SignotaurTool.exe
is a command-line tool used to sign files using the Signotaur service. By default, the installer places the client tool in the %Program Files%\VSoft Technologies\Signotaur\ClientTool
folder. It can also be downloaded directly from the Signotaur server home page. The tool is a self-contained executable, meaning it can be copied and used on any system without the need for installation. The client tool can sign multiple files at once without any requirement for user interaction.
SignotaurTool.exe [options] <files>
A list of file paths to sign. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:
*
: Matches zero or more characters within a file name. For example, *.exe
will match all executable files in the specified directory.?
: Matches a single character. For instance, file?.dll
will match file1.dll
, file2.dll
, but not file12.dll
.**
: Indicates a recursive search across all subdirectories. For example, **/*.exe
will match all .exe
files found in the current directory and all its subdirectories.Examples:
*.exe
: Matches all executable files in the specified directory.C:\Projects\**\*.dll
: Matches all dynamic link library files in the C:\Projects
directory and any of its subdirectories.C:\MyFiles\file?.exe
: Matches any executable files that start with "file" followed by a single character.Notes:
--file-list
option to specify the path to a file containing the list of file paths.-a, --api-key <APIKey>
Required. Specifies the Signotaur API key needed to authenticate with the Signotaur service.
-s, --sign-server <URL>
Required. Specifies the URL of the Signotaur server that will handle the signing operation.
-t, --thumbprint <Thumbprint>
Specifies the certificate thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate.
--sb, --subject <Subject>
Specifies the certificate subject. Either subject or thumbprint is required to identify the signing certificate.
-d, --description <Description>
Specifies a description of the signed content. This description will be embedded in the signature and should provide context about the content being signed.
--du, --description-url <URL>
Specifies a URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files.
--fd, --file-digest <Algorithm>
Required. Specifies the file digest algorithm to use for creating file signatures. Supported algorithms include: SHA256
, SHA384
, SHA512
.
--ph, --page-hashing
Enables the generation of page hashes for executable files if supported by the file type. This is useful for ensuring the integrity of the executable's pages and can help detect tampering.
--nph, --no-page-hashing
Suppresses the generation of page hashes for executable files if supported. Use this option if you do not want to include page hashes in the signature.
--tr, --timestamp-server <TimeStampServer>
Specifies the URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails.
--td, --timestamp-digest <DigestAlgorithm>
Specifies the digest algorithm used by the RFC 3161 timestamp server. This option is required if the --tr
option is provided. Supported algorithms include SHA256
, SHA384
, and SHA512
.
--ac, --additional-certs <CertList>
Adds additional certificates from file paths to the signature block. You can provide a comma-separated list of certificate file paths. This is useful for including intermediate or root certificates that may be necessary for validation.
--as, --append-signature
Appends this signature to the file. If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures.
-m, --max-degree-of-parallelism <MDOP>
Specifies the maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine.
--fl, --file-list <FileName>
Specifies the path to a file containing a list of file paths to sign. This is helpful for signing multiple files at once without specifying each one in the command line. Each line in the file should contain one file path, and you can use wildcards (e.g., *
, ?
, **
) to match multiple files. The tool will interpret each path just as it does for the Files
parameter. Ensure that the file is correctly formatted with one path per line to avoid processing errors.
--continue-on-fail
Continues signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failures.
--allow-untrusted
Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution, as it may expose you to security risks.
--nb, --no-banner
Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.
-v, --verbose
Enables verbose logging for the signing operation, providing detailed output of the signing process, which can be useful for debugging.
--request-timeout <TimeoutInSeconds>
Specifies the request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on number of files
--skip-signed
Skips any files that have been previously signed.
--help
Displays help information and usage instructions for the tool.
Sign files with a specified API key and server URL:
SignotaurTool.exe -a <APIKey> -s <SignServer> file1.exe file2.dll
Sign files with a thumbprint and timestamping:
SignotaurTool.exe -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> file1.exe file2.dll
Sign multiple files with page hashing and parallelism:
SignotaurTool.exe -a <APIKey> -s <SignServer> --ph -m 8 file1.exe file2.dll
The following exit codes indicate the result of the operation performed by SignotaurTool.exe:
0 (Success): The operation completed successfully without any errors.
1 (NotFound): One or more specified files were not found. Ensure that the file paths provided are correct.
2 (Aborted): The operation was aborted by the user or due to an unrecoverable error during execution.
3 (AccessDenied): The operation could not be completed due to insufficient permissions. Check that you have the necessary access rights for the files or directories involved.
4 (Failure): A general failure occurred during the operation. The specifics of the error are logged as a message.
5 (InvalidHandle): An invalid handle was encountered. This usually indicates a problem with a resource that was expected to be valid but is not.
6 (InvalidArgument): One or more arguments provided to the command are invalid. Verify the input parameters and their formats.
7 (NoInterface): The requested interface is not available. This typically indicates an issue with the underlying implementation.
8 (NotImplemented): The requested feature or operation has not been implemented.
9 (OutOfMemory): The operation could not be completed due to insufficient memory. Try closing other applications or freeing up system resources.
10 (InvalidPointer): An invalid pointer was encountered. This suggests that a reference to an object or memory location was not valid.
11 (UnexpectedFailure): An unexpected failure occurred, which is not classified under the other exit codes. This usually indicates a bug or an unforeseen issue.
12 (AdditionalCertNotFound): One or more additional certificates specified for signing were not found. Ensure the paths to the certificates are correct.
13 (FileListError): An error occurred while processing the file list. This may indicate issues with the format or accessibility of the file list provided.
14 (UnknownResult): The result of the operation is unknown. This could occur if the operation was not completed properly or if an unexpected state was encountered.
Server Connection Issues:
Signotaur server URL
is reachable.--allow-untrusted
.Certificate Not Found:
File Signing Errors: