Signing Manager Controller (SMCTL)

Signing Manager Controller (SMCTL) provides a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.

SMCTL comes with a built-in help function and provides instructions on all commands and subcommands to assist users in the CTL tool. See SMCTL command manual.

SMCTL provides secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.

Prerequisites

Commands

To view all SMCTL commands:

smctl --help

smctl -h

Subcommands

These subcommands specify the actions you can apply to commands when using SMCTL.

All SMCTL commands begin with:

smctl <subcommand>

tabla 1. Subcommands in SMCTL

Shortcut	Subcommand	Description
cert	certificate	Manage certificates.
creds	credentials	Manage credentials for the OS credential store.
	gpg	Manage GPG keypairs and keyrings.
	healthcheck	View and confirm the validity of the credentials and tools configured.
	hsm	Manage HSMs mapped to your Software Trust Manager account.
kp	keypair	Manage keypairs.
	logs	Manage logs.
	manual	Generates up-to-date man pages of Signing Manager’s command-line interface. By default, it creates the man page files in the man-pages directory under the current directory.
	notarization	Manage notarizations for Apple binaries. This command is only available on macOS.
rel	release	Manage releases.
sc	scan	Manage scans powered by ReversingLabs.
	sign	Sign, verify, or remove a signature from binaries, hashes, and SBOMs.
	user	Get user data.
	windows	Commands specific to Windows OS.

Flags

Flags are used to modify the behavior of a subcommand by specifying parameters. Apply these flags to the subcommands above when using SMCTL.

tabla 2. Flags for SMCTL

Shortcut	Flag	Description
-v	--version	Version of SMCTL.
	--dir string	Specify the directory to write the man pages. Default is man-pages/. Format: --dir="<value>"
-h	--help	Help for SMCTL.

What signing tools can SMCTL integrate with?

SMCTL integrates with and enables secure hash-based signing with the following signing tools while maintaining key protection, permission-based access and reporting all signing activities:

ejemplo 1. Windows

You can sign the following file types using these tools on Windows:

tabla 3. File types supported for signing on Windows

Signing tool	File type
Apksigner	.aab
Apksigner	.apk
Jarsigner	.ear
	.jar
	.sar
	.war
Mage	.application
	.manifest
	.vsto
Nuget	.nupkg
Signtool (64-bit)	.appx
	.appxbundle
	.arx
	.cab
	.cat
	.cbx
	.cpl
	.crx (only MS-DOS EXE package format)
	.dbx
	.deploy
	.dll
	.drx
	.efi
	.exe
	.js
	.msi
	.msix
	.msixbundle
	.msm
	.msp
	.ocx
	.psi
	.psm1
	.stl
	.sys
	.vbs
	.vsix
	.vxd
	.wsf
	.xap
	.xsn
Signtool (32-bit)	.doc
	.docm
	.dot
	.dotm
	.mpp
	.mpt
	.pot
	.potm
	.ppa
	.ppam
	.pps
	.ppsm
	.ppt
	.pptm
	.pub
	.vdw*
	.vdx*
	.vsd*
	.vsdm
	.vss*
	.vssm
	.vst*
	.vstm
	.vsx*
	.vtx*
	.wiz*
	.xla
	.xlam
	.xls
	.xlsb
	.xlsm
	.xlt
	.xltm

ejemplo 2. Linux

You can sign the following file types using these tools on Linux:

tabla 4. File types supported for signing on Linux

Signing tool	File type
Apksigner	.aab
Apksigner	.apk
Jarsigner	.ear
	.jar
	.sar
	.war
Jsign (default)	.appx
	.appxbundle
	.arx
	.cab
	.cat
	.cbx
	.cpl
	.crx
	.dbx
	.deploy
	.dll
	.drx
	.efi
	.exe
	.js
	.msi
	.msix
	.msixbundle
	.msm
	.msp
	.ocx
	.ps1
	.psm1
	.stl
	.sys
	.vbs
	.vxd
	.wsf
	.xap
	.xlsm
	.xsn
osslsigncode	.exe
	.dll
	.sys
	.msi
	.msp
	.msm
	.ocx
	.cpl
	.arx
	.cbx
	.dbx
	.crx
	.drx
	.deploy

ejemplo 3. Mac

You can sign the following file types using these tools on Mac:

tabla 5. File types supported for signing on Mac

Signing tool	File type
Apksigner	.aab
Apksigner	.apk
Jarsigner	.ear
	.jar
	.sar
	.war
Jsign (default)	.appx
	.appxbundle
	.arx
	.cab
	.cat
	.cbx
	.cpl
	.deploy
	.dll
	.drx
	.efi
	.exe
	.js
	.msi
	.msix
	.msixbundle
	.msm
	.msp
	.ocx
	.ps1
	.psm1
	.stl
	.sys
	.vbs
	.vxd
	.wsf
	.xap
	.xlsm
	.xsn
Codesign Provided as part of the macOS	.app
Codesign Provided as part of the macOS	.dmg
Productsign Provided as part of the macOS	.pkg

Download SMCTL

Sign in to DigiCert ONE.
Navigate to DigiCert® Software Trust Manager > Resources > Client tool repository.
Select your operating system.
Click the download icon next to Signing Manager Controller (SMCTL).

Set up environment variables

Follow the instructions in one of the following articles based on the operating system you will use to sign:

Verify connection

To verify that your client can properly authenticate to the DigiCert® Software Trust Manager service:

Open smctl.exe.
Run:
```
smctl healthcheck
```

Obtain latest versions of SMCTL and other client tools

Review the following table to understand how to obtain the latest version of SMCTL and other client tools:

tabla 6.

SMCTL or client tools	Sample command
SMCTL (with auth)	`curl -X GET -o C:\test\STM_DL/smtools-windows-x64.msi https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%"`
SMCTL (without auth)	`curl -X GET -o C:\test\STM_DL\smtools-windows-x64.msi https://one.digicert.com/signingmanager/api-ui/v1/releases/noauth/smtools-windows-x64.msi/download`
JCE	`curl -X GET -o C:\test\STM_DL\client-tools/digicert-jce-1.0.zip https://one.digicert.com/signingmanager/api-ui/v1/releases/noauth/digicert-jce-1.0.zip/download`

En esta sección: