Migrating from SignTool to SignotaurTool

This guide will help you transition from using Microsoft's SignTool to the SignotaurTool for signing files. We'll cover the key differences, equivalent commands, and examples for a seamless migration.

Prerequisites

Before you start, ensure the following:

  1. SignotaurTool is installed and accessible. Download it from your Signotaur server or deployment environment.
  2. You have the following information:
    • API Key: From your Signotaur server profile.
    • Server URL: The URL of the Signotaur server.
    • Certificate Thumbprint or Subject Name: For the certificate used to sign files.
    • Any additional certificate file (if required) for the signature block.
  3. A list of the files you want to sign.

Key Differences Between Signtool and SignotaurTool

| Feature | SignTool | SignotaurTool |
|---|---|---|
| Tool name | signtool.exe | SignotaurTool.exe |
| Signing server | Not applicable (local certificates only) | Requires a Signotaur server and API key for signing operations |
| Timestamping | /tr for URL, /td for digest algorithm | --tr for URL, --td for digest algorithm |
| Certificate selection | /n (subject) or /sha1 (thumbprint) | --sb (subject) or -t (thumbprint) |
| Wildcards | Supported | Supported |
| Additional certificates | /ac | --ac (comma-separated for multiple certificates) |
| Digest algorithm | /fd | --fd |

Translating Commands

Signtool Command Example

signtool sign /td sha256 /fd sha256 /s my /n "Company Name" /ac "IntermediateCert.cer"  /d "My Application" /du "https://www.example.com" /tr http://timestamp.digicert.com "D:\MyFile.exe"

Equivalent SignotaurTool Command

SignotaurTool.exe sign "D:\MyFile.exe" -a BwAAAAwTSlIsf1bMK2B8ta12k-MjyH_1D9wPBiyUCizkKk7Pw= -s https://signotaur-server:82 -t 7BCAC6E43ECB7E79392DA48E2F1FC214356A762B --sb "Company Name" --ac "IntermediateCert.cer" -d "My Application"  --du "https://www.example.com" --fd sha256 --tr http://timestamp.digicert.com --td sha256

Command Reference

This table lists the direct mappings between Signtool and SignotaurTool where applicable. Options not available in SignotaurTool are managed on the Signotaur server or are not supported due to different workflows.

| Signtool Option | Description | SignotaurTool Equivalent |
|---|---|---|
| /a | Automatically selects the best signing certificate. | Not applicable (Signotaur uses specific server certificates via --sb or -t). |
| /ac <file> | Adds an additional certificate from a file to the signature block. | --ac <file> |
| /as | Appends the signature block. | --as |
| /c <certTemplateName> | Specifies the Certificate Template Name of the signing certificate. | Not applicable (Signotaur uses thumbprint or subject name to match certificate registered on server). |
| /csp <CSPName> | Specifies the Cryptographic Service Provider (CSP) to use. | Not applicable (Signotaur manages certificates on the server). |
| /d <description> | Specifies a description of the signed content. | -d <description> |
| /du <URL> | Specifies a URL for the expanded description of the signed content. | --du <URL> |
| /f <File> | Specifies the signing certificate in a file. | Not applicable (Signotaur manages certificates on the server). |
| /fd <hashAlgorithm> | Specifies the hash algorithm to use for file signature creation. | --fd <hashAlgorithm> |
| /i <issuerName> | Specifies the issuer of the signing certificate. | Not applicable (Signotaur uses thumbprint or subject name to match certificate registered on server). |
| /kc <keyContainer> | Specifies the key container to be used for signing. | Not applicable (Signotaur handles key storage securely on the server). |
| /n <subjectName> | Specifies the subject name of the signing certificate. | --sb <subjectName> |
| /nph | Specifies that page hashes should not be generated. | --nph |
| /p <password> | Specifies the password to access the private key of the signing certificate. | Not applicable (Signotaur handles key storage securely on the server). |
| /p7 <filePath> | Generates a P7 file in addition to signing the file. | Not currently supported. |
| /p7ce <value> | Specifies attributes for the PKCS #7 file. | Not currently supported. |
| /p7co <OID> | Specifies the object identifier (OID) for PKCS #7 content. | Not currently supported. |
| /ph | Specifies that page hash signing should be used. | --ph |
| /r <rootSubjectName> | Specifies the name of the subject of the root certificate that the signing certificate must chain to. | Not applicable (Signotaur uses thumbprint or subject name to match certificate registered on server). |
| /s <storeName> | Specifies the store name to search for the certificate. | Not applicable (Signotaur uses thumbprint or subject name to match certificate registered on server). |
| /sha1 <sha1Thumbprint> | Specifies the SHA-1 thumbprint of the signing certificate. | -t <thumbprint> |
| /sm | Specifies that a certificate in the computer store, instead of the user store, should be used. | Not applicable (Signotaur uses thumbprint or subject name to match certificate registered on server). |
| /t <URL> | Specifies the URL of the timestamp server. | --tr <URL> |
| /td <hashAlgorithm> | Specifies the hash algorithm to use for the timestamp. | --td <hashAlgorithm> |
| /tr <URL> | Specifies the URL of the RFC 3161 timestamp server. | --tr <URL> |
| /u <usageOID> | Specifies the enhanced key usage (EKU) that must be present in the certificate. | Not directly supported. Certificate policies are managed on the server side. |
| /v | Verbose output. | -v |
| /uw | Specifies usage of "Windows System Component Verification". | Not applicable. |
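The command translation shown earlier and the option mapping in this reference table, carried out as a script. This is an added example and is not part of Signotaur, SignotaurTool or its documentation. It assumes SignotaurTool accepts exactly the flags listed in the table, takes the SignTool command as a token list (so no shell-quoting rules for Windows paths have to be guessed), and reads the API key and server URL from the environment variable names SIGNOTAUR_API_KEY and SIGNOTAUR_SERVER, which are hypothetical, so that the credential is not written into a script or left in shell history.

```python
"""Translate a 'signtool sign ...' command into its SignotaurTool equivalent.

Added example for this migration guide, not Signotaur's own code. Assumes the
SignotaurTool flags listed in the Command Reference table; the environment
variable names SIGNOTAUR_API_KEY and SIGNOTAUR_SERVER are hypothetical.
"""
import os
import subprocess
from typing import Dict, List, Optional, Tuple

# Direct mappings: SignTool option -> (SignotaurTool option, takes a value)
DIRECT: Dict[str, Tuple[str, bool]] = {
    "/ac": ("--ac", True), "/as": ("--as", False), "/d": ("-d", True),
    "/du": ("--du", True), "/fd": ("--fd", True), "/n": ("--sb", True),
    "/nph": ("--nph", False), "/ph": ("--ph", False), "/sha1": ("-t", True),
    "/t": ("--tr", True),  # legacy timestamp URL maps to the RFC 3161 flag, per the table
    "/td": ("--td", True), "/tr": ("--tr", True), "/v": ("-v", False),
}
# Certificate, key store and policy options the Signotaur server handles: option -> takes a value
SERVER_SIDE: Dict[str, bool] = {
    "/a": False, "/c": True, "/csp": True, "/f": True, "/i": True, "/kc": True,
    "/p": True, "/r": True, "/s": True, "/sm": False, "/u": True, "/uw": False,
}
# Options SignotaurTool does not currently support: option -> takes a value
UNSUPPORTED: Dict[str, bool] = {"/p7": True, "/p7ce": True, "/p7co": True}


def translate(signtool_argv: List[str], api_key: str, server_url: str,
              thumbprint: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Map a 'signtool sign ...' argv to a SignotaurTool argv.

    Returns (argv, warnings). Files are placed first, as in the guide's worked
    example. Options the server manages or the tool lacks are dropped with a
    warning rather than silently, so a migration can be reviewed option by option.
    """
    if len(signtool_argv) < 2 or signtool_argv[1].lower() != "sign":
        raise ValueError("only 'signtool sign ...' command lines are handled")

    def value_after(idx: int) -> str:
        if idx + 1 >= len(signtool_argv):
            raise ValueError(f"{signtool_argv[idx]} requires a value")
        return signtool_argv[idx + 1]

    options: List[str] = []
    files: List[str] = []
    warnings: List[str] = []
    i = 2
    while i < len(signtool_argv):
        tok = signtool_argv[i]
        key = tok.lower()
        if not key.startswith("/"):
            files.append(tok)  # anything that is not an option is a file to sign
        elif key in DIRECT:
            new_opt, takes_value = DIRECT[key]
            options.append(new_opt)
            if takes_value:
                options.append(value_after(i))
                i += 1
        elif key in SERVER_SIDE:
            warnings.append(f"{tok}: not applicable with SignotaurTool (handled on the server); dropped")
            if SERVER_SIDE[key]:
                value_after(i)  # validate and skip the value
                i += 1
        elif key in UNSUPPORTED:
            warnings.append(f"{tok}: not currently supported by SignotaurTool; dropped")
            if UNSUPPORTED[key]:
                value_after(i)
                i += 1
        else:
            raise ValueError(f"unknown SignTool option {tok}")
        i += 1

    if not files:
        raise ValueError("no file to sign was given")
    if thumbprint:
        options += ["-t", thumbprint]
    if "--sb" not in options and "-t" not in options:
        raise ValueError("SignotaurTool needs --sb (subject) or -t (thumbprint) to select the server certificate")
    argv = ["SignotaurTool.exe", "sign", *files, "-a", api_key, "-s", server_url, *options]
    return argv, warnings


if __name__ == "__main__":
    # The SignTool command from this guide, as a token list.
    example = ["signtool", "sign", "/td", "sha256", "/fd", "sha256", "/s", "my",
               "/n", "Company Name", "/ac", "IntermediateCert.cer", "/d", "My Application",
               "/du", "https://www.example.com", "/tr", "http://timestamp.digicert.com",
               r"D:\MyFile.exe"]
    api_key = os.environ.get("SIGNOTAUR_API_KEY", "<API key from your Signotaur profile>")
    server = os.environ.get("SIGNOTAUR_SERVER", "https://signotaur-server:82")
    argv, warns = translate(example, api_key, server, "7BCAC6E43ECB7E79392DA48E2F1FC214356A762B")
    for w in warns:
        print("note:", w)
    # list2cmdline applies Windows quoting rules, i.e. what SignotaurTool.exe would receive.
    print(subprocess.list2cmdline(argv))
```

Run against the guide's own SignTool command, the script reports that `/s my` was dropped (the certificate store is the server's concern) and emits the same SignotaurTool command the guide shows. The returned list can be handed straight to `subprocess.run`, which avoids re-quoting the API key and description through a shell.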