Signotaur Client Tool

SignotaurTool.exe is a command-line utility designed to sign files using the Signotaur service. The tool provides functionality for file signing, timestamping, and verification.

Installation

By default, the installer places the client tool in the following directory:

%Program Files%\VSoft Technologies\Signotaur\ClientTool

Alternatively, you can download SignotaurTool.exe directly from the Signotaur server home page. The tool is distributed as a self-contained executable, allowing it to be copied and used on any system without requiring additional dependencies or installation steps.

Key Features

  • File Signing: Sign files with a certificate securely stored on the Signotaur server.
  • Timestamping: Apply a trusted timestamp to signatures for long-term validity.
  • Verification: Validate existing digital signatures to ensure integrity and authenticity.
  • Batch Processing: Support for signing, timestamping, and verifying multiple files at once without requiring user interaction.

Usage

Run the tool from the command line using the following syntax:

SignotaurTool.exe [options] <COMMAND>

Global Options

  • --help Displays help information, including usage instructions and available commands.

  • --theme <Theme> Sets the console color theme. Valid values: General (default), Dark, Light, None. Can also be configured via %USERPROFILE%\.signotaur\config.json.

  • --no-color (or --no-colour, --nc) Disables colored console output. Useful for CI/CD systems or when color codes cause display issues. Overrides the --theme option.

  • --encoding <Encoding> Specifies console output encoding. Valid values: UTF8 (default), UTF16, OEMCodePage, or CodePage### where ### is a code page number. Can also be configured via config file.

  • --nb Hides the banner output. Useful for scripting or logging where you want clean output without version information.

Commands

sign

Signs one or more files using a certificate stored on the Signotaur server. This command can optionally also timestamp and verify the signatures. For details about parameters and options, see the Sign Command Documentation.

Example:

SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 file1.exe file2.dll

timestamp

Adds a timestamp to an existing digital signature on one or more files. For more details, see the Timestamp Command Documentation.

Example:

SignotaurTool.exe timestamp --tr <TimeStampServer> --fb <FallbackTimeStampServer> --fb <FallbackTimeStampServer2> --td SHA256 file1.exe file2.dll

verify

Verifies the integrity and authenticity of an existing digital signature on one or more files. For detailed usage, see the Verify Command Documentation.

Example:

SignotaurTool.exe verify file1.exe file2.dll
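
The sign and verify commands combined into a fail-closed CI step, as an added example that is not part of the Signotaur documentation. The environment variable names, the artifacts folder and the assumption that the tool returns a non-zero exit code on failure are hypothetical; the options used are the ones shown on this page.

```powershell
# Added example: sign build outputs, then verify them, and stop the build on any failure.
# Assumptions (not from the Signotaur docs): the SIGNOTAUR_* variable names, the
# .\artifacts folder, and that a non-zero exit code means the command failed.
$ErrorActionPreference = 'Stop'

$tool       = 'SignotaurTool.exe'                # assumed to be on PATH
$signServer = 'https://signotaur.example.com'    # placeholder URL used on this page

# Secrets and identifiers come from the CI secret store, not from the script itself.
$required = 'SIGNOTAUR_API_KEY', 'SIGNOTAUR_THUMBPRINT', 'SIGNOTAUR_TIMESTAMP_URL'
foreach ($name in $required) {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        throw "Required environment variable $name is not set."
    }
}
$apiKey     = $env:SIGNOTAUR_API_KEY
$thumbprint = $env:SIGNOTAUR_THUMBPRINT
$tsServer   = $env:SIGNOTAUR_TIMESTAMP_URL

# Collect the binaries to sign; an empty list is treated as a build error.
$files = @(Get-ChildItem -Path '.\artifacts' -Include *.exe, *.dll -Recurse -File |
           Select-Object -ExpandProperty FullName)
if ($files.Count -eq 0) {
    throw 'No files found to sign under .\artifacts.'
}

# --nb and --no-color keep the CI log free of banner text and color codes.
& $tool --nb --no-color sign -a $apiKey -s $signServer -t $thumbprint `
    --tr $tsServer --td SHA256 @files
if ($LASTEXITCODE -ne 0) {
    throw "SignotaurTool sign failed with exit code $LASTEXITCODE."
}

# Verify every signed file before the artifacts are published.
& $tool --nb --no-color verify @files
if ($LASTEXITCODE -ne 0) {
    throw "SignotaurTool verify failed with exit code $LASTEXITCODE."
}

Write-Host "Signed and verified $($files.Count) file(s)."
```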

update

Checks for and installs updates of the Signotaur client tool itself from the Signotaur server. For details about parameters and options, see the Update Command Documentation.

Example:

SignotaurTool.exe update --sign-server https://signotaur.example.com

auth set-key

Securely stores an API key for use with SignotaurTool commands. This command allows you to bootstrap API key storage from various sources (stdin, environment variables, or direct input) and optionally verify the key with the server before storing it. For details about parameters and options, see the Auth Command Documentation.

Example:

echo "your-api-key" | SignotaurTool.exe auth set-key --from-stdin --write-key-file %USERPROFILE%\.signotaur\api_key.txt

rotate-key

Enables seamless API key rotation with overlapping validity periods. This allows you to update API keys in CI/CD systems without downtime - both the old and new keys remain valid during a configurable overlap period, after which the old key can be automatically revoked. For details about parameters and options, see the Rotate Key Command Documentation.

Example:

SignotaurTool.exe rotate-key --api-key-file %USERPROFILE%\.signotaur\api_key.txt -s https://signotaur.example.com --write-key-file %USERPROFILE%\.signotaur\api_key.txt

config

Manages client configuration settings stored in %USERPROFILE%\.signotaur\config.json. This allows you to set default values for commonly used options (API keys, server URLs, console themes) without needing to specify them on every command invocation. For details about subcommands and options, see the Config Command Documentation.

Subcommands:

  • init - Create default config file
  • set - Set a configuration value
  • get - Get a configuration value
  • show - Display entire configuration
  • path - Show config file path
  • unset - Remove a configuration value

Examples:

# Create config file
SignotaurTool.exe config init

# Set server URL
SignotaurTool.exe config set signServer "https://signotaur.example.com"

# Set console theme
SignotaurTool.exe config set theme "Dark"

# View configuration
SignotaurTool.exe config show

Additional Resources

  • Migrating from Signtool to SignotaurTool: Learn how to transition from using Microsoft's signtool.exe to SignotaurTool.exe.

Troubleshooting

If you encounter issues, ensure the following:

  1. The Signotaur service is running and accessible.
  2. The correct credentials and permissions are configured for accessing the Signotaur server.
  3. Files to be signed are not in use or locked by another application.
  4. If you are using a self-signed certificate on the server, ensure that you are specifying the --allow-untrusted option on the command line.

System Requirements

  • Operating System: Windows 10 or Windows Server 2016 (or later)
  • Network: Access to the Signotaur server.