The Signotaur Sign action allows you to sign files using the Signotaur service. This action provides various options to configure the signing process, including specifying the files to be signed, the signing server, and the signature details.
The Signotaur Sign action in Continua is a wrapper around the Signotaur client tool command line. If you're having trouble using the Signotaur Sign action, please refer to the Command Line Reference.
A friendly name for this action (will be displayed in the actions workflow area).
Determines if this action will be run within the relevant stage.
The folder where the files to be signed are located. This can be an absolute path or a path relative to the build workspace.
Specify the file(s) to be signed. You can specify an exact file path or you can use ANT pattern matching to specify multiple files. Each file path or pattern must be entered on a new line. You can exclude files by prefixing the file name or pattern with a dash, e.g. -*.ignore. Exclude patterns always take precedence over include patterns.
More information about pattern wild cards can be found on the Ant Pattern Usage page.
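The include/exclude rules described above, as an added example that is not part of Continua's or Signotaur's own code: it implements the Ant wildcard semantics (`**` spans directories, `*` and `?` stay within one path segment), reads one pattern per line, treats a leading dash as an exclusion, and lets exclusions win over inclusions regardless of their order. The sample file list is constructed for illustration.

```python
import re
from typing import List, Tuple

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate one Ant-style pattern into an anchored, case-insensitive regex.
    '**/' matches zero or more whole directories, a trailing '**' matches anything,
    '*' matches any run of characters inside one segment and '?' one character.
    Backslashes are normalised to '/' so Windows paths behave the same."""
    pat = pattern.replace("\\", "/").lstrip("/")
    out, i = [], 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more directory segments
            i += 3
        elif pat.startswith("**", i):
            out.append(".*")         # anything, including separators
            i += 2
        elif pat[i] == "*":
            out.append("[^/]*")      # stays within a single segment
            i += 1
        elif pat[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def parse_spec(spec: str) -> Tuple[List[re.Pattern], List[re.Pattern]]:
    """Split a multi-line pattern list into include and exclude regexes."""
    includes, excludes = [], []
    for line in spec.splitlines():
        line = line.strip()
        if not line:
            continue
        (excludes if line.startswith("-") else includes).append(
            ant_to_regex(line.lstrip("-")))
    return includes, excludes

def select_files(spec: str, candidates: List[str]) -> List[str]:
    """Return the candidate paths (relative to the source folder) that are
    matched by an include pattern and not by any exclude pattern."""
    includes, excludes = parse_spec(spec)
    chosen = []
    for path in candidates:
        norm = path.replace("\\", "/").lstrip("/")
        if any(x.match(norm) for x in excludes):
            continue                 # exclusions always take precedence
        if any(inc.match(norm) for inc in includes):
            chosen.append(path)
    return chosen
```
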
The path to a text file containing a list of files to sign. This is helpful for signing multiple files at once without specifying each one in the command line. *[--file-list]
The Using drop down is populated with any property collector whose namespace matches the pattern defined by the Signotaur action. The pattern for this action is ^SignotaurTool(?:\.|$). If you create a property collector for this action, make sure you select the Path Finder PlugIn type and give it a name that will match the pattern above. For more in-depth explanations on property collectors see Property Collectors.
Alternatively, you can select the Custom option from the Using drop down list and specify a path in the resulting input field that will be displayed. Please read Why it's a good idea to use a property collector before using this option.
The URL of the Signotaur server that will handle the signing operation. This must be a valid HTTPS URL. [--sign-server]
The API key required to authenticate with the Signotaur service. You can obtain this API key from your profile on the Signotaur server. [--api-key]
Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution: it disables TLS certificate validation for the connection to the signing server, so the API key and the files sent for signing are no longer protected against interception. [--allow-untrusted]
The request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on the number of files. [--request-timeout]
The thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate. [--thumbprint]
The certificate subject. Either subject or thumbprint is required to identify the signing certificate. [--subject]
Additional X509 certificates to add to the signature block. Specify one certificate file path per line. This is useful for including intermediate or root certificates that may be necessary for validation. [--additional-certs]
The file digest algorithm to use for creating file signatures. Options are: SHA 256, SHA 384 and SHA 512. The default is SHA 256. [--file-digest]
A description of the signed content. This description will be embedded in the signature and should provide context about the content being signed. [--description]
A URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files. [--description-url]
Including page hashes in the signature is useful for ensuring the integrity of the executable's pages and can help detect tampering. Page hashing is only supported for executable files that have a valid PE header. This option will be ignored for files that do not meet this criterion.
The options are Yes, No or Default. If Default is specified, the system’s current configuration for page hashing will be used. If not explicitly configured, the default behaviour is to exclude page hashes. This setting is influenced by system-wide policies or defaults, such as those set by the WintrustSetDefaultIncludePEPageHashes function. [--page-hashing | --no-page-hashing]
Append this signature to any signatures already present on the file instead of replacing them. If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures. [--append-signature]
The name of the application or product (used only when signing ClickOnce and VSTO manifests). [--application-name]
When enabled, the action checks that each certificate in the chain is valid and issued by a trusted authority. This also enables the Revocation Check Mode and optionally Ignore untrusted root settings. [--verify-cert-chain]
Specifies how to check for certificate revocation when verifying the certificate chain. This ensures that no certificate in the chain has been revoked. [--revocation-mode]
Options:
This option is only available when Verify Certificate Chain is enabled.
Ignore errors caused by an untrusted or self-signed root certificate when verifying the certificate chain. Useful when signing with a private or internal CA. [--ignore-untrusted-root] This option is only available when Verify Certificate Chain is enabled.
Verify the signature after signing to ensure it is valid. [--verify]
The URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails. [--timestamp-server]
The digest algorithm used by the RFC 3161 timestamp server. This option is required if the Timestamp Server URL is provided. [--timestamp-digest]
One or more URLs for RFC 3161-compliant timestamp servers to use as fallbacks if the primary timestamp server fails. Specify one server URL per line. [--fallback-timestamp-server]
Run a separate timestamping step after signing. Only applicable if a primary timestamp server is specified and no fallback servers are provided. [--separate-timestamp]
Skip signing files that have already been signed. [--skip-signed]
Continue signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failure. [--continue-on-fail]
The maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine. [--max-degree-of-parallelism]
If an update is installed, the updated version is restarted with the same command line arguments, excluding this argument. [--auto-self-update]
Controls how the Automatically check for and install updates before signing feature determines when to update the Signotaur client. [--update-mode]
Options:
Visible only when Automatically check for and install updates before signing is enabled.
Log detailed output of the signing process. [--verbose]
Hide the banner for a clean log output. [--no-banner]
How long to wait for the action to finish running before timing out. Leaving this blank (or zero) will default to 86400 seconds (24 hours).
Tick to continue the build on failure, marking the action with a warning status.
If this is ticked, any warnings logged will not mark the action with a warning status.
Multiple environment variables can be defined - one per line. These are set before the command line is run.
If this is ticked, environment variable values are written to the build log.
Tick this checkbox to set up a list of new environment variables prefixed with 'ContinuaCI.' for all current system expression objects and variables.
This checkbox is visible only if the 'Generate system environment variables' checkbox is ticked.
If this is ticked, the values of any variables marked as sensitive will be masked with **** when setting system environment variables. Clear this to expose the values.