Sign binary commands
This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.
Prerequisites
Executables must be present in the path variable of the operating system for all tools used for signing.
PKCS11 config file is mandatory for jarsigner and jSign.
Provide either keypair alias or certificate fingerprint for signing.
Configuration
The default tool used for signing will be based on the operating system. For example:
Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).
Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
The minimum SDK version supported for APK signer is 18.
Sign
Sign commands begin with:
smctl signature <keypair alias>
or
smctl sign <keypair alias >
Flags
The sign command supports these flags:
Shortcut | Flag | Description |
---|---|---|
--all-metadata | Capture all signature metadata. Default is to capture all metadata. | |
--certificate string | Provide the path of the certificate to be used for signing. Format: --certificate="<value>" | |
--checksum-after-signing | Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default. | |
--checksum-before-signing | Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default. | |
--config-file string | Provide the path to the PKCS11 config file. Format: --config-file="<value>" | |
-d | --digalg string | Specify the digest algorithm to use for signing (default based on the tool used for signing). Format: --digalg="<value>" |
--digest-algorithm | Capture the digest algorithm in the signature metadata. Leave blank to capture by default. | |
--exit-non-zero-on-fail | Returns a non-zero status if any files fail to be signed during bulk signing. | |
--failfast | Stops bulk signing immediately upon encountering the first file that cannot be signed. | |
--file-location | Capture the file location in the signature metadata. Leave blank to capture by default. | |
--file-name | Capture the file name in the signature metadata. Leave blank to capture by default. | |
-i | --input string | Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. Format: --input="<value>" |
--keychain-path string | Provide the path to Keychain (This flag only applies to Apple productsign) | |
-k | --keypair-alias string | Keypair alias to be used for signing. Format: --keypair-alias="<value>" |
--openssl-pkcs11-engine string | Provide the path to the OpenSSL PKCS11 engine. NotaThis flag only applies to osslsigncode. | |
--pkcs11-module string | Provide the absolute path to the PKCS11 library. | |
-s | --sigalg string | Signature algorithm to use (default based on the tool used for signing). Format: --sigalg="<value>" |
--signing-tool | Capture the signing tool in the signature metadata. Leave blank to capture by default. | |
--timestamp | Use this flag to enable or disable timestamping for your signature. The syntax is | |
--timestamp-flag | Capture the timestamp in the signature metadata. Leave blank to capture by default. | |
-t | --tool string | Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension). Format: --tool="<value>" |
--tsa-url | Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default. | |
-v | --verbose | Verbose logging for signing. |
-h | --help | Help for signing. |
Subcommands
The sign command supports these subcommands:
smctl signature <subcommand>
or
smctl sign <subcommand>
Subcommand | Description |
---|---|
remove | Remove signature |
verify | Verify signed binary. |