Sign command

Sign command

The sign command allows you to sign one or more files using a certificate stored on the Signotaur server. It supports advanced options such as timestamping, verifying signatures, and fallback timestamp servers for reliability. It can handle multiple files efficiently with wildcard support.

Usage

SignotaurTool.exe sign [options] <files>

Files Parameter

  • A list of file paths to sign. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.

  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.

  • Notes:

    • Ensure that the directory paths are correctly specified, as the function will attempt to find matching files based on the directory provided in conjunction with the wildcards.
    • If you need to sign a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.

Options

Authentication

  • -a, --api-key <APIKey>
    Required. Specifies the Signotaur API key needed to authenticate with the Signotaur service.

  • -s, --sign-server <URL>
    Required. Specifies the URL of the Signotaur server that will handle the signing operation.

Certificate Selection

  • -t, --thumbprint <Thumbprint>
    Specifies the certificate thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate.

  • --sb, --subject <Subject>
    Specifies the certificate subject. Either subject or thumbprint is required to identify the signing certificate.

  • --ac, --additional-certs <CertList>
    Adds additional certificates from file paths to the signature block. You can provide a comma-separated list of certificate file paths. This is useful for including intermediate or root certificates that may be necessary for validation.

Signature Metadata

  • -d, --description <Description>
    Specifies a description of the signed content. This description will be embedded in the signature and should provide context about the content being signed.

  • --du, --description-url <URL>
    Specifies a URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files.

  • --an, --app-name <Name>
    Specifies an application name - only used when signing ClickOnce/VSTO manifests.

Digest & Page Hashing

  • --fd, --file-digest <Algorithm>
    Required. Specifies the file digest algorithm to use for creating file signatures. Supported algorithms include: SHA256, SHA384, SHA512.

  • --ph, --page-hashing
    Enables the generation of page hashes for executable files if supported by the file type. This is useful for ensuring the integrity of the executable's pages and can help detect tampering.

  • --nph, --no-page-hashing
    Suppresses the generation of page hashes for executable files if supported. Use this option if you do not want to include page hashes in the signature.

Timestamping

  • --tr, --timestamp-server <TimeStampServer>
    Specifies the URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails.

  • --td, --timestamp-digest <DigestAlgorithm>
    Specifies the digest algorithm used by the RFC 3161 timestamp server. This option is required if the --tr option is provided. Supported algorithms include SHA256, SHA384, and SHA512.

  • --fb, --fallback-timestamp-server <FallbackTimeStampServers>
    Specifies one or more URLs for RFC 3161-compliant timestamp servers to use as fallbacks if the primary timestamp server (--tr) fails. Provide multiple servers by repeating this option. The servers are tried sequentially, stopping at the first successful response.

  • --st, --separate-timestamp
    Enables a separate time-stamping step after signing. This option is automatically activated if any fallback timestamp servers (--fb) are specified.

Signature Validation

  • --vc|--verify-cert-chain Verifies the certificate chain before signing. If not set, the chain is not verified (default). Enables --revocation-mode and optionally --ignore-untrusted-root.

  • --rm, --revocation-mode <Mode> Specify the revocation check mode when building the certificate chain. Only used during signing when --verify-cert-chain is enabled.

    By default, the chain-building process may try to check the certificate status against online Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. If these URLs are inaccessible or slow to respond — possibly due to firewall restrictions, then changing the revocation mode can improve signing performance. The parameter accepts the following <Mode> values:

    • Online (default): Performs live revocation checks.
    • Offline: Skips online checks and uses cached data.
    • NoCheck: Disables all revocation validation, increasing the risk of using revoked certificates.

    Note: Software signed with a revoked certificate may trigger trust warnings or be blocked by operating systems. We therefore recommend checking and adjusting your firewall settings first. Ensure that it permits outbound HTTP (port 80) and HTTPS (port 443) traffic to the CRL and OCSP URLs specified in your certificates.

  • --ignore-untrusted-root
    Ignore untrusted root errors. When signing, it allows certificate chains that do not terminate in a trusted root (requires --verify-cert-chain). When verifying, this skips errors caused by unknown or self-signed root certificates.

Signing Behaviour

  • --as, --append-signature
    Appends this signature to the file. If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures. Note that appending signatures requires Windows 11 or later.

  • --vf, --verify
    Verifies the signature after signing to ensure it is valid.

  • --skip-signed
    Skips any files that have been previously signed.

  • --allow-untrusted
    Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution, as it may expose you to security risks

  • --continue-on-fail
    Continues signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failures.

Input Files

  • --fl, --file-list <FileName>
    Specifies the path to a file containing a list of files to sign. This is useful for batch signing multiple files without specifying them individually on the command line.

