Sign command

Sign command

The sign command allows you to sign one or more files using a certificate stored on the Signotaur server. It supports advanced options such as timestamping, verifying signatures, and fallback timestamp servers for reliability. It can handle multiple files efficiently with wildcard support.

Usage

SignotaurTool.exe sign [options] <files>

Files Parameter

  • A list of file paths to sign. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.

  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.

  • Notes:

    • Ensure that the directory paths are correctly specified, as the function will attempt to find matching files based on the directory provided in conjunction with the wildcards.
    • If you need to sign a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.

Options

  • -a, --api-key <APIKey>
    Required. Specifies the Signotaur API key needed to authenticate with the Signotaur service.

  • -s, --sign-server <URL>
    Required. Specifies the URL of the Signotaur server that will handle the signing operation.

  • --allow-untrusted
    Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution, as it may expose you to security risks.

  • -t, --thumbprint <Thumbprint>
    Specifies the certificate thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate.

  • --sb, --subject <Subject>
    Specifies the certificate subject. Either subject or thumbprint is required to identify the signing certificate.

  • -d, --description <Description>
    Specifies a description of the signed content. This description will be embedded in the signature and should provide context about the content being signed.

  • --du, --description-url <URL>
    Specifies a URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files.

  • --fd, --file-digest <Algorithm>
    Required. Specifies the file digest algorithm to use for creating file signatures. Supported algorithms include: SHA256, SHA384, SHA512.

  • --ph, --page-hashing
    Enables the generation of page hashes for executable files if supported by the file type. This is useful for ensuring the integrity of the executable's pages and can help detect tampering.

  • --nph, --no-page-hashing
    Suppresses the generation of page hashes for executable files if supported. Use this option if you do not want to include page hashes in the signature.

  • --tr, --timestamp-server <TimeStampServer>
    Specifies the URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails.

  • --td, --timestamp-digest <DigestAlgorithm>
    Specifies the digest algorithm used by the RFC 3161 timestamp server. This option is required if the --tr option is provided. Supported algorithms include SHA256, SHA384, and SHA512.

  • --fb, --fallback-timestamp-server <FallbackTimeStampServers>
    Specifies one or more URLs for RFC 3161-compliant timestamp servers to use as fallbacks if the primary timestamp server (--tr) fails. Provide multiple servers by repeating this option. The servers are tried sequentially, stopping at the first successful response.

  • --st, --separate-timestamp
    Enables a separate time-stamping step after signing. This option is automatically activated if any fallback timestamp servers (--fb) are specified.

  • --ac, --additional-certs <CertList>
    Adds additional certificates from file paths to the signature block. You can provide a comma-separated list of certificate file paths. This is useful for including intermediate or root certificates that may be necessary for validation.

  • --as, --append-signature
    Appends this signature to the file. If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures.

    • --vf, --verify
      Verifies the signature after signing to ensure it is valid.

  • --ignore-untrusted-root
    Ignores untrusted root errors when verifying a file signed with a self-signed certificate.

  • -m, --max-degree-of-parallelism <MDOP>
    Specifies the maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine.

  • --fl, --file-list <FileName>
    Specifies the path to a file containing a list of file paths to sign. This is helpful for signing multiple files at once without specifying each one in the command line. Each line in the file should contain one file path, and you can use wildcards (e.g., *, ?, **) to match multiple files. The tool will interpret each path just as it does for the Files parameter. Ensure that the file is correctly formatted with one path per line to avoid processing errors.

  • --continue-on-fail
    Continues signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failures.

  • --nb, --no-banner
    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • -v, --verbose
    Enables verbose logging for the signing operation, providing detailed output of the signing process, which can be useful for debugging.

  • --request-timeout <TimeoutInSeconds>
    Specifies the request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on number of files

  • --skip-signed
    Skips any files that have been previously signed.

  • --help
    Displays help information and usage instructions for this command.

Examples

  1. Sign multiple files with a specified thumbprint:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> file1.exe file2.dll

  2. Sign files with timestamping:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 file1.exe file2.dll

  3. Sign files with timestamping and verification:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 --vf file1.exe file2.   ```

Exit Codes

The following exit codes indicate the result of the operation performed by SignotaurTool.exe:

  • 0 (Success): The operation completed successfully without any errors.

  • 1 (NotFound): One or more specified files were not found. Ensure that the file paths provided are correct.

  • 2 (Aborted): The operation was aborted by the user or due to an unrecoverable error during execution.

  • 3 (AccessDenied): The operation could not be completed due to insufficient permissions. Check that you have the necessary access rights for the files or directories involved.

  • 4 (Failure): A general failure occurred during the operation. The specifics of the error are logged as a message.

  • 5 (InvalidHandle): An invalid handle was encountered. This usually indicates a problem with a resource that was expected to be valid but is not.

  • 6 (InvalidArgument): One or more arguments provided to the command are invalid. Verify the input parameters and their formats.

  • 7 (NoInterface): The requested interface is not available. This typically indicates an issue with the underlying implementation.

  • 8 (NotImplemented): The requested feature or operation has not been implemented.

  • 9 (OutOfMemory): The operation could not be completed due to insufficient memory. Try closing other applications or freeing up system resources.

  • 10 (InvalidPointer): An invalid pointer was encountered. This suggests that a reference to an object or memory location was not valid.

  • 11 (UnexpectedFailure): An unexpected failure occurred, which is not classified under the other exit codes. This usually indicates a bug or an unforeseen issue.

  • 12 (AdditionalCertNotFound): One or more additional certificates specified for signing were not found. Ensure the paths to the certificates are correct.

  • 13 (FileListError): An error occurred while processing the file list. This may indicate issues with the format or accessibility of the file list provided.

  • 14 (UnknownResult): The result of the operation is unknown. This could occur if the operation was not completed properly or if an unexpected state was encountered.

Troubleshooting

  1. Server Connection Issues:

    • Ensure the Signotaur server URL is reachable.
    • Verify the server certificate is trusted unless using --allow-untrusted.

  2. Certificate Not Found:

    • Double-check the thumbprint or subject name.
    • Verify the certificate exists in the server’s store.

  3. File Signing Errors:

    • Ensure the file path is correct.
    • Check permissions for accessing files and server resources.

Further Information

See Migrating from Signtool to SignotaurTool.