Sign hashes with SMCTL
DigiCert® Signing Manager Controller (SMCTL) is a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.
Hash signing ensures data integrity by generating unique cryptographic signatures for files, offering an extra layer of security against tampering and unauthorized modifications throughout the software distribution process.
You can integrate third-party signing tools with SMCTL for simplified signing. For other SMCTL commands, refer to the SMCTL command manual.
Tip
SMCTL does not support all characters in sign commands. Review the following:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
| ` $ > < # ! ' & + ^
Note: Jarsigner supports the ^ character in sign commands.
To avoid errors, remove unsupported characters from file paths before attempting to sign, or sign directly via the third-party tool.
Prerequisites
SMCTL version 1.44.0 or higher
DigiCert ONE client authentication certificate
Keypair and default certificate
Hash to be signed
Download and integrate third-party signing tools
Refer to the article below to identify the third-party signing tools that you require based on your operating system and the types of files you need to sign:
Set PATH environment variables
Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
Sign hash with SMCTL
Command:
smctl sign sign-hash --file <file path> --hash-algorithm <hash algorithm> --signature-algorithm <algorithm> <keypair ID> --signature-file <signature file path> --binary
Command sample:
smctl sign sign-hash --file UNSIGNED_JAR.jar --hash-algorithm SHA-512 --signature-algorithm MLDSA44 c16f3975-101b-4837-8de5-42160e791220 --signature-file mldsasign44.txt --binary
Note
For more information, refer to the sign-hash command manual.
Verify signed hash with SMCTL
Command:
smctl sign verify-hash --file <file path> --hash-algorithm <hash algorithm> --signature-algorithm <signature algorithm> --signature-file <path to signature file> <keypair ID>
Command sample:
smctl sign verify-hash --file UNSIGNED_JAR.jar --hash-algorithm SHA-512 --signature-algorithm MLDSA44 --signature-file mldsasign44.txt c16f3975-101b-4837-8de5-42160e791220
Note
For more information, refer to the verify-hash command manual.
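The following shell wrapper is an added example, not DigiCert's own code: it rejects paths containing the characters the Tip lists as unsupported, then runs the sign-hash and verify-hash commands shown above so a signature is never stored unverified. The function names smctl_path_ok and sign_and_verify_hash are hypothetical. It assumes that the character restriction also applies to the signature file path and that smctl exits non-zero on failure.

```shell
#!/bin/sh
# Added example (not from the SMCTL documentation).

# Return 0 if the path contains none of the characters listed as
# unsupported in sign commands: | ` $ > < # ! ' & + ^
# Return 1 otherwise.
smctl_path_ok() {
    case "$1" in
        *'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'#'*|*'!'*|*"'"*|*'&'*|*'+'*|*'^'*) return 1 ;;
    esac
    return 0
}

# Sign a hash, then verify it immediately with the same parameters.
# Arguments: file, hash algorithm, signature algorithm, keypair ID,
#            signature file path.
# Returns 2 if a path is rejected before smctl is called, 1 if signing
# fails, otherwise the exit status of verify-hash (assumption: smctl
# reports failure through a non-zero exit status).
sign_and_verify_hash() {
    file=$1 hash_alg=$2 sig_alg=$3 keypair=$4 sig_file=$5

    # Assumption: the restriction covers the signature file path too.
    for p in "$file" "$sig_file"; do
        if ! smctl_path_ok "$p"; then
            echo "refusing to sign, unsupported character in path: $p" >&2
            return 2
        fi
    done

    smctl sign sign-hash --file "$file" --hash-algorithm "$hash_alg" \
        --signature-algorithm "$sig_alg" "$keypair" \
        --signature-file "$sig_file" --binary || return 1

    smctl sign verify-hash --file "$file" --hash-algorithm "$hash_alg" \
        --signature-algorithm "$sig_alg" --signature-file "$sig_file" "$keypair"
}

# Usage, with the values from the command samples on this page:
# sign_and_verify_hash UNSIGNED_JAR.jar SHA-512 MLDSA44 \
#     c16f3975-101b-4837-8de5-42160e791220 mldsasign44.txt
```

In a build pipeline, treat any non-zero return from sign_and_verify_hash as a failed release step rather than renaming the file automatically, so the path that was signed is always the path that ships.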