Skip to main content

Sign binary commands

Learn how to use SMCTL commands to manage signatures (sign, verify signature, remove signature), using flags to define the command parameters.

For signing, we offer traditional tool-based signing and simple signing.

Note

Simple signing is a newly introduced feature. We're working to expand its capabilities, including adding supported file types and metadata capturing.

Traditional signing and simple signing

Traditional signing

Pros

Cons

  • Requires the use of established third-party signing tools and libraries, such as signtool,jarsigner, and osslsigncode.

  • May require DigiCert-specific components, such as KSP or PKCS11 modules.

  • Doesn't support bulk signing

Simple signing

Pros

Cons

  • Uses the --simple flag to sign without the need of third-party tools, extra libraries, or external signing infrastructure.

  • Uses the --unsigned to ensure that only unsigned files are signed, preventing unintended re-signing.

  • Supports bulk signing. To learn more, see Bulk signing.

  • Fewer file types are supported

  • Metadata data collection (timestamp, tool, checksums) isn't supported

Prerequisites

For traditional signing:

  • Tools used for signing must be present in the path variable of the operating system

  • A PKCS11 config file is mandatory for jarsigner, apksigner, and jSign.

  • Specify either a key pair alias (--keypair-alias) or a certificate fingerprint (--fingerprint) for signing.

For simple signing:

  • SMCTL

  • Access to signing key pairs

Configuration

For traditional signing:

  • Default tool selection: SMCTL selects the signing tool automatically based on your operating system.

  • Signature algorithm: Use the --sigalg string flag to specify the signature algorithm, depending on what the selected tool supports.

  • Digest algorithm: Use the the <--digalg string> flag to specify the digest algorithm, also based on the supported options of the tool.

  • Sign specific file: Use the <--tool string> flag to sign a specific file type.

    • For example, --tool apksigner signs only .apk files.

  • APK signer support: The minimum SDK version supported for apksigner is 18.

For simple signing:

  • No tool selection required: SMCTL handles the signing directly. You don't need to install or reference third-party tools.

  • No DigiCert libraries required: DigiCert KSP, PKCS11, or other local libraries aren't needed; only SMCTL is required.

Sign commands

Review the following two ways to begin a sign command:

smctl signature <keypair alias>

or

smctl sign <keypair alias >

Flags for simple signing

Review the following flags that can be used with the sign command for simple signing:

Table 1. Flags for simple signing

Flag

Description

--simple

This flag signs without the need of third-party signing tools and libraries and only applies to simplified signing workflows.

--unsigned

This flag only signs unsigned files and only applies to simplified signing workflows.


Flags for traditional signing

Review the following flags that can be used with the sign command for simple signing:

Table 2. Flags for traditional signing

Flag

Description

--all-metadata

Capture all signature metadata. Default is to capture all metadata.

--certificate string

Provide the path of the certificate to be used for signing. 

Format:

--certificate="<value>"

--checksum-after-signing

Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.

--checksum-before-signing

Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.

--config-file string

Provide the path to the PKCS11 config file. 

Format:

--config-file="<value>"

--deep

Sign all internal frameworks and plugins (This flag only applies to Apple codesign) (default true)

Note

This flag only applies to Apple codesign commands.

  • --digalg string

  • -d (shortcut)

Specify the digest algorithm to use for signing (default based on the tool used for signing).

Format:

--digalg="<value>"

--digest-algorithm

Capture the digest algorithm in the signature metadata. Leave blank to capture by default.

--digicert-ctk-app-path string

Provide the path to DigiCert SSM Signing Clients.app.

Note

This flag only applies to Apple codesign and productsign commands.

--digicert-ctk-cli-path string

Provide the path to DigiCert SSM Signing Clients.app's CLI.

Note

This flag only applies to Apple codesign and productsign commands.

--dryrun

Verify if the file can be signed without actually signing it (This flag only applies to Apple codesign)

--entitlements-file-path

Specify the entitlements file path.

Note

This flag only applies to Apple codesign commands.

