
    Specifies a place to get more information about content, typically a URL.
  • -p <provider>
    Specifies the name of the cryptographic provider on the system.
  • -y <type>
    Specifies the cryptographic provider type to use.
  • -ky <keytype>
    Specifies the key type, which must be either signature, exchange, or an integer.
  • -$ <authority>
    Specifies the signing authority of the certificate, which must be either individual or commercial.

    By default, Signcode.exe uses the certificate's highest permission.

  • -a <algorithm>
    Specifies the hashing algorithm for signing, which must be either md5 or sha1.

    By default, this is set to md5.

  • -t <URL>
    Specifies that the file is to be timestamped by the timestamp server at the specified http address.
  • -tr <number>
    Specifies the maximum number of timestamp trials allowed until success. By default, this is set to 1.
  • -tw <number>
    Specifies the delay, in seconds, between each timestamp trial. By default, this is set to 0.
  • -j <dllName>
    Specifies the name of the .dll file that provides an array of authenticated attributes for signing files. You can specify more than one .dll file by repeating this option.
  • -jp <param>
    Specifies the parameter to be passed to the preceding .dll file, which is specified in turn by the -j parameter. You can only use one parameter per .dll file.
  • -c <file>
    Specifies the X509 file that contains the encoded software publishing certificate.
  • -s <store>
    Specifies the certificate store that contains the signing certificate. By default, this is set to my store.
  • -r <location>
    Specifies the location of the certificate store in the registry, which must be either currentuser or localmachine.

    By default, this is set to currentuser.

  • -sp <policy>
    Sets the certificate store policy, which must be either spcStore or chain. If you specify chain, all certificates in the verification chain, including self-signed certificates, are added to the signature. If you specify spcStore, trusted, self-signed certificates are not included with the certificates in the chain that are added to the signature.

    By default, this is set to spcStore.

  • -cn <name>
    Specifies the common name of the certificate.
  • -sha1 <thumbPrint>
    Specifies the sha1 hash of the certificate.
  • -x
    Specifies that the file is timestamped, but not signed.
  • -ph
    Specifies that page hashes should be included.
  • -nph
    Specifies that page hashes should be excluded.

Note

If your private key is in a .pvk file, the options required to sign a file using an .spc file are -spc and -v. If your private key is in a registry key container, you must use -spc and -k.

Example

signcode -spc exepriv.cer -v exepriv.pvk -n "Signed using exepriv.cer" -a sha1 myapp.exe
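
The following Python check is an added example, not part of the original page or of Signcode itself: it audits signcode command lines taken from a build script against the rules documented above (allowed option values, the -spc with -v or -k requirement from the Note, the md5 default for -a, and whether a timestamp is requested). The function names, the case-insensitive comparison of option values, and the second sample command are assumptions made for illustration.

```python
import shlex

# Options from the parameter list above that are followed by a value.
VALUE_OPTS = {"-spc", "-v", "-k", "-n", "-i", "-p", "-y", "-ky", "-$", "-a", "-t",
              "-tr", "-tw", "-j", "-jp", "-c", "-s", "-r", "-sp", "-cn", "-sha1"}
# Values the page allows; comparing them case-insensitively is an assumption.
ALLOWED = {"-a": {"md5", "sha1"}, "-$": {"individual", "commercial"},
           "-r": {"currentuser", "localmachine"}, "-sp": {"spcstore", "chain"}}

def parse_signcode(cmdline):
    """Split a signcode command line into ({option: value}, target filename)."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, target, i = {}, None, 1          # tokens[0] is the tool name
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() in VALUE_OPTS and i + 1 < len(tokens):
            opts[tok.lower()] = tokens[i + 1]
            i += 2
        elif tok.startswith("-"):
            opts[tok.lower()] = True       # switch such as -x, -ph, -nph
            i += 1
        else:
            target = tok                   # the file to be signed
            i += 1
    return opts, target

def audit_signcode(cmdline):
    """Return a list of findings for one signcode invocation."""
    opts, target = parse_signcode(cmdline)
    findings = []
    for opt, allowed in ALLOWED.items():
        if opt in opts and str(opts[opt]).lower() not in allowed:
            findings.append(f"{opt} value {opts[opt]!r} is not one of {sorted(allowed)}")
    if "-x" not in opts:                   # -x only timestamps, nothing is signed
        if str(opts.get("-a", "md5")).lower() == "md5":
            findings.append("signature hash is md5 (the default when -a is omitted)")
        if "-spc" in opts and "-v" not in opts and "-k" not in opts:
            findings.append("-spc given without -v (.pvk file) or -k (key container)")
    if "-t" not in opts:
        findings.append("no -t timestamp server, so the file is not timestamped")
    if target is None:
        findings.append("no file to sign was given")
    return findings

# Constructed sample input: the page's own example, then a variant relying on defaults.
if __name__ == "__main__":
    for line in ('signcode -spc exepriv.cer -v exepriv.pvk -n "Signed using exepriv.cer" -a sha1 myapp.exe',
                 "signcode -spc exepriv.cer -r machine myapp.exe"):
        print(line, "->", audit_signcode(line))
```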

See Also

Reference

Platform Builder Command Line Tools