Manage signatures
Learn how to use SMCTL commands to manage signatures (sign, verify signature, remove signature), using flags to define the command parameters.
For signing, we offer traditional tool-based signing and simple signing.
Note
Simple signing is a newly introduced feature. We're working to expand its capabilities, including adding supported file types and metadata capturing.
Traditional signing and simple signing
Traditional signing
| Pros | Cons |
|---|---|
| | |
| | |
Simple signing
| Pros | Cons |
|---|---|
| | |
| | |
Prerequisites
For traditional signing:
The executable of every tool used for signing must be present in the OS PATH variable.
For jarsigner, apksigner, and jSign, a PKCS11 configuration file is required.
Specify either the alias of the key pair or the fingerprint of the certificate to sign with.
For simple signing:
Access to signing key pairs
Configuration
For traditional signing:
Default tool selection: SMCTL selects the signing tool automatically based on your operating system.
Signature algorithm: Use the --sigalg string flag to specify the signature algorithm, depending on what the selected tool supports.
Digest algorithm: Use the --digalg string flag to specify the digest algorithm, also based on the supported options of the tool.
Sign specific file: Use the --tool string flag to sign a specific file type. For example, --tool apksigner signs only .apk files.
APK signer support: The minimum SDK version supported for apksigner is 18.
For simple signing:
No tool selection required: SMCTL handles the signing directly. You don't need to install or reference third-party tools.
No DigiCert libraries required: DigiCert KSP, PKCS11, or other local libraries aren't needed; only SMCTL is required.
Sign commands
Review the following two ways to begin a sign command:
smctl signature <keypair alias>
or
smctl sign <keypair alias>
Flags for simple signing
Review the following flags that can be used with the sign command for simple signing:
| Flag | Description |
|---|---|
| --simple | Signs without the need for third-party signing tools and libraries. Only applies to simplified signing workflows. |
| --unsigned | Signs only files that are not yet signed. Only applies to simplified signing workflows. |
Flags for traditional signing
Review the following flags that can be used with the sign command for traditional signing:
| Flag | Description |
|---|---|
| --all-metadata | Capture all signature metadata. By default, all metadata is captured. |
| --certificate string | Path to the certificate used for signing. Format: --certificate="<value>" |
| --checksum-after-signing | Capture signature metadata: checksum after signing. Leave blank to capture by default. |
| --checksum-before-signing | Capture signature metadata: checksum of the unsigned file before signing. Leave blank to capture by default. |
| --config-file string | Path to the PKCS11 configuration file. Format: --config-file="<value>" |
| --deep | Sign all internal frameworks and plugins (default true). Note: This flag only applies to Apple codesign commands. |
| --digalg string | Specify the digest algorithm to use for signing (default based on the tool used for signing). Format: --digalg="<value>" |
| --digest-algorithm | Capture the digest algorithm in the signature metadata. Leave blank to capture by default. |
| --digicert-ctk-app-path string | Provide the path to DigiCert SSM Signing Clients.app. Note: This flag only applies to Apple codesign and productsign commands. |
| --digicert-ctk-cli-path string | Provide the path to the CLI of DigiCert SSM Signing Clients.app. Note: This flag only applies to Apple codesign and productsign commands. |
| --dryrun | Verify that the file can be signed without actually signing it. Note: This flag only applies to Apple codesign commands. |
| --entitlements-file-path | Specify the entitlements file path. Note: This flag only applies to Apple codesign commands. |
| --exit-non-zero-on-fail | Return a non-zero exit status if any file within a folder or directory fails to be signed. |
| --failfast | Stop signing a folder or directory immediately upon encountering the first file that can't be signed. |
| --file-location | Capture signature metadata: file location. Leave blank to capture by default. |
| --file-name | Capture signature metadata: file name. Leave blank to capture by default. |
| --fingerprint string | Fingerprint of the certificate used for signing. Format: --fingerprint="<value>" Note: For Apple codesign and productsign, after the key is added to the token. |
| --force | Replace existing signatures (default true). Note: This flag only applies to Apple codesign commands. |
| --identity string | Specify the Apple developer or installer certificate that you'll sign with. This information can be found using security export-smartcard. Note: This flag only applies to Apple codesign commands, after the key is added to the token. |
| --input string | Path to the input file or folder. If a folder is specified, all files in that folder are signed. Format: --input="<value>" |
| --keychain-path string | Provide the path to the Keychain. Note: This flag only applies to Apple productsign commands. |
| --keypair-alias string | Alias of the key pair used for signing. Format: --keypair-alias="<value>" |
| --output-file | Signed package file (must be different from the input file). Note: This flag is compulsory for Apple productsign. |
| --openssl-pkcs11-engine string | Provide the path to the OpenSSL PKCS11 engine. Note: This flag only applies to osslsigncode. |
| --pkcs11-module string | Provide the absolute path to the DigiCert® Software Trust Manager PKCS11 library. |
| --preserve-metadata | Preserve the metadata. Note: This flag only applies to Apple codesign commands. |
| --sigalg string | Signature algorithm to use (default based on the tool used for signing). Format: --sigalg="<value>" |
| --signing-tool | Capture signature metadata: signing tool. Leave blank to capture by default. |
| --timestamp | Enable or disable timestamping. Enabled by default. |
| --timestamp-flag | Capture signature metadata: whether timestamping was performed. Leave blank to capture by default. |
| --tool string | Tool to use for signing (if left blank, the tool is selected by file extension). Format: --tool="<value>" |
| --tsa-url | Capture signature metadata: TSA URL (the timestamp URL used). Leave blank to capture by default. |
| --verbose | Verbose logging for signing. |
| | Help for signing. |
Subcommands
The sign command supports the following subcommands.
smctl signature <subcommand>
or
smctl sign <subcommand>
| Subcommand | Description |
|---|---|
| | Remove a signature. |
| | Verify a signature. |
| | Sign hashes. |
| | Verify hashes. |
| | Sign and verify JSON SBOMs using in-toto functionality. |
Sample commands
Review the following sample command for traditional signing:
smctl sign MyKeyAlias --input="MyApp.exe" --tool=signtool --certificate="path/to/cert.pem" --config-file="path/to/pkcs11.cfg" --sigalg="SHA256" --digalg="SHA256" --all-metadata --timestamp --verbose
Review the following sample command for simple signing:
smctl sign MyKeyAlias --input="MyApp.exe" --simple --sigalg="SHA256" --digalg="SHA256" --verbose
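The following is an added example, not DigiCert's own code: a small Python driver that assembles an smctl sign command line from the flags listed above (simple or traditional mode) and keeps an audit record with the file's checksum before and after signing, the same values the --checksum-before-signing and --checksum-after-signing metadata flags capture. It assumes smctl is on PATH; the `fake_smctl` runner is a constructed stand-in so the logic can be exercised offline.

```python
"""Added example (not DigiCert's code): drive `smctl sign` and record the
file checksum before and after signing. `runner` is injectable so the flow
can run offline with a stand-in for the real smctl binary."""
import hashlib
import subprocess
import tempfile
from pathlib import Path
from types import SimpleNamespace


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of the file on disk."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_sign_command(alias, target, simple, tool=None):
    """Assemble the `smctl sign` argument list in simple or traditional mode."""
    cmd = ["smctl", "sign", alias, f"--input={target}", "--verbose"]
    if simple:
        cmd += ["--simple", "--unsigned"]  # skip files that already carry a signature
    else:
        cmd += ["--all-metadata", "--timestamp", "--exit-non-zero-on-fail"]
        if tool:  # e.g. signtool or apksigner; otherwise smctl picks by extension
            cmd.append(f"--tool={tool}")
    return cmd


def sign_with_audit(alias, target, simple=True, tool=None, runner=subprocess.run):
    """Sign `target`; fail if smctl errors or the file is left unchanged."""
    target = Path(target)
    before = sha256_of(target)
    result = runner(build_sign_command(alias, target, simple, tool), capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"smctl exited {result.returncode}: {result.stderr}")
    after = sha256_of(target)
    if after == before:
        raise RuntimeError(f"{target} unchanged after signing; no signature was applied")
    return {"file": str(target), "mode": "simple" if simple else "traditional",
            "checksum_before": before, "checksum_after": after}


def fake_smctl(cmd, **_):
    """Constructed stand-in for smctl: appends a marker to the --input file."""
    path = Path(next(a for a in cmd if a.startswith("--input="))[len("--input="):])
    path.write_bytes(path.read_bytes() + b"<fake-signature>")
    return SimpleNamespace(returncode=0, stderr="")


def demo() -> dict:
    """Sign a constructed temporary file using the stand-in runner."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "MyApp.exe")
        sample.write_bytes(b"MZ constructed sample binary")
        return sign_with_audit("MyKeyAlias", sample, runner=fake_smctl)
```

Replace `runner=fake_smctl` with the default to invoke the real smctl; the before/after checksums can then be stored alongside the signing log as evidence of what was signed.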
Bulk signing
Note
Bulk signing only works with simple signing.
Note
By default, bulk signing is disabled. To enable, contact your Account Manager.
Bulk signing enables you to sign multiple files in a single operation. Instead of processing each file sequentially, where each file is signed one after another, bulk signing allows you to submit a batch of files to be signed simultaneously. If you are dealing with large sets of files, this feature reduces signing time and improves efficiency.
At a high level, bulk signing offers:
Faster processing
Sign large batches of files more quickly than with traditional (sequential) signing.
Simplified workflow
Run a single signing action instead of repeating the process for each file.
Consistent handling
The same signing policy and certificate are applied to all files in the batch.
Error handling
Invalid or unsupported files are automatically skipped, with a status report for each file in the batch.
Bulk signing commands
Use the --simple and --bulk flags in your command:
smctl sign --simple --keypair-alias <keypair alias> --input <path to unsigned files or folder> --bulk
Review the following sample command:
smctl sign --simple --keypair-alias kp3 --input C:\Users\Name\Desktop\folder_or_files_to_sign --bulk