Sign binary commands
This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.
Prerequisites
Executables must be present in the path variable of the operating system for all tools used for signing.
PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.
Provide either keypair alias or certificate fingerprint for signing.
Configuration
The default tool used for signing will be based on the operating system. For example:
Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).
Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).
The minimum SDK version supported for APK signer is 18.
Sign
Sign commands begin with:
smctl signature <keypair alias>
or
smctl sign <keypair alias >
Flags
The sign command supports these flags:
Shortcut | Flag | Description |
---|---|---|
--all-metadata | Capture all signature metadata. Default is to capture all metadata. | |
--certificate string | Provide the path of the certificate to be used for signing. Format: --certificate="<value>" | |
--checksum-after-signing | Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default. | |
--checksum-before-signing | Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default. | |
--config-file string | Provide the path to the PKCS11 config file. Format: --config-file="<value>" | |
--deep | Sign all internal frameworks and plugins (This flag only applies to Apple codesign) (default true) NotaThis flag only applies to Apple codesign commands. | |
-d | --digalg string | Specify the digest algorithm to use for signing (default based on the tool used for signing). Format: --digalg="<value>" |
--digest-algorithm | Capture the digest algorithm in the signature metadata. Leave blank to capture by default. | |
--digicert-ctk-app-path string | Provide the path to DigiCert SSM Signing Clients.app. NotaThis flag only applies to Apple codesign and productsign commands. | |
--digicert-ctk-cli-path string | Provide the path to DigiCert SSM Signing Clients.app's CLI. NotaThis flag only applies to Apple codesign and productsign commands. | |
--dryrun | Verify if the file can be signed without actually signing it (This flag only applies to Apple codesign) | |
--entitlements-file-path | Specify the entitlements file path. NotaThis flag only applies to Apple codesign commands. | |
--exit-non-zero-on-fail | Returns a non-zero status if any files fail to be signed during bulk signing. | |
--failfast | Stops bulk signing immediately upon encountering the first file that cannot be signed. | |
--file-location | Capture the file location in the signature metadata. Leave blank to capture by default. | |
--file-name | Capture the file name in the signature metadata. Leave blank to capture by default. | |
-f | --fingerprint string | Provide the fingerprint of the certificate to be used for signing. Format: --fingerprint="<value>" NotaFor Apple codesign and productsign, after the key is added to the token. |
--force | Replace existing signatures (default value 'true'). NotaThis flag only applies to Apple codesign commands. | |
--identity string | Specify the apple developer or installer certificate that you will use to sign with. This information can be found using security export-smartcard. NotaThis flag only applies to Apple codesign commands, after the key is added to the token. | |
-i | --input string | Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. Format: --input="<value>" |
--keychain-path string | Provide the path to Keychain (This flag only applies to Apple productsign) | |
-k | --keypair-alias string | Keypair alias to be used for signing. Format: --keypair-alias="<value>" |
--output-file | Signed package file (should be different than input file) NotaThis flag is compulsory for Apple productsign. | |
--openssl-pkcs11-engine string | Provide the path to the OpenSSL PKCS11 engine. NotaThis flag only applies to osslsigncode. | |
--pkcs11-module string | Provide the absolute path to the DigiCert® Software Trust Manager PKCS11 library. | |
--preserve-metadata | Preserve the metadata. NotaThis flag only applies to Apple codesign commands. | |
-s | --sigalg string | Signature algorithm to use (default based on the tool used for signing). Format: --sigalg="<value>" |
--signing-tool | Capture the signing tool in the signature metadata. Leave blank to capture by default. | |
--timestamp | Use this flag to enable or disable timestamping for your signature. The syntax is | |
--timestamp-flag | Capture the timestamp in the signature metadata. Leave blank to capture by default. | |
-t | --tool string | Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension). Format: --tool="<value>" |
--tsa-url | Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default. | |
-v | --verbose | Verbose logging for signing. |
-h | --help | Help for signing. |
Subcommands
The sign command supports these subcommands:
smctl signature <subcommand>
or
smctl sign <subcommand>
Subcommand | Description |
---|---|
remove | Remove signature |
verify | Verify signed binary. |
Sign hashes. | |
Verify hashes. | |
Sign and verify JSON SBOMs using in-toto functionality. |