Sign command

Sign command

The sign command allows you to sign one or more files using a certificate stored on the Signotaur server. It supports advanced options such as timestamping, verifying signatures, and fallback timestamp servers for reliability. It can handle multiple files efficiently with wildcard support.

Usage

SignotaurTool.exe sign [options] <files>

Files Parameter

  • A list of file paths to sign. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.

  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.

  • Notes:

    • Ensure that the directory paths are correctly specified, as the function will attempt to find matching files based on the directory provided in conjunction with the wildcards.
    • If you need to sign a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.

Options

  • -a, --api-key <APIKey>
    Required. Specifies the Signotaur API key needed to authenticate with the Signotaur service.

  • -s, --sign-server <URL>
    Required. Specifies the URL of the Signotaur server that will handle the signing operation.

  • --allow-untrusted
    Allows signing using a Signotaur server that is bound to an untrusted or invalid certificate. Use this option with caution, as it may expose you to security risks.

  • -t, --thumbprint <Thumbprint>
    Specifies the certificate thumbprint to be used for signing. You can obtain this thumbprint from the Signotaur certificate page. Either a thumbprint or subject is required to identify the signing certificate.

  • --sb, --subject <Subject>
    Specifies the certificate subject. Either subject or thumbprint is required to identify the signing certificate.

  • -d, --description <Description>
    Specifies a description of the signed content. This description will be embedded in the signature and should provide context about the content being signed.

  • --du, --description-url <URL>
    Specifies a URL for an expanded description of the signed content. This URL can point to a webpage or document that provides more detailed information about the signed files.

  • --fd, --file-digest <Algorithm>
    Required. Specifies the file digest algorithm to use for creating file signatures. Supported algorithms include: SHA256, SHA384, SHA512.

  • --ph, --page-hashing
    Enables the generation of page hashes for executable files if supported by the file type. This is useful for ensuring the integrity of the executable's pages and can help detect tampering.

  • --nph, --no-page-hashing
    Suppresses the generation of page hashes for executable files if supported. Use this option if you do not want to include page hashes in the signature.

  • --tr, --timestamp-server <TimeStampServer>
    Specifies the URL of the RFC 3161 timestamp server. Time stamping is important for proving when a file was signed. If this option is not included, the signed file will not be timestamped, and a warning will be generated if timestamping fails.

  • --td, --timestamp-digest <DigestAlgorithm>
    Specifies the digest algorithm used by the RFC 3161 timestamp server. This option is required if the --tr option is provided. Supported algorithms include SHA256, SHA384, and SHA512.

  • --fb, --fallback-timestamp-server <FallbackTimeStampServers>
    Specifies one or more URLs for RFC 3161-compliant timestamp servers to use as fallbacks if the primary timestamp server (--tr) fails. Provide multiple servers by repeating this option. The servers are tried sequentially, stopping at the first successful response.

  • --st, --separate-timestamp
    Enables a separate time-stamping step after signing. This option is automatically activated if any fallback timestamp servers (--fb) are specified.

  • --ac, --additional-certs <CertList>
    Adds additional certificates from file paths to the signature block. You can provide a comma-separated list of certificate file paths. This is useful for including intermediate or root certificates that may be necessary for validation.

  • --as, --append-signature
    Appends this signature to the file. If no primary signature exists, this signature will become the primary one. This is useful for signing files multiple times without overwriting existing signatures. Note that appending signatures requires Windows 11 or later.

  • --rm, --revocation-mode <Mode> Specify the revocation check mode when building the certificate chain. By default, the chain-building process may try to check the certificate status against online Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. If these URLs are inaccessible or slow to respond — possibly due to firewall restrictions, then changing the revocation mode can improve signing performance. The parameter accepts the following <Mode> values:

    • Online (default): Performs live revocation checks.
    • Offline: Skips online checks and uses cached data.
    • NoCheck: Disables all revocation validation, increasing the risk of using revoked certificates.

    Note: Software signed with a revoked certificate may trigger trust warnings or be blocked by operating systems. We therefore recommend checking and adjusting your firewall settings first. Ensure that it permits outbound HTTP (port 80) and HTTPS (port 443) traffic to the CRL and OCSP URLs specified in your certificates.

  • --vf, --verify
    Verifies the signature after signing to ensure it is valid.

  • --ignore-untrusted-root
    Ignores untrusted root errors when verifying a file signed with a self-signed certificate.

  • -m, --max-degree-of-parallelism <MDOP>
    Specifies the maximum number of concurrent file signing operations. This setting allows you to control the degree of parallelism to optimize performance. The default value is 4, but you can adjust this based on the capabilities of your machine.

  • --fl, --file-list <FileName>
    Specifies the path to a file containing a list of files to sign. This is useful for batch signing multiple files without specifying them individually on the command line.

    Each line in the file must follow this format:

    FilePath|Description|URL
    • FilePath (required): The path to the file to be signed. This can be a specific file path or use wildcards (*, ?, **) to match multiple files. The tool will interpret each path just as it does for the Files parameter.
    • Description (optional): A description of the signed content. Overrides the -d or --description option for the specified file or matching files.
    • URL (optional): A URL for an expanded description of the signed content. Overrides the -du or --description-ul option for the specified file or matching files.

    Quoting and escaping rules

    • Quotes are optional unless a field contains a pipe (|) or a double quote (").
    • If a field contains a pipe (|) or a double quote ("), it must be enclosed in double quotes ("").
    • Double quotes inside a quoted field must be escaped using a backslash (\").
    • Backslashes (\) must be escaped (\\) inside a quoted field, but remain unchanged if unquoted.

    Example entries

    C:\Folder\*.exe
/home/user/*.so|Sample description
"C:\Projects\**\file.dll"|"A \"quoted\" description"|"http://example.com"
"C:\Dev\drivers\*.sys"|"System drivers"|http://example.com
"*.dll"|"This description contains a | pipe character"|http://example.com
"E:\Publish\App\app.exe"|Description with spaces|https://example.com

  • --continue-on-fail
    Continues signing subsequent files even if an error occurs while signing a file. This option is useful for batch signing scenarios where you want to attempt to sign all files regardless of individual failures.

  • --encoding <Encoding>
    Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.

  • --nb, --no-banner
    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • -v, --verbose
    Enables verbose logging for the signing operation, providing detailed output of the signing process, which can be useful for debugging.

  • --request-timeout <TimeoutInSeconds>
    Specifies the request timeout for server requests in seconds. If the server takes longer than the specified time to respond, the operation will be aborted. Default is 0 for automatic timeout calculation based on number of files

  • --skip-signed
    Skips any files that have been previously signed.

  • --help
    Displays help information and usage instructions for this command.

Examples

  1. Sign multiple files with a specified thumbprint:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> file1.exe file2.dll

  2. Sign files with timestamping:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 file1.exe file2.dll

  3. Sign files with timestamping and verification:

    SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --tr <TimeStampServer> --td SHA256 --vf file1.exe file2.   ```

Exit Codes

The following exit codes indicate the result of the operation performed by SignotaurTool.exe:

  • 0 (Success): The operation completed successfully without any errors.
  • 1 (NotFound): One or more specified files were not found. Ensure that the file paths provided are correct.
  • 2 (Aborted): The operation was aborted by the user or due to an unrecoverable error during execution.
  • 3 (AccessDenied): The operation could not be completed due to insufficient permissions. Check that you have the necessary access rights for the files or directories involved.
  • 4 (Failure): A general failure occurred during the operation. The specifics of the error are logged as a message.
  • 5 (InvalidHandle): An invalid handle was encountered. This usually indicates a problem with a resource that was expected to be valid but is not.
  • 6 (InvalidArgument): One or more arguments provided to the command are invalid. Verify the input parameters and their formats.
  • 7 (NoInterface): The requested interface is not available. This typically indicates an issue with the underlying implementation.
  • 8 (NotImplemented): The requested feature or operation has not been implemented.
  • 9 (OutOfMemory): The operation could not be completed due to insufficient memory. Try closing other applications or freeing up system resources.
  • 10 (InvalidPointer): An invalid pointer was encountered. This suggests that a reference to an object or memory location was not valid.
  • 11 (UnexpectedFailure): An unexpected failure occurred, which is not classified under the other exit codes. This usually indicates a bug or an unforeseen issue.
  • 12 (AdditionalCertNotFound): One or more additional certificates specified for signing were not found. Ensure the paths to the certificates are correct.
  • 13 (FileListError): An error occurred while processing the file list. This may indicate issues with the format or accessibility of the file list provided.
  • 14 (SharingViolation): A sharing violation occurred. Check if the file is locked by another process.
  • 15 (UnknownResult): The result of the operation is unknown. This could occur if the operation was not completed properly or if an unexpected state was encountered.
  • 16 (NoSignature): No signature found in the file. The file is not signed.
  • 17 (ExplicitDistrust): The signature is present but specifically disallowed. The file is explicitly distrusted.
  • 18 (SubjectNotTrusted): The signature is present but not trusted.
  • 19 (InvalidPolicy): The certificate policy is invalid.
  • 20 (UntrustedRoot): The certificate chain terminates in a root certificate that is not trusted.
  • 21 (CertificateExpired): The certificate has expired.
  • 22 (Malformed): The certificate is malformed.
  • 23 (CertificateRevoked): The certificate has been revoked.
  • 24 (FileError): A file error occurred. The file cannot be opened or read.
  • 25 (ProviderUnknown): The provider is unknown.
  • 26 (SubjectFormUnknown): The subject form is unknown.
  • 27 (ActionUnknown): The action is unknown.
  • 28 (TrustFailure): A trust failure occurred.
  • 29 (CertificateIssuerChaining): The certificate issuer chaining is incorrect.
  • 30 (CertificateValidityPeriodNesting): The certificate validity period nesting is incorrect.
  • 31 (CertificateRole): The certificate role is incorrect.
  • 32 (CertificatePathLenConst): The certificate path length constraint is incorrect.
  • 33 (CertificateCritical): The certificate is marked as critical.
  • 34 (CertificatePurpose): The certificate is used for an incorrect purpose.
  • 35 (CertificateUntrustedTestRoot): The certificate has an untrusted test root.
  • 36 (CertificateRevocationFailure): The certificate revocation check failed.
  • 37 (CertificateCNNoMatch): The certificate common name does not match the expected value.
  • 38 (CertificateWrongUsage): The certificate is used for the wrong purpose.
  • 39 (CertificateUntrustedCA): The certificate authority is untrusted.
  • 40 (CertificateInvalidName): The certificate name is invalid.
  • 41 (CertificateChaining): The certificate chaining is incorrect.
  • 42 (SecuritySettings): The signature or publisher was not explicitly trusted, and admin policy disabled user trust.
  • 43 (PlatformNotSupported): The operation is not supported on this platform.

Troubleshooting

  1. Server Connection Issues:

    • Ensure the Signotaur server URL is reachable.
    • Verify the server certificate is trusted unless using --allow-untrusted.

  2. Certificate Not Found:

    • Double-check the thumbprint or subject name.
    • Verify the certificate exists in the server’s store.

  3. File Signing Errors:

    • Ensure the file path is correct.
    • Check permissions for accessing files and server resources.

Further Information

See Migrating from Signtool to SignotaurTool.