Sign with SMCTL
You can use SMCTL to sign with SignTool, jarsigner, apksigner, NuGet, Mage, and jsign.
You can integrate third-party signing tools with SMCTL for simplified signing. For other SMCTL commands, refer to the SMCTL command manual.
Tip
SMCTL does not support all characters in sign commands. Review the following:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
| ` $ > < # ! ' & + ^
Note: Jarsigner supports the ^ character in sign commands.
To avoid errors, remove unsupported characters from file paths before attempting to sign, or sign directly with the third-party tool.
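A pre-flight check for the character rule above can run before `smctl sign` so that a batch does not fail partway through. This is an added example, not DigiCert's code: the helper names, the `jarsigner` switch and the sample paths are assumptions made for illustration, and only the unsupported-character list comes from the tip.

```python
import os

# Characters the tip above lists as unsupported in smctl sign commands.
UNSUPPORTED = set("|`$><#!'&+^")

def unsupported_chars(path, jarsigner=False):
    """Return the unsupported characters present in path, sorted."""
    # The page notes that jarsigner accepts ^, so exempt it for that tool.
    banned = UNSUPPORTED - {"^"} if jarsigner else UNSUPPORTED
    return sorted(set(path) & banned)

def collect_paths(input_path):
    """Yield input_path itself, plus every file below it if it is a folder."""
    yield input_path
    for root, _dirs, files in os.walk(input_path):
        for name in files:
            yield os.path.join(root, name)

def preflight(paths, jarsigner=False):
    """Map each offending path to the characters that must be removed."""
    report = {}
    for p in paths:
        bad = unsupported_chars(p, jarsigner)
        if bad:
            report[p] = bad
    return report

# Constructed sample paths (not from the original page).
SAMPLE = [
    r"C:\build\out\app_v1.2-(x64).exe",
    r"C:\build\out\tools&utils\helper.dll",
    r"C:\build\out\lib^2.jar",
    r"C:\build\R&D\setup#1.msi",
]

if __name__ == "__main__":
    for path, bad in preflight(SAMPLE).items():
        print(f"rename before signing: {path}  (contains {' '.join(bad)})")
```

On a real tree, pass `collect_paths(<input folder>)` to `preflight` and stop the job if the report is not empty.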
Prerequisites
DigiCert ONE client authentication certificate
Keypair and default certificate
File or folder to be signed
Download and integrate third-party signing tools
Refer to the article below to identify the third-party signing tools that you require based on your operating system and the types of files you need to sign:
Set up tools
Operating systems use the environment variable called PATH to determine where executable files are stored on your system.
Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
Provide the keypair alias and certificate file path
Sync the certificate, and then provide the keypair alias and the certificate file path.
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Note
For more information refer to the Windows command manual.
Sign with SMCTL
When you do not specify a signing tool in the sign command, SMCTL selects the default signing tool based on your operating system and the type of file you are trying to sign. Alternatively, specify the signing tool you want SMCTL to sign with.
Note
For more information refer to the sign command manual.
Sign with the default signing tool
You can sign using the keypair alias or the certificate fingerprint.
Tip
Signing with the keypair alias is preferred because the certificate fingerprint works only when signing with the KSP library and after the certificate has been synced to the certificate store.
Keypair alias method
To sign using the keypair alias, use the following:
smctl sign --keypair-alias <keypair alias> --input <path to unsigned file or folder>
Command sample:
smctl sign --keypair-alias kp3 --input C:\Users\Name\Desktop\folder_or_files_to_sign
Note
Specifying the --certificate parameter in the sign command is required if you are using SMCTL version 1.20 or lower.
Certificate fingerprint method
To sign using the certificate fingerprint, use the following command:
smctl sign --fingerprint <certificate fingerprint> --input <path to unsigned file or folder>
Command sample
smctl sign --fingerprint aa42b7d92f826d0ad6d23aa0d778c8cbfab7d61d --input C:\Users\Name\Desktop\folder_or_files_to_sign
Sign using SMCTL and a third-party signing tool
To sign using SMCTL and a third-party tool:
Synchronize your certificate. Run the following command:
smctl windows certsync --keypair-alias=<your keypair alias>
Review the following success message:
Syncing certificate for alias: <your keypair alias>, ID: <your certificate ID> and SHA1 Fingerprint: <your certificate SHA1 fingerprint>
Sign based on your third-party tool:
To sign a single file with SignTool, run the following command:
smctl sign --fingerprint <your certificate SHA1 fingerprint> --input <file you want to sign>
Review the following success message:
signCommand command for file <file you signed> was SUCCESSFUL
To sign multiple files with SignTool, place the files in a folder, and then run the following command:
smctl sign --fingerprint <your certificate SHA1 fingerprint> --input <folder containing your files>
To sign a single file with JarSigner, run the following command:
smctl sign --keypair-alias=<your keypair alias> --config-file <path to pkcs11properties.cfg> --input <unsigned file path>
Review the following success message:
signCommand command for file <file you signed> was SUCCESSFUL
To sign multiple files with JarSigner, place the files in a folder, and then run the following command:
smctl sign --keypair-alias=<your keypair alias> --config-file <path to pkcs11properties.cfg> --input <folder containing your files>
To sign using osslsigncode or jsign, include the PKCS#11 library flag:
smctl sign --keypair-alias <keypair alias> --certificate <path to code signing certificate> --config-file <path to PKCS11 config file> --input <path to unsigned file or folder> --tool <tool>
Review the following sample command:
smctl sign --keypair-alias=dynamic-kp1 --certificate C:\Users\John.Doe\Desktop\smctl\certificate.pem --config-file C:\Users\John.Doe\Desktop\smctl\pkcs11properties.cfg --input C:\Users\John.Doe\Desktop\folder_or_files_to_sign --tool jsign
Tip
Multiple signatures may occur for different Android versions when you sign with Apksigner. To avoid multiple signatures, sign directly with Apksigner.
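A build pipeline can check the two success messages shown in the steps above instead of trusting that a command merely ran. The following added example (not DigiCert's code) parses captured output using the message formats quoted on this page. It assumes each success message names the file exactly as it was passed to `--input`, and the sample output, alias, ID, fingerprint and paths are constructed.

```python
import re

# Patterns built from the two success messages quoted in the steps above.
SYNC_RE = re.compile(
    r"Syncing certificate for alias: (?P<alias>.+?), ID: (?P<id>.+?) "
    r"and SHA1 Fingerprint: (?P<fp>[0-9A-Fa-f]{40})\b"
)
SIGN_OK_RE = re.compile(
    r"signCommand command for file (?P<file>.+?) was SUCCESSFUL"
)

def fingerprint_for_alias(certsync_output, alias):
    """Return the SHA-1 fingerprint certsync reported for this alias.

    Raises ValueError when the alias is missing, so a pipeline cannot
    go on to sign with a fingerprint that belongs to another keypair.
    """
    for m in SYNC_RE.finditer(certsync_output):
        if m.group("alias") == alias:
            return m.group("fp").lower()
    raise ValueError(f"no certsync line for alias {alias!r}")

def unconfirmed(sign_output, expected_files):
    """Return expected files that have no SUCCESSFUL line (fail closed)."""
    confirmed = {m.group("file") for m in SIGN_OK_RE.finditer(sign_output)}
    return [f for f in expected_files if f not in confirmed]

# Constructed sample output; alias, ID, fingerprint and paths are made up.
CERTSYNC_OUT = (
    "Syncing certificate for alias: kp-demo, ID: 00000000-demo-id "
    "and SHA1 Fingerprint: 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SIGN_OUT = (
    r"signCommand command for file C:\out\app.exe was SUCCESSFUL" "\n"
    r"signCommand command for file C:\out\helper.dll was SUCCESSFUL" "\n"
)
EXPECTED = [r"C:\out\app.exe", r"C:\out\helper.dll", r"C:\out\setup.msi"]

if __name__ == "__main__":
    print("fingerprint:", fingerprint_for_alias(CERTSYNC_OUT, "kp-demo"))
    print("not confirmed signed:", unconfirmed(SIGN_OUT, EXPECTED))
```

Any file returned by `unconfirmed` should block the release until it has been signed and passes `smctl sign verify`.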
Verify
To verify a single file, run the following command:
smctl sign verify --input <signed file>
To verify multiple files, run the following command:
smctl sign verify --input <folder containing your signed file>
Remove
To search for all files in the specified path and remove the signatures from those files, use the following:
smctl sign remove --input <path to signed file or folder>
Note
For more information refer to the remove signature command manual.