Config command

The config command provides a convenient way to manage client configuration settings. This allows you to set default values for commonly used options (server URLs, display preferences) without needing to specify them on every command invocation.

Configuration File Location

The configuration file is stored at: %USERPROFILE%\.signotaur\config.json (use config path to confirm)

Configuration Priority

When SignotaurTool resolves a setting, it follows this priority order (highest to lowest):

  1. Command-line arguments (e.g., --thumbprint, --theme)
  2. Environment variables (only SIGNOTAUR_SERVER is supported)
  3. Configuration file (config.json)
  4. Default values

This means command-line arguments always override config file settings.

Note: API keys are not configuration settings and are handled separately via the SIGNOTAUR_API_KEY environment variable or the Auth Command. See Security Considerations below.

Supported Configuration Keys

The following keys can be managed via the config command:

Key Type Description
signServer string Default Signotaur server URL
thumbprint string Default certificate thumbprint
label string Default certificate label
subject string Default certificate subject
encoding string Console output encoding (UTF8, UTF16, OEMCodePage, CodePage###)
theme string Console color theme (General, Dark, Light, None)
noColor boolean Disable coloured output (true or false)
allowUntrusted boolean Allow connecting to servers with untrusted/invalid certificates (true or false)

Certificate Selector Priority

When specifying a certificate, you can use thumbprint, label, or subject. These selectors follow specific priority rules:

Command line vs Config file:

  • If ANY certificate selector is provided on the command line (--thumbprint, --label, or --subject), ALL selectors from the config file are ignored
  • This ensures explicit command-line choices always take full precedence

Within config file (when no command-line selector is provided):

  • thumbprint (highest priority - exact match)
  • label (medium priority)
  • subject (lowest priority)

Example: If your config file has both thumbprint and label set, and you run:

SignotaurTool.exe sign --label "my-cert" ...

The --label from the command line will be used, and the thumbprint from the config file will be ignored.

Commands

config init

Creates a default (empty) configuration file with secure permissions.

Usage:

SignotaurTool.exe config init [options]

Options:

  • --force

    Overwrite existing config file if one already exists.

Examples:

# Create config file
SignotaurTool.exe config init

# Overwrite existing config file
SignotaurTool.exe config init --force

config set

Sets a configuration value. Creates the config file if it doesn't exist.

Usage:

SignotaurTool.exe config set <key> <value>

Arguments:

  • <key> (required): Configuration key name (case-insensitive)
  • <value> (required): Value to set

Examples:

# Set server URL
SignotaurTool.exe config set signServer "https://signotaur.example.com"

# Set certificate thumbprint
SignotaurTool.exe config set thumbprint "A1B2C3D4E5F6789012345678901234567890ABCD"

# Set certificate label
SignotaurTool.exe config set label "my-code-signing-cert"

# Set console theme
SignotaurTool.exe config set theme "Dark"

# Disable coloured output
SignotaurTool.exe config set noColor true

# Set output encoding
SignotaurTool.exe config set encoding "UTF8"

# Allow untrusted server certificates (development/testing only)
SignotaurTool.exe config set allowUntrusted true

Notes:

  • For boolean values (noColor, allowUntrusted), the value must be true or false (case-insensitive).
  • Key names are case-insensitive (e.g., signserver, SignServer, and SIGNSERVER are all valid).
  • Setting a value overwrites any existing value for that key.

config get

Retrieves a single configuration value. Useful for scripting.

Usage:

SignotaurTool.exe config get <key>

Arguments:

  • <key> (required)

    Configuration key name (case-insensitive)

Examples:

# Get server URL
SignotaurTool.exe config get signServer

# Get theme setting
SignotaurTool.exe config get theme

# Use in a script (Windows)
set SERVER_URL=
for /f "delims=" %%i in ('SignotaurTool.exe config get signServer') do set SERVER_URL=%%i
echo Server: %SERVER_URL%

Exit Codes:

  • 0: Success (value retrieved)
  • Non-zero: Failure (key not found, config file doesn't exist, or invalid key)

config show

Displays the entire configuration.

Usage:

SignotaurTool.exe config show [options]

Options:

  • --json

    Output as raw JSON instead of a formatted table.

