Sign commands
This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.
Prerequisites
The executables of all tools used for signing must be on the operating system's PATH.
A PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.
Provide either a keypair alias or a certificate fingerprint for signing.
Configuration
The default tool used for signing will be based on the operating system. For example:
Signtool will be used on Windows.
Jsign will be used on Linux for Authenticode signing.
The signature algorithm can be configured with the <--sigalg string> flag (applied according to the options the signing tool supports).
The digest algorithm can be configured with the <--digalg string> flag (applied according to the options the signing tool supports).
When only a specific kind of file needs to be signed, use the <--tool string> flag (for example, --tool apksigner will only sign *.apk files).
The minimum SDK version supported for APK signer is 18.
Help commands
To list all the available actions to manage signatures, run one of the following commands:
smctl signature --help
or
smctl signature -h
or
smctl sign --help
or
smctl sign -h
Sign
Sign commands begin with:
smctl signature <keypair alias>
or
smctl sign <keypair alias>
Flags
The sign command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --all-metadata | Capture all signature metadata. Default is to capture all metadata. |
 | --certificate string | Provide the path of the certificate to be used for signing. Format: --certificate="<value>" |
 | --checksum-after-signing | Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default. |
 | --checksum-before-signing | Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default. |
 | --config-file string | Provide the path to the PKCS11 config file. Format: --config-file="<value>" |
 | --digicert-ctk-app-path string | Provide the path to DigiCert SSM Signing Clients.app. Note: This flag only applies to Apple codesign and productsign commands. |
 | --digicert-ctk-cli-path string | Provide the path to the CLI of DigiCert SSM Signing Clients.app. Note: This flag only applies to Apple codesign and productsign commands. |
-d | --digalg string | Specify the digest algorithm to use for signing (default depends on the tool used for signing). Format: --digalg="<value>" |
 | --digest-algorithm | Capture the digest algorithm in the signature metadata. Leave blank to capture by default. |
 | --entitlements-file-path | Specify the entitlements file path. Note: This flag only applies to Apple codesign commands. |
 | --file-location | Capture the file location in the signature metadata. Leave blank to capture by default. |
 | --file-name | Capture the file name in the signature metadata. Leave blank to capture by default. |
-f | --fingerprint string | Provide the fingerprint of the certificate to be used for signing. Format: --fingerprint="<value>" Note: For Apple codesign and productsign, use this flag after the key is added to the token. |
 | --force | Replace existing signatures (default value 'true'). Note: This flag only applies to Apple codesign commands. |
 | --deep | Sign all internal frameworks and plugins (default value 'true'). Note: This flag only applies to Apple codesign commands. |
 | --dryrun | Check whether the file can be signed without actually signing it (default value 'false'). Note: This flag only applies to Apple codesign commands. |
 | --identity string | Specify the Apple developer or installer certificate to sign with. This information can be found using security export-smartcard. Note: This flag only applies to Apple codesign commands, after the key is added to the token. |
-i | --input string | Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. Format: --input="<value>" |
-k | --keypair-alias string | Keypair alias to be used for signing. Format: --keypair-alias="<value>" |
 | --output-file | Signed package file (must be different from the input file). Note: This flag is compulsory for Apple productsign. |
 | --openssl-pkcs11-engine string | Provide the path to the OpenSSL PKCS11 engine. Note: This flag only applies to osslsigncode. |
 | --pkcs11-module string | Provide the absolute path to the DigiCert® Software Trust Manager PKCS11 library. |
 | --preserve-metadata | Preserve the metadata. Note: This flag only applies to Apple codesign commands. |
-s | --sigalg string | Signature algorithm to use (default depends on the tool used for signing). Format: --sigalg="<value>" |
 | --signing-tool | Capture the signing tool in the signature metadata. Leave blank to capture by default. |
 | --timestamp | Enable or disable timestamping. Default is enabled. |
 | --timestamp-flag | Capture the timestamp in the signature metadata. Leave blank to capture by default. |
-t | --tool string | Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension). Format: --tool="<value>" |
 | --tsa-url | Capture the timestamp authority (TSA) URL in the signature metadata. Leave blank to capture by default. |
-v | --verbose | Verbose logging for signing. |
-h | --help | Help for signing. |
Examples
Description: Sign the files or folders specified with the provided keypair and certificate.
Command:
smctl sign --keypair-alias=<keypair alias> --config-file <path to config file> --input <path to file or folder to be signed>
Command sample:
smctl sign --keypair-alias=keypair-dynamic-kp1 --config-file C:\Users\Name\Desktop\smctl\pkcs11properties.cfg --input C:\Users\Name\Desktop\folder_or_files_to_sign
Description: Sign the specified files or folders with the keypair that is referred to by its alias. This command will only work in Windows.
Command:
smctl sign --keypair-alias=<keypair alias> --input <path to file or folder to be signed>
Command sample:
smctl sign --keypair-alias=keypair-dynamic-kp1 -i C:\Users\Name\Desktop\folder_or_files_to_sign
Note
It is no longer necessary to add the <--certificate string> flag to the command, because the certificate is downloaded automatically when you specify the keypair alias.
Apple examples
Description: Codesign a .app file using the keypair alias of the Apple certificate.
Command:
smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate> --input <path_of_app or dmg_file_to_be_signed>
Command sample:
smctl-mac-x64 sign -k apple_codesign --verbose=true --input /Users/Name/Downloads/Example.app
Description: Check whether the file can be signed with codesign (dry run, nothing is signed).
Command:
smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate keypair> --dryrun=true --input <path_of_app/dmg_file_to_be_signed>
Command sample:
smctl-mac-x64 sign -k apple_codesign --verbose=true --dryrun=true --input /Users/Name/Downloads/Example.app
Description: Verify if .app file was signed.
Command:
smctl-mac-x64 sign verify --input <path_of_signed_app/dmg_file>
Command sample:
smctl-mac-x64 sign verify --input /Users/Name/Downloads/Example.app
Description: Sign .pkg file using productsign.
Command:
smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate> --verbose --input <path_of_pkg_file_to_be_signed>
Command sample:
smctl-mac-x64 sign -k apple_installer_productsign --verbose=true --input /Users/Name/Downloads/test.pkg
Description: Verify if .pkg file was signed.
Command:
smctl-mac-x64 sign verify --verbose --input <path_of_signed_pkg_file>
Command sample:
smctl-mac-x64 sign verify --verbose=true --input /Users/Name/Downloads/test.pkg
Subcommands
The sign command supports these subcommands:
smctl signature <subcommand>
or
smctl sign <subcommand>
Subcommand | Description |
---|---|
remove | Remove signature. |
verify | Verify signed binary. |
sign-hash | Sign hashes. |
verify-hash | Verify hashes. |
in-toto | Sign and verify JSON SBOMs using in-toto functionality. |
Remove signature
Remove signature command begins with:
smctl sign remove
Flags
Remove signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
-i | --input string | Specify a file or folder. If you specify a folder, all files inside the folder will have their signature removed (only signtool is supported). Format: --input="<value>" |
-h | --help | Help for remove. |
Example
Description: Remove digital signatures for specified file or files within specified folders.
Command:
smctl sign remove --input <path to file or folder whose signatures are to be removed>
Command sample:
smctl sign remove -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_signed
Verify signed binary
Verify signature commands begin with:
smctl signature verify
or
smctl sign verify
Flags
Verify signature commands support these flags:
Shortcut | Flag | Description |
---|---|---|
-f | --fingerprint string | Fingerprint of the certificate to be used for verification. This is applied according to the options available for the tool used. Format: --fingerprint="<value>" |
-i | --input string | Specify a file or folder. If you specify a folder, all files inside the folder will be verified. Format: --input="<value>" |
-t | --tool | Specify the signing tool to use. Omit this parameter to let SMCTL select an appropriate signing tool based on the file extension. |
-q | --quiet | Limit the output of the command to a single confirmation of success or failure. |
-v | --verbose | Enable detailed output of the command, with comprehensive information about the signing process, including success and failure details. |
-h | --help | Help for verify. |
Example
Description: Verify that the file or files at the specified path carry a signature from the certificate identified by the given fingerprint.
Command:
smctl sign verify --fingerprint <certificate fingerprint> --input <path to file or folder to be verified>
Command sample:
smctl sign verify --fingerprint da39a3ee5e6b4b0d3255bfef95601890afd80709 -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_verified
Sign-hash commands
This section covers commands that you use in SMCTL to sign a hash.
Sign-hash
Sign-hash commands begin with:
smctl sign sign-hash <keypair ID>
Flags
The sign-hash command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --binary | Write the signature in binary (default is Base64). |
 | --file string | File path. |
 | --hash string | Base64 hash. |
 | --hash-algorithm string | Hash algorithm (default "SHA-256"). |
 | --signature-algorithm string | Signature algorithm (default "SHA256withRSA"). |
 | --signature-file string | Signature file path. |
-h | --help | Help for sign-hash commands. |
Command example
Description: Sign hash.
Command:
smctl sign sign-hash --file <file path> --hash-algorithm <hash algorithm> --signature-algorithm <algorithm> <keypair ID> --signature-file <signature file path> --binary
Command sample:
smctl sign sign-hash --file UNSIGNED_JAR.jar --hash-algorithm SHA-512 --signature-algorithm MLDSA44 c16f3975-101b-4837-8de5-42160e791220 --signature-file mldsasign44.txt --binary
Verify-hash commands
This section covers commands that you use in SMCTL to verify a hash.
Verify-hash
Verify-hash commands begin with:
smctl sign verify-hash <keypair ID>
Flags
The verify-hash command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --file string | File path. |
 | --hash string | Base64 hash. |
 | --hash-algorithm string | Hash algorithm (default "SHA-256"). |
 | --signature string | Base64 signature. |
 | --signature-algorithm string | Signature algorithm (default "SHA256withRSA"). |
 | --signature-file string | Signature file path. |
-h | --help | Help for verify-hash commands. |
Command example
Description: Verify hash.
Command:
smctl sign verify-hash --file <file path> --hash-algorithm <hash algorithm> --signature-algorithm <signature algorithm> --signature-file <path to signature file> <keypair ID>
Command sample:
smctl sign verify-hash --file UNSIGNED_JAR.jar --hash-algorithm SHA-512 --signature-algorithm MLDSA44 --signature-file mldsasign44.txt c16f3975-101b-4837-8de5-42160e791220
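The sign-hash and verify-hash commands above both accept the digest either as a file (--file) or precomputed (--hash, documented as a Base64 hash). The following helper, added here as an example and not part of SMCTL itself, computes that value for the hash algorithms the page names, builds the verify-hash command line from the documented flags, and fails closed on any non-zero exit status. It assumes --hash is the Base64 encoding of the raw digest bytes (the page does not state this) and that the smctl executable is on PATH, as the Prerequisites require.

```python
import base64
import hashlib
import subprocess
from typing import Callable, List, Optional

# smctl's --hash-algorithm names (page default "SHA-256") mapped to hashlib names.
HASH_ALGOS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def base64_digest_bytes(data: bytes, hash_algorithm: str = "SHA-256") -> str:
    """Digest `data` and return it as Base64, the form assumed for --hash.
    Assumption: Base64 of the raw digest bytes, not of the hex string."""
    if hash_algorithm not in HASH_ALGOS:
        raise ValueError(f"unsupported --hash-algorithm: {hash_algorithm}")
    digest = hashlib.new(HASH_ALGOS[hash_algorithm], data).digest()
    return base64.b64encode(digest).decode("ascii")


def base64_digest_file(path: str, hash_algorithm: str = "SHA-256") -> str:
    """Stream a file through the digest so large artifacts are not read whole."""
    if hash_algorithm not in HASH_ALGOS:
        raise ValueError(f"unsupported --hash-algorithm: {hash_algorithm}")
    h = hashlib.new(HASH_ALGOS[hash_algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


def verify_hash_argv(hash_b64: str, keypair_id: str, signature_file: str,
                     hash_algorithm: str = "SHA-256",
                     signature_algorithm: str = "SHA256withRSA",
                     smctl: str = "smctl") -> List[str]:
    """Build `smctl sign verify-hash ...` from the flags documented on this page."""
    return [smctl, "sign", "verify-hash",
            "--hash", hash_b64,
            "--hash-algorithm", hash_algorithm,
            "--signature-algorithm", signature_algorithm,
            "--signature-file", signature_file,
            keypair_id]


def verify_hash(path: str, keypair_id: str, signature_file: str,
                hash_algorithm: str = "SHA-256",
                signature_algorithm: str = "SHA256withRSA",
                run: Optional[Callable] = None) -> bool:
    """Verify a detached signature over `path`; True only on exit status 0.
    `run` defaults to subprocess.run (injectable for testing). A missing
    artifact, a missing smctl binary or a failed check all return False."""
    run = run or (lambda argv: subprocess.run(argv, capture_output=True, text=True))
    try:
        hash_b64 = base64_digest_file(path, hash_algorithm)
        argv = verify_hash_argv(hash_b64, keypair_id, signature_file,
                                hash_algorithm, signature_algorithm)
        return run(argv).returncode == 0
    except OSError:  # artifact unreadable or smctl not on PATH
        return False
```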
Sign in-toto commands
This section covers commands that you use in SMCTL to sign and verify JSON SBOMs (CycloneDX and SPDX) using in-toto functionality. Use flags to specify command parameters.
Note
SHA3 digest signing and verification is not currently supported for RSA keys.
Sign
Sign commands begin with:
smctl sign in-toto <subcommand>
Subcommands
The sign command supports these subcommands:
Sign CycloneDX JSON SBOMs
Sign CycloneDX JSON SBOMs commands begin with:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Flags
The CycloneDX signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --artifact-digest string | SHA256 digest of the artifact for which this SBOM was generated. |
 | --hash-algorithm string | Hash algorithm for the signature (default "SHA256"). Note: SHA3 digest signing is not currently supported for RSA keys. |
 | --signed-file string | File name of the signed SBOM (default "signed_" + input file name). |
-h | --help | Help for signing CycloneDX JSON SBOMs. |
Example
Description: Sign CycloneDX JSON SBOM.
Command:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto cyclonedx C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f
Sign SPDX JSON SBOMs
Sign SPDX JSON SBOMs commands begin with:
smctl sign in-toto spdx <sbom file path> <keypair ID or alias>
Flags
The SPDX signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
 | --artifact-digest string | SHA256 digest of the artifact for which this SBOM was generated. |
 | --hash-algorithm string | Hash algorithm for the signature (default "SHA256"). Note: SHA3 digest signing is not currently supported for RSA keys. |
 | --signed-file string | File name of the signed SBOM (default "signed_" + input file name). |
-h | --help | Help for signing SPDX JSON SBOMs. |
Example
Description: Sign SPDX JSON SBOM.
Command:
smctl sign in-toto spdx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107
Verify JSON SBOMs command
Note
SHA3 digest verification is not currently supported for RSA keys.
Verify JSON SBOMs commands begin with:
smctl sign in-toto verify
Subcommands
The verify JSON SBOM signature command supports these subcommands:
Subcommand | Description |
---|---|
keypair-id | Verify a signed JSON SBOM using the hash algorithm and keypair ID. |
public-key | Verify a signed JSON SBOM using the hash algorithm and a public key present in a PEM or DER file. |
-h, --help | Help for verifying JSON SBOMs. |
Example
Description: Verify a signed JSON SBOM using the hash algorithm and keypair ID.
Command:
smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f
Example
Description: Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file.
Command:
smctl sign in-toto verify public-key <signed file> <hash algorithm> <path to public key PEM or DER file>
Command sample:
smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem