Skip to main content

Sign binary commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Prerequisites

  • Executables must be present in the path variable of the operating system for all tools used for signing.

  • PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.

  • Provide either keypair alias or certificate fingerprint for signing.

Configuration

The default tool used for signing will be based on the operating system. For example:

  • Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).

  • Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • The minimum SDK version supported for APK signer is 18.

Sign

Sign commands begin with:

smctl signature <keypair alias>

or

smctl sign <keypair alias >

Flags

The sign command supports these flags:

Table 1. Flags for managing signatures

Shortcut

Flag

Description

--all-metadata

Capture all signature metadata. Default is to capture all metadata.

--certificate string

Provide the path of the certificate to be used for signing. 

Format:

--certificate="<value>"

--checksum-after-signing

Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.

--checksum-before-signing

Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.

--config-file string

Provide the path to the PKCS11 config file. 

Format:

--config-file="<value>"

--deep

Sign all internal frameworks and plugins (This flag only applies to Apple codesign) (default true)

Note

This flag only applies to Apple codesign commands.

-d

--digalg string

Specify the digest algorithm to use for signing (default based on the tool used for signing).

Format:

--digalg="<value>"

--digest-algorithm

Capture the digest algorithm in the signature metadata. Leave blank to capture by default.

--digicert-ctk-app-path string

Provide the path to DigiCert SSM Signing Clients.app.

Note

This flag only applies to Apple codesign and productsign commands.

--digicert-ctk-cli-path string

Provide the path to DigiCert SSM Signing Clients.app's CLI.

Note

This flag only applies to Apple codesign and productsign commands.

--dryrun

Verify if the file can be signed without actually signing it (This flag only applies to Apple codesign)

--entitlements-file-path

Specify the entitlements file path.

Note

This flag only applies to Apple codesign commands.

--exit-non-zero-on-fail

Returns a non-zero status if any files fail to be signed during bulk signing.

--failfast

Stops bulk signing immediately upon encountering the first file that cannot be signed.

--file-location

Capture the file location in the signature metadata. Leave blank to capture by default.

--file-name

Capture the file name in the signature metadata. Leave blank to capture by default.

-f

--fingerprint string

Provide the fingerprint of the certificate to be used for signing. 

Format:

--fingerprint="<value>"

Note

For Apple codesign and productsign, after the key is added to the token.

--force

Replace existing signatures (default value 'true').

Note

This flag only applies to Apple codesign commands.

--identity string

Specify the apple developer or installer certificate that you will use to sign with. This information can be found using security export-smartcard.

Note

This flag only applies to Apple codesign commands, after the key is added to the token.

-i

--input string

Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. 

Format:

--input="<value>"

--keychain-path string

Provide the path to Keychain (This flag only applies to Apple productsign)

-k

--keypair-alias string

Keypair alias to be used for signing. 

Format:

--keypair-alias="<value>"

--output-file

Signed package file (should be different than input file)

Note

This flag is compulsory for Apple productsign.

--openssl-pkcs11-engine string

Provide the path to the OpenSSL PKCS11 engine.

Note

This flag only applies to osslsigncode.

--pkcs11-module string

Provide the absolute path to the DigiCert​​®​​ Software Trust Manager PKCS11 library.

--preserve-metadata

Preserve the metadata.

Note

This flag only applies to Apple codesign commands.

-s

--sigalg string

Signature algorithm to use (default based on the tool used for signing). 

Format:

--sigalg="<value>"

--signing-tool

Capture the signing tool in the signature metadata. Leave blank to capture by default.

--timestamp

Use this flag to enable or disable timestamping for your signature. The syntax is --timestamp=false to disable timestamping. By default, the timestamp is enabled (TRUE).

--timestamp-flag

Capture the timestamp in the signature metadata. Leave blank to capture by default.

-t

--tool string

Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension).

Format:

--tool="<value>"

--tsa-url

Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default.

-v

--verbose

Verbose logging for signing.

-h

--help

Help for signing.


Subcommands

The sign command supports these subcommands:

smctl signature <subcommand>

or

smctl sign <subcommand>

Table 2. Subcommands for managing signatures

Subcommand

Description

remove

Remove signature

verify

Verify signed binary.

sign-hash

Sign hashes.

verify-hash

Verify hashes.

in-toto

Sign and verify JSON SBOMs using in-toto functionality.