Sign Tool (SignTool.exe) 

The Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.

Note

The Sign Tool is not supported on Microsoft Windows NT, Windows Me, Windows 98, or Windows 95.

signtool [command] [options] [file_name | ...]

Parameters

Argument Description

command

One of the command flags that specifies an operation to perform on a file.

options

One of the option flags that modifies a command flag.

file_name

The path to a file to sign.

The following commands are supported by Sign Tool.

Command Description

catdb

Adds or removes a catalog file to or from a catalog database.

sign

Digitally signs files.

signwizard

Launches the signing wizard. Only a single file can be specified for the file name command-line argument.

timestamp

Time stamps files.

verify

Verifies the digital signature of files.

The following options apply to the catdb ** command.

Catdb option Description

/d

Specifies that the default catalog database is updated. If neither the /d nor /g option is used, Sign Tool updates the system component and driver database.

/g GUID

Specifies that the catalog database identified by the globally unique identifier (GUID) is updated.

/r

Removes the specified catalog from the catalog database. If this option is not specified, Sign Tool will add the specified catalog to the catalog database.

/u

Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files will be renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool will overwrite any existing catalog that has the same name as the catalog being added.

Note

 Catalog databases are used for automatic lookup of catalog files.

The following options apply to the ** sign ** command.

Sign option Description

/a

Automatically selects the best signing certificate. If this option is not present, Sign Tool expects to find only one valid signing certificate.

/c CertTemplateName

Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.

/csp CSPName

Specifies the cryptographic service provider (CSP) that contains the private key container.

/d Desc

Specifies a description of the signed content.

/du URL

Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.

/f SignCertFile

Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the CSP and private key container name, respectively.

/i IssuerName

Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.

/k PrivKeyContainerName

Specifies the private key container name.

/n SubjectName

Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

/p Password

Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f option.

/r RootSubjectName

Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.

/s StoreName

Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.

/sha1 Hash

Specifies the SHA1 hash of the signing certificate.

/sm

Specifies that a computer store, instead of a user store, is used.

/t URL

Specifies the URL of the time stamp server. If this option is not present, the signed file will not be time stamped. A warning is generated if time stamping fails.

/u Usage

Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).

The following option applies to the ** timestamp command.

Timestamp option Description

/t URL

Required. Specifies the URL of the time stamp server. The file being time stamped must have previously been signed.

The following options apply to the verify command.

Sign option Description

/a

Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of files that may or may not be signed include Windows files or drivers.

/ad

Finds the catalog using the default catalog database.

/as

Finds the catalog using the system component (driver) catalog database.

/ag CatDBGUID

Finds the catalog in the catalog database identified by the GUID.

/c CatFile

Specifies the catalog file by name.

/o Version

Verifies the file by operating system version. The version parameter is of the form: PlatformID:VerMajor.VerMinor.BuildNumber

/pa

Specifies that the Default Authentication Verification Policy is used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.

/pg PolicyGUID

Specifies a verification policy by GUID. The GUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options.

/r RootSubjectName

Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.

/tw

Specifies that a warning is generated if the signature is not time stamped.

The following options apply to all Sign Tool commands.

Global option Description

/q

No output on successful execution and minimal output for failed execution.

/v

Verbose output for successful execution, failed execution, and warning messages.

Remarks

Sign Tool requires that the CAPICOM 2.0 redistributable be installed on the local computer. The CAPICOM 2.0 redistributable is available from https://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdkredist.htm.

The Sign Tool verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.

Sign Tool returns an exit code of zero for successful execution, one for failed execution, and two for execution that completed with warnings.

Examples

The command demonstrates how to sign a file automatically using the best certificate.

signtool sign /a MyFile.exe

See Also

Reference

.NET Framework Tools
SDK Command Prompt