    Each line in the file must follow this format:

    FilePath|Description|URL|ApplicationName
    • FilePath (required): The path to the file to be signed. This can be a specific file path or use wildcards (*, ?, **) to match multiple files. The tool will interpret each path just as it does for the Files parameter.
    • Description (optional): A description of the signed content. Overrides the -d or --description option for the specified file or matching files.
    • URL (optional): A URL for an expanded description of the signed content. Overrides the -du or --description-ul option for the specified file or matching files.
    • ApplicationName (optional): Specifies an application name for use with ClickOnce or VSTO manifests. Overrides the --an or --app-name option for the specified file or matching files.

    Quoting and escaping rules

    • Quotes are optional unless a field contains a pipe (|) or a double quote (").
    • If a field contains a pipe (|) or a double quote ("), it must be enclosed in double quotes ("").
    • Double quotes inside a quoted field must be escaped using a backslash (\").
    • Backslashes (\) must be escaped (\\) inside a quoted field, but remain unchanged if unquoted.

    Example entries

    C:\Folder\*.exe
/home/user/*.so|Sample description
"C:\Projects\**\file.dll"|"A \"quoted\" description"|"http://example.com"
"C:\Dev\drivers\*.sys"|"System drivers"|http://example.com
"*.dll"|"This description contains a | pipe character"|http://example.com
"E:\Publish\App\app.exe"|Description with spaces|https://example.com

Updating

  • --asu, --auto-self-update
    Automatically checks for and installs updates before signing.
    If an update is installed, the updated version restarts with the same command-line arguments, excluding this option.

  • --update-mode <Mode>
    Choose 'Version' to update to every new release, or 'SourceHash' (default) to update only when the source code hash differs (e.g. when there are changes).

Miscellaneous

  • --request-timeout <TimeoutInSeconds>
    Specifies the request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on number of files

  • -m, --max-degree-of-parallelism <MDOP>
    Specifies the maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine.

  • --encoding <Encoding>
    Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.

  • -v, --verbose
    Enables verbose logging for the signing operation, providing detailed output of the signing process, which can be useful for debugging.

  • --nb, --no-banner
    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • --help
    Displays help information and usage instructions for this command.

Examples

  1. Sign multiple files with a specified thumbprint:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> file1.exe file2.dll

  2. Sign files with timestamping:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 file1.exe file2.dll

  3. Sign files with timestamping and verification:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 --vf file1.exe file2.   ```

Supported File Types

The sign command supports signing the following file types: .appx, .appxbundle, .cab, .cat, .cdxml, .dll, .eappx, .eappxbundle, .emsix, .emsixbundle, .exe, .msi, .msix, .msixbundle, .msm, .msp, .mst, .ocx, .ps1, .ps1xml, .psd1, .psm1, .stl, .sys, .vbs, .vxd, .winmd. Additional PE file types may also be signed automatically.

ClickOnce or VSTO Signing

If the input includes a .application file (ClickOnce deployment manifest), or a .vsto file (Visual Studio Tools for Office add-in manifest), the sign command automatically detects, hashes and signs all related application files and manifests in the required order.
This ensures the entire ClickOnce/VSTO deployment package is properly signed, including:

  • The deployment manifest (.application or .vsto file itself)
  • The associated application manifest (.manifest)
  • All referenced application files required for deployment

This recursive signing makes ClickOnce deployments seamless and secure, with no need to manually list each file.

Exit Codes

The following exit codes indicate the result of the operation performed by SignotaurTool.exe:

