Sign binaries with SMCTL
DigiCert® Signing Manager Controller (SMCTL) is a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.
You can integrate third-party signing tools with SMCTL for simplified signing. For other SMCTL commands, refer to the SMCTL command manual.
Sugerencia
SMCTL does not support all characters in sign commands, review the following:
Supported characters:
@ % ^ ( ) - _ = [ ] { } ;Unsupported characters:
| ` $ > < # ! ' & +.
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Prerequisites
Download and integrate third-party signing tools
Refer to the article below to identify the third-party signing tools that you require based on your operating system and the types of files you need to sign:
Set PATH environment variables
Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
Sync certificates (Windows only)
Before attempting to sign with Signtool, Mage, and NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Nota
For more information refer to the Windows command manual.
Sign with SMCTL
When you do not specify a signing tool in the sign command, SMCTL selects the default signing tool based on your operating system and the type of file you are trying to sign. Alternatively, specify the signing tool you want SMCTL to sign with.
Nota
For more information refer to the sign command manual.
Sign with the default signing tool
To sign using the certificate fingerprint, use: (recommended)
smctl sign --fingerprint <certificate fingerprint> --input <path to unsigned file or folder>
To sign using the keypair alias, use:
smctl sign --keypair-alias <keypair alias> --certificate <Path to code signing certificate> --input <path to unsigned file or folder>
Nota
Specifying the --certificate parameter in the sign command is optional if you are using SMCTL version 1.20 or higher.
Sign and specific signing tool
To sign using a specific third-party tool:
smctl sign --keypair-alias <keypair alias> --certificate <path to code signing certificate> --input <path to unsigned file or folder> --tool <tool>
Command sample:
smctl sign --keypair-alias=dynamic-kp1 --certificate C:\Users\John.Doe\Desktop\smctl\certificate.pem --input C:\Users\John.Doe\Desktop\folder_or_files_to_sign --tool jsign
To sign using jarsigner, osslsigncode, apksigner, or jsign, include the PKCS11 library flag:
smctl sign --keypair-alias <keypair alias> --certificate <path to code signing certificate> --config-file <path to PKCS11 config file> --input <path to unsigned file or folder> --tool <tool>
Command sample:
smctl sign --keypair-alias=dynamic-kp1 --certificate C:\Users\John.Doe\Desktop\smctl\certificate.pem --config-file C:\Users\John.Doe\Desktop\smctl\pkcs11properties.cfg --input C:\Users\John.Doe\Desktop\folder_or_files_to_sign --tool jsign
Sugerencia
Multiple signatures may occur for different Android versions when you sign with Apksigner. To avoid multiple signatures, sign directly with Apksigner.
Verify signature with SMCTL
To find all files in the specified path and verify signatures, use:
smctl sign verify --input <path to signed file or folder>
Nota
For more information refer to the verify signature command manual.
Remove signature with SMCTL
To find all files in the specified path and remove signatures based on the file, use:
smctl sign remove --input <path to signed file or folder>
Nota
For more information refer to the remove signature command manual.