Sign binary commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Prerequisites

  • The executables of all tools used for signing must be on the operating system's PATH.

  • A PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.

  • Provide either a keypair alias or a certificate fingerprint for signing.

Configuration

The default tool used for signing depends on the operating system. For example:

  • Signtool is used on Windows.

  • Jsign is used on Linux for Authenticode signing.

Other settings:

  • The signature algorithm can be configured with the <--sigalg string> flag (applied based on the options supported by the tool used for signing).

  • The digest algorithm can be configured with the <--digalg string> flag (applied based on the options supported by the tool used for signing).

  • When only a specific kind of file needs to be signed, use the <--tool string> flag (for example, --tool apksigner signs only *.apk files).

  • The minimum SDK version supported for apksigner is 18.

Help commands

To list all the available actions for managing signatures, run one of the following commands:

smctl signature --help

or

smctl signature -h

or

smctl sign --help

or

smctl sign -h

Sign

Sign commands begin with:

smctl signature <keypair alias>

or

smctl sign <keypair alias>

Flags

The sign command supports these flags:

Table 1. Flags for managing signatures (shortcut, flag, description)

  --all-metadata
      Capture all signature metadata. Default is to capture all metadata.

  --certificate string
      Provide the path of the certificate to be used for signing.
      Format: --certificate="<value>"

  --checksum-after-signing
      Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.

  --checksum-before-signing
      Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.

  --config-file string
      Provide the path to the PKCS11 config file.
      Format: --config-file="<value>"

  --deep
      Sign all internal frameworks and plugins (default true).
      Note: This flag only applies to Apple codesign commands.

  -d, --digalg string
      Specify the digest algorithm to use for signing (default based on the tool used for signing).
      Format: --digalg="<value>"

  --digest-algorithm
      Capture the digest algorithm in the signature metadata. Leave blank to capture by default.

  --digicert-ctk-app-path string
      Provide the path to DigiCert SSM Signing Clients.app.
      Note: This flag only applies to Apple codesign and productsign commands.

  --digicert-ctk-cli-path string
      Provide the path to the CLI of DigiCert SSM Signing Clients.app.
      Note: This flag only applies to Apple codesign and productsign commands.

  --dryrun
      Verify whether the file can be signed without actually signing it.
      Note: This flag only applies to Apple codesign commands.

  --entitlements-file-path
      Specify the entitlements file path.
      Note: This flag only applies to Apple codesign commands.

  --exit-non-zero-on-fail
      Return a non-zero status if any file fails to be signed during bulk signing.

  --failfast
      Stop bulk signing immediately upon encountering the first file that cannot be signed.

  --file-location
      Capture the file location in the signature metadata. Leave blank to capture by default.

  --file-name
      Capture the file name in the signature metadata. Leave blank to capture by default.

  -f, --fingerprint string
      Provide the fingerprint of the certificate to be used for signing.
      Format: --fingerprint="<value>"
      Note: For Apple codesign and productsign, this flag applies after the key is added to the token.

  --force
      Replace existing signatures (default true).
      Note: This flag only applies to Apple codesign commands.

  --identity string
      Specify the Apple developer or installer certificate to sign with. This information can be found using security export-smartcard.
      Note: This flag only applies to Apple codesign commands, after the key is added to the token.

  -i, --input string
      Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed.
      Format: --input="<value>"

  --keychain-path string
      Provide the path to the Keychain.
      Note: This flag only applies to Apple productsign.

  -k, --keypair-alias string
      Keypair alias to be used for signing.
      Format: --keypair-alias="<value>"

  --output-file
      Signed package file (must be different from the input file).
      Note: This flag is compulsory for Apple productsign.

  --openssl-pkcs11-engine string
      Provide the path to the OpenSSL PKCS11 engine.
      Note: This flag only applies to osslsigncode.

  --pkcs11-module string
      Provide the absolute path to the DigiCert® Software Trust Manager PKCS11 library.

  --preserve-metadata
      Preserve the metadata.
      Note: This flag only applies to Apple codesign commands.

  -s, --sigalg string
      Signature algorithm to use (default based on the tool used for signing).
      Format: --sigalg="<value>"

  --signing-tool
      Capture the signing tool in the signature metadata. Leave blank to capture by default.

  --timestamp
      Enable or disable timestamping (default true).

  --timestamp-flag
      Capture the timestamp in the signature metadata. Leave blank to capture by default.

  -t, --tool string
      Specify the tool to use for signing (leave blank to sign with the default signing tool based on the file extension).
      Format: --tool="<value>"

  --tsa-url
      Capture the timestamp authority (TSA) URL in the signature metadata. Leave blank to capture by default.

  -v, --verbose
      Verbose logging for signing.

  -h, --help
      Help for signing.

Examples

Description: Sign the files or folders specified with the provided keypair and certificate.

Command:

smctl sign --keypair-alias=<keypair alias> --config-file <path to config file> --input <path to file or folder to be signed>

Command sample:

smctl sign --keypair-alias=keypair-dynamic-kp1 --config-file C:\Users\Name\Desktop\smctl\pkcs11properties.cfg --input C:\Users\Name\Desktop\folder_or_files_to_sign

Description: Sign the specified files or folders with the keypair referred to by its alias. This command only works on Windows.

Command:

smctl sign --keypair-alias=<keypair alias> --input <path to file or folder to be signed>

Command sample:

smctl sign --keypair-alias=keypair-dynamic-kp1 -i C:\Users\Name\Desktop\folder_or_files_to_sign

Nota

It is no longer necessary to add the <--certificate string> flag to the command because the certificate is automatically downloaded when you specify the keypair alias.
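The following wrapper is an added example, not part of the SMCTL documentation or DigiCert's code. It applies the prerequisites above (tool on PATH, PKCS11 config for jarsigner/apksigner/jsign) before a bulk-signing run, signs with a keypair alias using --exit-non-zero-on-fail and --failfast so partial runs fail loudly, and then verifies the result against the certificate fingerprint. The SMCTL variable holding the binary name is an assumption.

```shell
#!/bin/sh
# Added example (not from the SMCTL documentation): preflight, bulk-sign, verify.
# SMCTL names the smctl binary; override it to use e.g. smctl-mac-x64 (assumption).
SMCTL="${SMCTL:-smctl}"

# jarsigner, apksigner and jSign need a PKCS11 config file (see Prerequisites).
needs_pkcs11_config() {
  case "$1" in jarsigner|apksigner|jsign) return 0 ;; *) return 1 ;; esac
}

# Fail before any file is touched if a prerequisite is missing.
# $1 = signing tool, $2 = PKCS11 config file (may be empty), $3 = input path
preflight() {
  if [ ! -e "$3" ]; then
    echo "preflight: input not found: $3" >&2; return 1
  fi
  # smctl drives the tool as an external executable, so it must be on PATH.
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "preflight: $1 is not on PATH" >&2; return 1
  fi
  if needs_pkcs11_config "$1" && [ ! -f "$2" ]; then
    echo "preflight: $1 requires --config-file with a PKCS11 config" >&2; return 1
  fi
}

# Sign all files under $3 with keypair alias $1 using tool $2, then verify
# them with certificate fingerprint $4. $5 is the optional PKCS11 config file.
# --exit-non-zero-on-fail and --failfast turn a partial bulk run into an error.
sign_and_verify() {
  kp="$1"; tool="$2"; input="$3"; fp="$4"; cfg="${5:-}"
  preflight "$tool" "$cfg" "$input" || return 1
  set -- --keypair-alias="$kp" --tool="$tool" --input="$input" \
         --exit-non-zero-on-fail --failfast
  if [ -n "$cfg" ]; then set -- "$@" --config-file="$cfg"; fi
  "$SMCTL" sign "$@" || { echo "signing failed for $input" >&2; return 1; }
  # Verify by certificate fingerprint, independently of the alias used to sign.
  "$SMCTL" sign verify --fingerprint="$fp" --input="$input" --quiet
}
```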

Apple examples

Description: Codesign a .app file using the keypair alias of the Apple certificate.

Command:

smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate> --input <path_of_app or dmg_file_to_be_signed>

Command sample:

smctl-mac-x64 sign -k apple_codesign --verbose=true --input /Users/Name/Downloads/Example.app

Description: Verify if the file can be signed using codesign.

Command:

smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate keypair> --dryrun=true --input <path_of_app/dmg_file_to_be_signed>

Command sample:

smctl-mac-x64 sign -k apple_codesign --verbose=true --dryrun=true --input /Users/Name/Downloads/Example.app

Description: Verify if .app file was signed.

Command:

smctl-mac-x64 sign verify --input <path_of_signed_app/dmg_file>

Command sample:

smctl-mac-x64 sign verify --input /Users/Name/Downloads/Example.app

Description: Sign .pkg file using productsign.

Command:

smctl-mac-x64 sign --keypair-alias <keypair_alias of apple certificate> --verbose --input <path_of_pkg_file_to_be_signed>

Command sample:

smctl-mac-x64 sign -k apple_installer_productsign --verbose=true --input /Users/Name/Downloads/test.pkg 

Description: Verify if .pkg file was signed.

Command:

smctl-mac-x64 sign verify --verbose --input <path_of_signed_pkg_file>

Command sample:

smctl-mac-x64 sign verify --verbose=true --input /Users/Name/Downloads/test.pkg

Subcommands

The sign command supports these subcommands:

smctl signature <subcommand>

or

smctl sign <subcommand>

Table 2. Subcommands for managing signatures (subcommand, description)

  remove
      Remove a signature.

  verify
      Verify a signed binary.

  sign-hash
      Sign hashes.

  verify-hash
      Verify hashes.

  in-toto
      Sign and verify JSON SBOMs using in-toto functionality.

Remove signature from binary

The remove signature command begins with:

smctl sign remove

Flags

The remove signature command supports these flags:

Table 3. Flags for removing a signature (shortcut, flag, description)

  -i, --input string
      Specify a file or folder. If you specify a folder, the signature is removed from all files inside the folder (only signtool is supported).
      Format: --input="<value>"

  -h, --help
      Help for remove.

Example

Description: Remove the digital signature from the specified file, or from all files within the specified folder.

Command:

smctl sign remove --input <path to file or folder whose signatures are to be removed>

Command sample:

smctl sign remove -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_signed

Verify signed binary

Verify signature commands begin with:

smctl signature verify

or

smctl sign verify

Flags

Verify signature commands support these flags:

Table 4. Flags for verifying a signature (shortcut, flag, description)

  -f, --fingerprint string
      Fingerprint of the certificate to be used for verification. This is applied based on the options available for the tool used.
      Format: --fingerprint="<value>"

  -i, --input string
      Specify a file or folder. If you specify a folder, all files inside the folder are verified.
      Format: --input="<value>"

  -t, --tool
      Specify the signing tool used to verify the files. Omit this parameter to let SMCTL select an appropriate tool based on the file extension.

  -q, --quiet
      Limit the output of the command to a single confirmation of success or failure.

  -v, --verbose
      Enable detailed output of the command, with comprehensive information about the verification, including success and failure details.

  -h, --help
      Help for verify.

Example

Description: Verify the signature of the file or folder at the specified path against the given certificate fingerprint.

Command:

smctl sign verify --fingerprint <certificate fingerprint> --input <path to file or folder to be verified>

Command sample:

smctl sign verify --fingerprint da39a3ee5e6b4b0d3255bfef95601890afd80709 -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_verified