
Signing Manager Controller (SMCTL)

Signing Manager Controller (SMCTL) provides a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.

SMCTL has a built-in help function that provides instructions for every command and subcommand.

SMCTL provides secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.

Prerequisites

Commands

To view all SMCTL commands:

smctl --help

or

smctl -h

Subcommands

These subcommands specify the actions you can apply to commands when using SMCTL.

All SMCTL commands begin with:

smctl <subcommand>

Table 1. Subcommands in SMCTL

| Shortcut | Subcommand | Description |
| --- | --- | --- |
| cert | certificate | Manage certificates. |
| creds | credentials | Manage credentials for the OS credential store. |
| | gpg | Manage GPG keypairs and keyrings. |
| | healthcheck | View and confirm the validity of the credentials and tools configured. For Windows and Linux, run: smctl healthcheck; for macOS, run: ./smctl-mac-x64 healthcheck |
| | hsm | Manage HSMs mapped to your Software Trust Manager account. |
| kp | keypair | Manage keypairs. |
| | logs | Manage logs. |
| | manual | Generates up-to-date man pages of Signing Manager's command-line interface. By default, it creates the man page files in the man-pages directory under the current directory. |
| | notarization | Manage notarizations for Apple binaries. This command is only available on macOS. |
| rel | release | Manage releases. |
| sc | scan | Manage scans powered by ReversingLabs. |
| | sign | Sign, verify, or remove a signature from binaries, hashes, and SBOMs. |
| | user | Get user data. |
| | windows | Commands specific to Windows OS. |


Flags

Flags are used to modify the behavior of a subcommand by specifying parameters. Apply these flags to the subcommands above when using SMCTL.

Table 2. Flags for SMCTL

| Shortcut | Flag | Description |
| --- | --- | --- |
| -v | --version | This flag displays the version of SMCTL. |
| Not applicable | --dir string | This flag specifies the directory where the man pages will be written, with the default being man-pages/. Format: --dir="<value>" |
| -h | --help | This flag displays help information for SMCTL. |
| Not applicable | --description | This flag sets the description for the signed content, is only applicable when using Windows signtool, and maps to the /d flag in signtool. |
| Not applicable | --desc-url | This flag sets the URL for the description of the signed content, is only applicable when using Windows signtool, and maps to the /du flag in signtool. |


What signing tools can SMCTL integrate with?

SMCTL integrates with and enables secure hash-based signing with the following signing tools while maintaining key protection, permission-based access and reporting all signing activities:

Download SMCTL

  1. In the Software Trust menu, go to Resources > Client tool repository.

  2. Select the Client tools tab.

  3. Select your operating system.

  4. Click the download icon next to Signing Manager Controller (SMCTL).

Step 5: Verify that you are ready to sign

SMCTL will now show in the Installed section of DigiCert ONE Clients.

  1. Find SMCTL in DigiCert ONE Clients.

  2. Select Open.

  3. Run the command:

    smctl healthcheck

    Review the following sample output:

    --------- User credentials ------
    Status: Connected
    
    Username: john.doe
    Accounts: Win The Customer, LLC
    Authentication: 2FA
    Environment: Prod
    Credentials:
            Host: https://clientauth.one.digicert.com
            API key: 012345fe67a1234f56a7d8c911_055xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd6 (Pulled from OS credential store)
            Client certificate file path: C:\Users\John.Doe\.digicert-ucpc\certs\1ec2dcd3-c4d5-481a-67a1-b891cc0c1234\20260122133923-480f4000-f123-4567-bd89-1cde2d834567.p12
            Client certificate password: 1+cJxxxxxxmt (Pulled from OS credential store)
    Privileges:
            Can sign: Yes
            Can approve release window: Yes
            Can revoke certificate: Yes
    
    Permissions:
    Account Manager:
            VIEW_AM_USER
            VIEW_AM_ORGANIZATION
            MANAGE_AM_PERMISSION
            VIEW_AM_ROLE
            VIEW_AM_ACCOUNT
            VIEW_AM_AUDIT_LOG
    
    Keypairs:
            MANAGE_SM_KEYPAIR
            VIEW_SM_KEYPAIR
    
    Certificates:
            VIEW_SM_CERTIFICATE
            REVOKE_SM_CERTIFICATE
    
    Other permissions:
            MANAGE_SM_CC_API_KEY
    
    --------- Signing tools ---------
    Nuget:
            Mapped: No
    Jarsigner:
            Mapped: No
    Apksigner:
            Mapped: No
    Signtool 32 bit:
            Mapped: No
    Signtool:
            Mapped: Yes
            Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
    Mage:
            Mapped: No
    

    Tip

    If the check is successful, the output shows Status: Connected.
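
As an added example (not DigiCert's code), the shell functions below gate an automated signing job on the healthcheck output shown above and mask the API key and client certificate password values before the text reaches a build log. The function names and the sample values are constructed, and the script assumes the text layout of the sample output stays as shown.

```shell
#!/bin/sh
# Added example: gate a signing job on `smctl healthcheck` text output.
# Assumption: the "Label: value" layout of the sample output is stable.

# Mask credential values before the output is written to a build log.
redact_healthcheck() {
    sed -E 's/^([[:space:]]*(API key|Client certificate password):[[:space:]]*)[^[:space:]]+/\1[REDACTED]/'
}

# Print the value of the first "LABEL: value" line read from stdin.
healthcheck_field() {
    awk -v label="$1" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        index(line, label ":") == 1 {
            val = substr(line, length(label) + 2); sub(/^[ \t]+/, "", val)
            print val; exit
        }'
}

# Succeed only if the section named exactly TOOL reports "Mapped: Yes".
# Exact match matters: "Signtool 32 bit:" must not satisfy a check for "Signtool:".
tool_mapped() {
    awk -v tool="$1" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line == (tool ":") { in_tool = 1; next }
        in_tool && line ~ /^Mapped:/ { found = (line == "Mapped: Yes"); exit }
        in_tool && line ~ /:$/ { exit }   # next section began without a Mapped line
        END { exit (found ? 0 : 1) }'
}

# $1 = healthcheck text, $2 = signing tool name as printed in the output.
ready_to_sign() {
    [ "$(printf '%s\n' "$1" | healthcheck_field 'Status')" = "Connected" ] || return 1
    [ "$(printf '%s\n' "$1" | healthcheck_field 'Can sign')" = "Yes" ] || return 1
    printf '%s\n' "$1" | tool_mapped "$2"
}

# Constructed sample in the page's layout; the credential values are made up.
SAMPLE=$(cat <<'EOF'
Status: Connected
        API key: CONSTRUCTED-SECRET-KEY (Pulled from OS credential store)
        Client certificate password: CONSTRUCTED-SECRET-PW (Pulled from OS credential store)
        Can sign: Yes
Signtool 32 bit:
        Mapped: No
Signtool:
        Mapped: Yes
EOF
)
ready_to_sign "$SAMPLE" "Signtool" && echo "ready to sign with Signtool"
```

In a pipeline, capture the real output into a variable, pass it to ready_to_sign, and log only the result of redact_healthcheck.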