Skip to main content

Sign binary commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Prerequisites

  • Executables must be present in the path variable of the operating system for all tools used for signing.

  • PKCS11 config file is mandatory for jarsigner and jSign.

  • Provide either keypair alias or certificate fingerprint for signing.

Configuration

The default tool used for signing will be based on the operating system. For example:

  • Signtool will be used on Windows.

  • Jsign will be used on Linux for Authenticode signing.

  • Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).

  • Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • The minimum SDK version supported for APK signer is 18.

Help commands

To list all the available actions to manage signatures, insert the following command:

smctl signature --help

or

smctl signature -h

or

smctl sign --help

or

smctl sign -h

Sign

Sign commands begin with:

smctl signature <keypair alias>

or

smctl sign <keypair alias >

Flags

The sign command supports these flags:

Tabela 1. Flags for managing signatures

Shortcut

Flag

Description

--all-metadata

Capture all signature metadata. Default is to capture all metadata.

--certificate string

Provide the path of the certificate to be used for signing. 

Format:

--certificate="<value>"

--checksum-after-signing

Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.

--checksum-before-signing

Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.

--config-file string

Provide the path to the PKCS11 config file. 

Format:

--config-file="<value>"

-d

--digalg string

Specify the digest algorithm to use for signing (default based on the tool used for signing).

Format:

--digalg="<value>"

--digest-algorithm

Capture the digest algorithm in the signature metadata. Leave blank to capture by default.

--exit-non-zero-on-fail

Returns a non-zero status if any files fail to be signed during bulk signing.

--failfast

Stops bulk signing immediately upon encountering the first file that cannot be signed.

--file-location

Capture the file location in the signature metadata. Leave blank to capture by default.

--file-name

Capture the file name in the signature metadata. Leave blank to capture by default.

-i

--input string

Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. 

Format:

--input="<value>"

--keychain-path string

Provide the path to Keychain (This flag only applies to Apple productsign)

-k

--keypair-alias string

Keypair alias to be used for signing. 

Format:

--keypair-alias="<value>"

--openssl-pkcs11-engine string

Provide the path to the OpenSSL PKCS11 engine.

Nota

This flag only applies to osslsigncode.

--pkcs11-module string

Provide the absolute path to the PKCS11 library.

-s

--sigalg string

Signature algorithm to use (default based on the tool used for signing). 

Format:

--sigalg="<value>"

--signing-tool

Capture the signing tool in the signature metadata. Leave blank to capture by default.

--timestamp

Enable or disable timestamp. (default value 'true')

--timestamp-flag

Capture the timestamp in the signature metadata. Leave blank to capture by default.

-t

--tool string

Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension).

Format:

--tool="<value>"

--tsa-url

Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default.

-v

--verbose

Verbose logging for signing.

-h

--help

Help for signing.


Examples

Description: Sign the files or folders specified with the provided keypair and certificate.

Command:

smctl sign --keypair-alias=<keypair alias> --config-file <path to config file> --input <path to file or folder to be signed>

Command sample:

smctl sign --keypair-alias=keypair-dynamic-kp1 --config-file C:\Users\Name\Desktop\smctl\pkcs11properties.cfg --input C:\Users\Name\Desktop\folder_or_files_to_sign

Description: Sign the specified files or folders with the keypair that is referred to by its alias. This command will only work in Windows.

Command:

smctl sign --keypair-alias=<keypair alias> --input <path to file or folder to be signed>

Command sample:

smctl sign --keypair-alias=keypair-dynamic-kp1 -i C:\Users\Name\Desktop\folder_or_files_to_sign

Nota

It is no longer necessary to add the <--certificate string> flag to the command because the certificate is automatically downloaded when you specify the keypair alias.

Subcommands

The sign command supports these subcommands:

smctl signature <subcommand>

or

smctl sign <subcommand>

Tabela 2. Subcommands for managing signatures

Subcommand

Description

remove

Remove signature

verify

Verify signed binary.


Remove signature from binary

Remove signature command begins with:

smctl sign remove

Flags

Remove signature command supports these flags:

Tabela 3. Flags for removing a signature

Shortcut

Flag

Description

-i

--input string

Specify a file or folder. If you specify a folder, all files inside a folder will have their signature removed (only signtool is supported). 

Format:

--input="<value>"

-h

--help

Help for remove.


Example

Description: Remove digital signatures for specified file or files within specified folders.

Command:

smctl sign remove --input <path to file or folder to be signed>

Command sample:

smctl sign remove -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_signed

Verify signed binary

Verify signature commands begin with:

smctl signature verify

or

smctl sign verify

Flags

Verify signature commands support these flags:

Tabela 4. Flags for verifying a signature

Shortcut

Flag

Description

-f

--fingerprint string

Fingerprint of the certificate to be used for verification. This will be applied based on the options available for the tool used. 

Format:

--fingerprint="<value>"

-i

--input string

Specify a file or folder. If you specify a folder, all files inside a folder will be verified. 

Format:

--input="<value>"

-t

--tool

Specify the signing tool to be used for signing files. Omit this parameter to allow SMCTL to select an appropriate signing tool based on the file extension.

-q

--quiet

Specify this parameter to limit the output of the command to a simple one confirmation of success or failure.

-v

--verbose

Specify this parameter to enable detailed output of the command, providing comprehensive information about the signing process, including success and failure details.

-h

--help

Help for verify.


Example

Description: Verify the signature referred to by the certificate fingerprint located in specified file path.

Command:

smctl sign verify --fingerprint <certificate fingerprint> --input <path to file or folder to be verified>

Command sample:

smctl sign verify --fingerprint da39a3ee5e6b4b0d3255bfef95601890afd80709 -i C:\Users\Name\Desktop\file_or_folder_with_files_to_be_verified
Nesta secção: