Sign binary commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Prerequisites

Executables must be present in the path variable of the operating system for all tools used for signing.
PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.
Provide either keypair alias or certificate fingerprint for signing.

Configuration

The default tool used for signing will be based on the operating system. For example:

Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).
Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
The minimum SDK version supported for APK signer is 18.

Sign

Sign commands begin with:

smctl signature <keypair alias>

smctl sign <keypair alias >

Flags

The sign command supports these flags:

Tabella 1. Flags for managing signatures

Shortcut	Flag	Description
	--all-metadata	Capture all signature metadata. Default is to capture all metadata.
	--certificate string	Provide the path of the certificate to be used for signing. Format: --certificate="<value>"
	--checksum-after-signing	Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.
	--checksum-before-signing	Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.
	--config-file string	Provide the path to the PKCS11 config file. Format: --config-file="<value>"
	--deep	Sign all internal frameworks and plugins (This flag only applies to Apple codesign) (default true) Nota This flag only applies to Apple codesign commands.
-d	--digalg string	Specify the digest algorithm to use for signing (default based on the tool used for signing). Format: --digalg="<value>"
	--digest-algorithm	Capture the digest algorithm in the signature metadata. Leave blank to capture by default.
	--digicert-ctk-app-path string	Provide the path to DigiCert SSM Signing Clients.app. Nota This flag only applies to Apple codesign and productsign commands.
	--digicert-ctk-cli-path string	Provide the path to DigiCert SSM Signing Clients.app's CLI. Nota This flag only applies to Apple codesign and productsign commands.
	--dryrun	Verify if the file can be signed without actually signing it (This flag only applies to Apple codesign)
	--entitlements-file-path	Specify the entitlements file path. Nota This flag only applies to Apple codesign commands.
	--exit-non-zero-on-fail	Returns a non-zero status if any files fail to be signed during bulk signing.
	--failfast	Stops bulk signing immediately upon encountering the first file that cannot be signed.
	--file-location	Capture the file location in the signature metadata. Leave blank to capture by default.
	--file-name	Capture the file name in the signature metadata. Leave blank to capture by default.
-f	--fingerprint string	Provide the fingerprint of the certificate to be used for signing. Format: --fingerprint="<value>" Nota For Apple codesign and productsign, after the key is added to the token.
	--force	Replace existing signatures (default value 'true'). Nota This flag only applies to Apple codesign commands.
	--identity string	Specify the apple developer or installer certificate that you will use to sign with. This information can be found using security export-smartcard. Nota This flag only applies to Apple codesign commands, after the key is added to the token.
-i	--input string	Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. Format: --input="<value>"
	--keychain-path string	Provide the path to Keychain (This flag only applies to Apple productsign)
-k	--keypair-alias string	Keypair alias to be used for signing. Format: --keypair-alias="<value>"
	--output-file	Signed package file (should be different than input file) Nota This flag is compulsory for Apple productsign.
	--openssl-pkcs11-engine string	Provide the path to the OpenSSL PKCS11 engine. Nota This flag only applies to osslsigncode.
	--pkcs11-module string	Provide the absolute path to the DigiCert® Software Trust Manager PKCS11 library.
	--preserve-metadata	Preserve the metadata. Nota This flag only applies to Apple codesign commands.
-s	--sigalg string	Signature algorithm to use (default based on the tool used for signing). Format: --sigalg="<value>"
	--signing-tool	Capture the signing tool in the signature metadata. Leave blank to capture by default.
	--timestamp	Use this flag to enable or disable timestamping for your signature. The syntax is `--timestamp=false` to disable timestamping. By default, the timestamp is enabled (TRUE).
	--timestamp-flag	Capture the timestamp in the signature metadata. Leave blank to capture by default.
-t	--tool string	Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension). Format: --tool="<value>"
	--tsa-url	Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default.
-v	--verbose	Verbose logging for signing.
-h	--help	Help for signing.

Subcommands

The sign command supports these subcommands:

smctl signature <subcommand>

smctl sign <subcommand>

Tabella 2. Subcommands for managing signatures

Subcommand	Description
remove	Remove signature
verify	Verify signed binary.
sign-hash	Sign hashes.
verify-hash	Verify hashes.
in-toto	Sign and verify JSON SBOMs using in-toto functionality.

In questa sezione:

Sign binary commands

Prerequisites

Configuration

Sign

Nota

Nota

Nota

Nota

Nota

Nota

Nota

Nota

Nota

Nota

Subcommands

Risultati della ricerca