  • 0 (Success): Operation completed successfully (S_OK).
  • 1 (NotFound): One or more specified files were not found. Ensure that the file paths provided are correct (ERROR_FILE_NOT_FOUND).
  • 2 (Aborted): The operation was aborted (E_ABORT).
  • 3 (AccessDenied): Access denied. You might not have the required permissions (E_ACCESSDENIED).
  • 4 (Failure): General failure. An unspecified error occurred (E_FAIL).
  • 5 (InvalidHandle): Invalid handle. The referenced resource is not valid (E_HANDLE).
  • 6 (InvalidArgument): Invalid argument. One or more parameters are incorrect (E_INVALIDARG).
  • 7 (NoInterface): No such interface supported (E_NOINTERFACE).
  • 8 (NotImplemented): The requested feature is not implemented (E_NOTIMPL).
  • 9 (OutOfMemory): Out of memory. The system could not allocate the required resources (E_OUTOFMEMORY).
  • 10 (InvalidPointer): Invalid pointer. A memory reference was invalid (E_POINTER).
  • 11 (UnexpectedFailure): Unexpected catastrophic failure (E_UNEXPECTED).
  • 12 (AdditionalCertNotFound): Additional certificate not found (CRYPT_E_NOT_FOUND).
  • 13 (FileListError): An error occurred while processing the file list (custom mapping).
  • 14 (SharingViolation): Sharing violation. Check if the file is locked by another process (ERROR_SHARING_VIOLATION).
  • 15 (UnknownResult): An unknown result occurred. The error code was not recognized.
  • 16 (NoSignature): No signature found (TRUST_E_NOSIGNATURE).
  • 17 (ExplicitDistrust): The signature is explicitly distrusted (TRUST_E_EXPLICIT_DISTRUST).
  • 18 (SubjectNotTrusted): The subject is not trusted (TRUST_E_SUBJECT_NOT_TRUSTED).
  • 19 (InvalidPolicy): The certificate policy is invalid or not allowed (CERT_E_INVALID_POLICY).
  • 20 (UntrustedRoot): The certificate chain terminates in a root certificate that is not trusted (CERT_E_UNTRUSTEDROOT).
  • 21 (CertificateExpired): The certificate has expired (CERT_E_EXPIRED).
  • 22 (Malformed): The certificate is malformed or corrupted (CERT_E_MALFORMED).
  • 23 (CertificateRevoked): The certificate has been revoked (CERT_E_REVOKED).
  • 24 (FileError): A file error occurred while reading or writing (CRYPT_E_FILE_ERROR).
  • 25 (ProviderUnknown): Unknown trust provider (TRUST_E_PROVIDER_UNKNOWN).
  • 26 (SubjectFormUnknown): Unknown trust subject form (TRUST_E_SUBJECT_FORM_UNKNOWN).
  • 27 (ActionUnknown): Unknown trust action (TRUST_E_ACTION_UNKNOWN).
  • 28 (TrustFailure): Trust verification failed (TRUST_E_FAIL).
  • 29 (CertificateIssuerChaining): The certificate issuer chaining is incorrect (CERT_E_ISSUERCHAINING).
  • 30 (CertificateValidityPeriodNesting): The certificate validity period nesting is incorrect (CERT_E_VALIDITYPERIODNESTING).
  • 31 (CertificateRole): A certificate is being used in an invalid role (CERT_E_ROLE).
  • 32 (CertificatePathLenConst): A path length constraint in the certification chain has been exceeded (CERT_E_PATHLENCONST).
  • 33 (CertificateCritical): A certificate has an unrecognized critical extension (CERT_E_CRITICAL).
  • 34 (CertificatePurpose): The certificate is being used for an invalid purpose (CERT_E_PURPOSE).
  • 35 (CertificateUntrustedTestRoot): A test root certificate is not trusted (CERT_E_UNTRUSTEDTESTROOT).
  • 36 (CertificateRevocationFailure): The certificate revocation check could not continue (CERT_E_REVOCATION_FAILURE).
  • 37 (CertificateCNNoMatch): The certificate's common name does not match (CERT_E_CN_NO_MATCH).
  • 38 (CertificateWrongUsage): The certificate is used for the wrong purpose (CERT_E_WRONG_USAGE).
  • 39 (CertificateUntrustedCA): The issuing certificate authority is not trusted (CERT_E_UNTRUSTEDCA).
  • 40 (CertificateInvalidName): The certificate name is invalid (CERT_E_INVALID_NAME).
  • 41 (CertificateChaining): A certificate chain could not be built to a trusted root authority (CERT_E_CHAINING).
  • 42 (SecuritySettings): The cryptographic operation was blocked by security policy or settings (CRYPT_E_SECURITY_SETTINGS).
  • 43 (PlatformNotSupported): The operation is not supported on this platform.
  • 44 (TrustSystemError): A system-level trust error occurred (TRUST_E_SYSTEM_ERROR).
  • 45 (TrustNoSignerCert): No signer certificate was found (TRUST_E_NO_SIGNER_CERT).
  • 46 (CannotInstallProvider): The certificate's signature could not be verified (TRUST_E_PROVIDER_UNKNOWN_ACTION).
  • 47 (TimeStampError): Invalid timestamp signature or certificate (TRUST_E_TIME_STAMP).
  • 48 (BadDigest): The object's digital signature did not verify (TRUST_E_BAD_DIGEST).
  • 49 (InvalidBasicConstraints): The certificate's basic constraints extension is invalid or missing (CERT_E_INVALID_BASIC_CONSTRAINTS).
  • 50 (CounterSignerError): The countersignature or timestamp could not be verified (TRUST_E_COUNTER_SIGNER).
  • 51 (NoRevocationCheck): The revocation function was unable to check revocation (CRYPT_E_NO_REVOCATION_CHECK).
  • 52 (RevocationOffline): The revocation server was offline and the certificate status could not be determined (CRYPT_E_REVOCATION_OFFLINE).
  • 53 (NoUpdate): No update available (when checking for client updates).
  • 53 (BadFormat): The file or data has an incorrect or invalid format (ERROR_BAD_FORMAT).

Typically a more specific message will be displayed before an error exit code is returned.

Troubleshooting

  1. Server Connection Issues:

    • Ensure the Signotaur server URL is reachable.
    • Verify the server certificate is trusted unless using --allow-untrusted.

  2. Certificate Not Found:

    • Double-check the thumbprint or subject name.
    • Verify the certificate exists in the server’s store.

  3. File Signing Errors:

    • Ensure the file path is correct.
    • Check permissions for accessing files and server resources.

Further Information

See Migrating from Signtool to SignotaurTool.