Examples:

# Show config as table
SignotaurTool.exe config show

# Show config as JSON
SignotaurTool.exe config show --json

Sample Output (Table):

Configuration (C:\Users\username\.signotaur\config.json):

┌─────────────┬──────────────────────────────────────┐
│ Key         │ Value                                │
├─────────────┼──────────────────────────────────────┤
│ signServer  │ https://signotaur.example.com       │
│ theme       │ Dark                                 │
└─────────────┴──────────────────────────────────────┘

Sample Output (JSON):

{
  "signServer": "https://signotaur.example.com",
  "theme": "Dark"
}

Notes:

  • Only non-null values are displayed.

config path

Shows the path to the configuration file and whether it exists.

Usage:

SignotaurTool.exe config path

Example:

SignotaurTool.exe config path

Sample Output:

Config file: C:\Users\username\.signotaur\config.json
Status: exists

config unset

Removes a configuration value (sets it to null).

Usage:

SignotaurTool.exe config unset <key>

Arguments:

  • <key> (required)

    Configuration key name (case-insensitive)

Examples:

# Remove thumbprint
SignotaurTool.exe config unset thumbprint

# Remove label
SignotaurTool.exe config unset label

# Remove theme setting
SignotaurTool.exe config unset theme

Notes:

  • Unsetting a key removes it from the configuration file.
  • The key will no longer appear in config show output.
  • Attempting to config get an unset key will return an error.

Complete Workflow Example

Here's a complete example of setting up and using the configuration file:

# 1. Create config file
SignotaurTool.exe config init

# 2. Configure server URL
SignotaurTool.exe config set signServer "https://signotaur.example.com"

# 3. Set default certificate (optional - use ONE of these)
SignotaurTool.exe config set thumbprint "A1B2C3D4E5F6789012345678901234567890ABCD"
# OR
SignotaurTool.exe config set label "my-code-signing-cert"

# 4. Set preferred theme
SignotaurTool.exe config set theme "Dark"

# 5. View configuration
SignotaurTool.exe config show

# 6. Now sign files without specifying server/theme every time
SignotaurTool.exe sign --api-key-file %USERPROFILE%\.signotaur\api_key.txt --fd SHA256 myapp.exe

Security Considerations

API Key Storage

Important: API keys are NOT stored in config.json. Use one of these secure methods instead:

  1. API Key File (recommended):

    echo your-api-key | SignotaurTool.exe auth set-key --from-stdin --write-key-file %USERPROFILE%\.signotaur\api_key.txt
SignotaurTool.exe sign --api-key-file %USERPROFILE%\.signotaur\api_key.txt ...

  2. Environment Variable:

    set SIGNOTAUR_API_KEY=your-api-key
SignotaurTool.exe sign ...

  3. Command-line argument (least secure - appears in shell history):

    SignotaurTool.exe sign --api-key your-api-key ...

File Permissions

On Windows, SignotaurTool automatically sets secure file permissions on the config file to prevent unauthorized access:

  • Only the current user has full control
  • Inheritance is disabled
  • Other users and groups cannot access the file

Configuration File Format

The configuration file is a simple JSON file with optional properties. Here's an example:

{
  "signServer": "https://signotaur.example.com",
  "thumbprint": "A1B2C3D4E5F6789012345678901234567890ABCD",
  "label": "my-code-signing-cert",
  "subject": "CN=My Company",
  "encoding": "UTF8",
  "theme": "Dark",
  "noColor": false,
  "allowUntrusted": false
}

Note: While you can have multiple certificate selectors in the config file, only one will be used based on priority (thumbprint > label > subject). It's recommended to set only one certificate selector to avoid confusion.

Notes:

  • All properties are optional
  • Null/missing properties use default values or require command-line specification
  • The file uses UTF-8 encoding
  • Boolean values in the JSON file are true or false

Troubleshooting

Config file not found:

  • Use config init to create the file
  • Check the path with config path

Permission denied:

  • Ensure you have write access to %USERPROFILE%\.signotaur\

Invalid value error:

  • For boolean values (noColor, allowUntrusted), use true or false (not yes/no or 1/0)
  • Check key names are spelled correctly (use config show to see valid keys)

Config not being used:

  • Remember command-line arguments override config file values
  • Verify the config file path with config path
  • Check the file is valid JSON with config show --json

See Also

  • Auth Command - Securely store API keys
  • Sign Command - File signing with config support
  • API Key Management - Best practices for API keys