Sign binary commands
This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.
Prerequisites
Executables must be present in the path variable of the operating system for all tools used for signing.
PKCS11 config file is mandatory for jarsigner and jSign.
Provide either keypair alias or certificate fingerprint for signing.
Configuration
The default tool used for signing will be based on the operating system. For example:
Signtool will be used on Windows.
Jsign will be used on Linux for Authenticode signing.
Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).
Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
The minimum SDK version supported for APK signer is 18.
Help commands
To list all the available actions to manage signatures, insert the following command:
smctl signature --help
or
smctl signature -h
or
smctl sign --help
or
smctl sign -h
Sign
Sign commands begin with:
smctl signature <keypair alias>
or
smctl sign <keypair alias >
Flags
The sign command supports these flags:
Shortcut | Flag | Description |
---|---|---|
--all-metadata | Capture all signature metadata. Default is to capture all metadata. | |
--certificate string | Provide the path of the certificate to be used for signing. Format: --certificate="<value>" | |
--checksum-after-signing | Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default. | |
--checksum-before-signing | Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default. | |
--config-file string | Provide the path to the PKCS11 config file. Format: --config-file="<value>" | |
-d | --digalg string | Specify the digest algorithm to use for signing (default based on the tool used for signing). Format: --digalg="<value>" |
--digest-algorithm | Capture the digest algorithm in the signature metadata. Leave blank to capture by default. | |
--exit-non-zero-on-fail | Returns a non-zero status if any files fail to be signed during bulk signing. | |
--failfast | Stops bulk signing immediately upon encountering the first file that cannot be signed. | |
--file-location | Capture the file location in the signature metadata. Leave blank to capture by default. | |
--file-name | Capture the file name in the signature metadata. Leave blank to capture by default. | |
-i | --input string | Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. Format: --input="<value>" |
--keychain-path string | Provide the path to Keychain (This flag only applies to Apple productsign) | |
-k | --keypair-alias string | Keypair alias to be used for signing. Format: --keypair-alias="<value>" |
--openssl-pkcs11-engine string | Provide the path to the OpenSSL PKCS11 engine. OpmerkingThis flag only applies to osslsigncode. | |
--pkcs11-module string | Provide the absolute path to the PKCS11 library. | |
-s | --sigalg string | Signature algorithm to use (default based on the tool used for signing). Format: --sigalg="<value>" |
--signing-tool | Capture the signing tool in the signature metadata. Leave blank to capture by default. | |
--timestamp | Enable or disable timestamp. (default value 'true') | |
--timestamp-flag | Capture the timestamp in the signature metadata. Leave blank to capture by default. | |
-t | --tool string | Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension). Format: --tool="<value>" |
--tsa-url | Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default. | |
-v | --verbose | Verbose logging for signing. |
-h | --help | Help for signing. |
Examples
Description: Sign the files or folders specified with the provided keypair and certificate.
Command:
smctl sign --keypair-alias=<keypair alias> --config-file <path to config file> --input <path to file or folder to be signed>
Command sample:
smctl sign --keypair-alias=keypair-dynamic-kp1 --config-file C:\Users\Name\Desktop\smctl\pkcs11properties.cfg --input C:\Users\Name\Desktop\folder_or_files_to_sign
Description: Sign the specified files or folders with the keypair that is referred to by its alias. This command will only work in Windows.
Command:
smctl sign --keypair-alias=<keypair alias> --input <path to file or folder to be signed>
Command sample:
smctl sign --keypair-alias=keypair-dynamic-kp1 -i C:\Users\Name\Desktop\folder_or_files_to_sign
Opmerking
It is no longer necessary to add the <--certificate string> flag to the command because the certificate is automatically downloaded when you specify the keypair alias.
Subcommands
The sign command supports these subcommands:
smctl signature <subcommand>
or
smctl sign <subcommand>
Remove signature from binary
Remove signature command begins with:
smctl sign remove
Flags
Remove signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
-i | --input string | Specify a file or folder. If you specify a folder, all files inside a folder will have their signature removed (only signtool is supported). Format: --input="<value>" |
-h | --help | Help for remove. |
Example
Description: Remove digital signatures for specified file or files within specified folders.
Command:
smctl sign remove --input <path to file or folder to be signed>
Command sample:
smctl sign remove -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_signed
Verify signed binary
Verify signature commands begin with:
smctl signature verify
or
smctl sign verify
Flags
Verify signature commands support these flags:
Shortcut | Flag | Description |
---|---|---|
-f | --fingerprint string | Fingerprint of the certificate to be used for verification. This will be applied based on the options available for the tool used. Format: --fingerprint="<value>" |
-i | --input string | Specify a file or folder. If you specify a folder, all files inside a folder will be verified. Format: --input="<value>" |
-t | --tool | Specify the signing tool to be used for signing files. Omit this parameter to allow SMCTL to select an appropriate signing tool based on the file extension. |
-q | --quiet | Specify this parameter to limit the output of the command to a simple one confirmation of success or failure. |
-v | --verbose | Specify this parameter to enable detailed output of the command, providing comprehensive information about the signing process, including success and failure details. |
-h | --help | Help for verify. |
Example
Description: Verify the signature referred to by the certificate fingerprint located in specified file path.
Command:
smctl sign verify --fingerprint <certificate fingerprint> --input <path to file or folder to be verified>
Command sample:
smctl sign verify --fingerprint da39a3ee5e6b4b0d3255bfef95601890afd80709 -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_verified