Signotaur Sign Action

The Signotaur Sign action allows you to sign files using the Signotaur service. This action provides various options to configure the signing process, including specifying the files to be signed, the signing server, and the signature details.

The Signotaur Sign action in Continua is a wrapper around the Signotaur client tool command line. If you're having trouble using the Signotaur Sign action, please refer to the Command Line Reference.

Signotaur Sign

Signotaur Sign action - Main tab

Name

A friendly name for this action (will be displayed in the actions workflow area).

Enabled

Determines if this action will be run within the relevant stage.

Working Folder

The folder where the files to be signed are located. This can be an absolute path or a path relative to the build workspace.

Files

Specify the file(s) to be signed. You can specify an exact file path or you can use ANT pattern matching to specify multiple files. Each file path or pattern must be entered on a new line. You can exclude files by prefixing the file name or pattern with a dash. e.g -*.ignore. Exclude patterns always take precedence over include patterns.

More information about pattern wild cards can be found on the Ant Pattern Usage page.

List File

The path to a text file containing a list of files to sign. This is helpful for signing multiple files at once without specifying each one in the command line. *[--file-list]

Using

The Using drop down is populated with any property collector whose namespace matches the pattern defined by the Signotaur action. The pattern for this action is ^SignotaurTool(?:\.|$). If you create a property collector for this action, make sure you select the Path Finder PlugIn type and give it a name that will match the pattern above. For more in-depth explanations on property collectors see Property Collectors.

Alternatively, you can select the Custom option from the Using drop down list and specify a path in the resulting input field that will be displayed. Please read Why it's a good idea to use a property collector before using this option.

Server

Signotaur Sign action - Server tab

Signing Server URL

The URL of the Signotaur server that will handle the signing operation. This must be a valid HTTPS URL. [--sign-server]

API Key

The API key required to authenticate with the Signotaur service. You can obtain this API key from your profile on Signotaur server. [--api-key]

Allow untrusted server SSL certificate

Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution, as it may expose you to security risks. [--allow-untrusted]

Request Timeout

The request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on the number of files. [--request-timeout]

Certificate

Signotaur Sign action - Certificate tab

Thumbprint

The thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate. [--thumbprint]

Subject

The certificate subject. Either subject or thumbprint is required to identify the signing certificate. [--subject]

Additional Certificates

Additional X509 certificates to add to the signature block. Specify one certificate file path per line. This is useful for including intermediate or root certificates that may be necessary for validation. [--additional-certs]

Signature

Signotaur Sign action - Signature tab

File Digest Algorithm

The file digest algorithm to use for creating file signatures. Options are: SHA 256, SHA 384 and SHA 512. The default is SHA 256. [--file-digest]

Description

A description of the signed content. This description will be embedded in the signature and should provide context about the content being signed. [--description]

Description URL

A URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files. [--description-url]

Generate page hashes for executable files

This is useful for ensuring the integrity of the executable's pages and can help detect tampering. Page hashing is only supported for executable files that have a valid PE header. This option will be ignored for files that do not meet this criteria.

The options are Yes, No or Default. If Default is specified, the system’s current configuration for page hashing will be used. If not explicitly configured, the default behaviour is to exclude page hashes. This setting is influenced by system-wide policies or defaults, such as those set by the WintrustSetDefaultIncludePEPageHashes function. [--page-hashing | --no-page-hashing]

Append the signature to the file

If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures. [--append-signature]

Application Name

The name of the application or product (used only when signing ClickOnce and VSTO manifests). [--application-name]

Verification

Signotaur Sign action - Signature tab

Verify the signing certificate chain before signing

When enabled, the action checks that each certificate in the chain is valid and issued by a trusted authority. This also enables the Revocation Check Mode and optionally Ignore untrusted root settings. [--verify-cert-chain]

Revocation Check Mode

Specifies how to check for certificate revocation when verifying the certificate chain. This ensures that no certificate in the chain has been revoked. [--revocation-mode]

Options:

  • Online – Perform live checks against Certificate Revocation Lists (CRL) and OCSP servers (default).
  • Offline – Use only cached CRL/OCSP information (faster if network access is restricted).
  • NoCheck – Skip revocation checking entirely (higher risk).

This option is only available when Verify Certificate Chain is enabled.

Ignore untrusted root

Ignore errors caused by an untrusted or self-signed root certificate when verifying the certificate chain. Useful when signing with a private or internal CA. [--ignore-untrusted-root] This option is only available when Verify Certificate Chain is enabled.

Verify

Verify the signature after signing to ensure it is valid. [--verify]

Timestamp

Signotaur Sign action - Timestamp tab

Timestamp Server URL

The URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails. [--timestamp-server]

Timestamp Digest Algorithm

The digest algorithm used by the RFC 3161 timestamp server. This option is required if the Timestamp Server URL is provided. [--timestamp-digest]

Fallback Timestamp Server URL(s)

One or more URLs for RFC 3161-compliant timestamp servers to use as fallbacks if the primary timestamp server fails. Specify one server URL per line. [--fallback-timestamp-server]

Separate timestamping step after signing

Run a separate timestamping step after signing. Only applicable if a primary timestamp server is specified and no fallback servers are provided. [--separate-timestamp]

Settings

Signotaur Sign action - Settings tab

Skip any files that have been previously signed

Skip signing files that have already been signed. [--skip-signed]

Continue on failure

Continue signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failure. [--continue-on-fail]

Max Degree Of Parallelism

The maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine. [--max-degree-of-parallelism]

Automatically check for and install updates before signing

If an update is installed, the updated version is restarted with the same command line arguments, excluding this argument. [--auto-self-update]

Update Mode

Controls how the Automatically check for and install updates before signing feature determines when to update the Signotaur client. [--update-mode]

Options:

  • SourceHash – Update only when the source code hash changes (default).
  • Version – Update whenever a new version is available.

Visible only when Automatically check for and install updates before signing is enabled.

Options

Signotaur Sign action - Options tab

Verbose logging

Log detailed output of the signing process. [--verbose]

No banner

Hide the banner for a clean log output. [--no-banner]

Timeout (in seconds)

How long to wait for the action to finish running before timing out. Leaving this blank (or zero) will default to 86400 seconds (24 hours).

Treat failure as warning

Tick to continue build on failure marking the action with a warning status.

Ignore warnings

If this is ticked, any warnings logged will not mark the action with a warning status.

Environment

Signotaur Sign action - Environment tab

Environment Variables

Multiple environment variables can be defined - one per line. These are set before the command line is run.

Log environment variables

If this is ticked, environment variable values are written to the build log.

Generate system environment variables

Tick this checkbox to set up a list of new environment variables prefixed with 'ContinuaCI.' for all current system expression objects and variables.

Mask sensitive variable values in system environment variables

This checkbox is visible only if the 'Generate system environment variables' checkbox is ticked.

If this is ticked, the values of any variables marked as sensitive will be masked with **** when setting system environment variables. Clear this to expose the values.