--exit-non-zero-on-fail

Returns a non-zero status if any file within a folder or directory fails to be signed.

--failfast

Stops signing a folder or directory immediately upon encountering the first file that can't be signed.

--file-location

Capture the file location in the signature metadata. Leave blank to capture by default.

--file-name

Capture the file name in the signature metadata. Leave blank to capture by default.

  • --fingerprint string

  • -f (shortcut)

Provide the fingerprint of the certificate to be used for signing. 

Format:

--fingerprint="<value>"

Note

For Apple codesign and productsign, after the key is added to the token.

--force

Replace existing signatures (default value 'true').

Note

This flag only applies to Apple codesign commands.

--identity string

Specify the apple developer or installer certificate that you'll use to sign with. This information can be found using a security export-smartcard.

Note

This flag only applies to Apple codesign commands, after the key is added to the token.

  • --input string

  • -i (shortcut)

Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. 

Format:

--input="<value>"

--keychain-path string

Provide the path to Keychain (This flag only applies to Apple productsign)

  • --keypair-alias string

  • -k (shortcut)

Keypair alias to be used for signing. 

Format:

--keypair-alias="<value>"

--output-file

Signed package file (should be different than input file)

Note

This flag is compulsory for Apple productsign.

--openssl-pkcs11-engine string

Provide the path to the OpenSSL PKCS11 engine.

Note

This flag only applies to osslsigncode.

--pkcs11-module string

Provide the absolute path to the DigiCert​​®​​ Software Trust Manager PKCS11 library.

--preserve-metadata

Preserve the metadata.

Note

This flag only applies to Apple codesign commands.

  • --sigalg string

  • -s (shortcut)

Signature algorithm to use (default based on the tool used for signing). 

Format:

--sigalg="<value>"

--signing-tool

Capture the signing tool in the signature metadata. Leave blank to capture by default.

--timestamp

Use this flag to enable or disable timestamping for your signature. The syntax is --timestamp=false to disable timestamping. By default, the timestamp is enabled (TRUE).

--timestamp-flag

Capture the timestamp in the signature metadata. Leave blank to capture by default.

  • --tool string

  • -t (shortcut)

Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension).

Format:

--tool="<value>"

--tsa-url

Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default.

  • --verbose

  • -v (shortcut)

Verbose logging for signing.

  • --help

  • -h (shortcut)

Help for signing.


Subcommands for traditional signing

The sign command supports the following subcommands:

smctl signature <subcommand>

or

smctl sign <subcommand>

Table 3. Subcommands for managing signatures

Subcommand

Description

remove

Remove signature

verify

Verify signed binary.

sign-hash

Sign hashes.

verify-hash

Verify hashes.

in-toto

Sign and verify JSON SBOMs using in-toto functionality.


Sample commands

Review the following sample command for traditional signing:

smctl sign MyKeyAlias --input="MyApp.exe" --tool=signtool --certificate="path/to/cert.pem" --config-file="path/to/pkcs11.cfg" --sigalg="SHA256" --digalg="SHA256" --all-metadata --timestamp --verbose

Review the following sample command for simple signing:

smctl sign MyKeyAlias --input="MyApp.exe" --simple --sigalg="SHA256" --digalg="SHA256" --verbose

Bulk signing

Note

Bulk signing only works with simple signing.

Note

By default, bulk signing is disabled. To enable, contact your Account Manager.

Bulk signing enables you to sign multiple files in a single operation. Instead of processing each file sequentially, where each file is signed one after another, bulk signing allows you to submit a batch of files to be signed simultaneously. If you are dealing with large sets of files, this feature reduces signing time and improves efficiency.

At a high level, bulk signing offers:

  • Faster processing

    • Sign large batches of files more quickly than with traditional (sequential) signing.

  • Simplified workflow

    • Run a single signing action instead of repeating the process for each file.

  • Consistent handling

    • The same signing policy and certificate is applied to all files in the batch.

  • Error handling

    • Invalid or unsupported files are automatically skipped, with a status report for each file in the batch.

Bulk signing commands

Use the --simple and --bulk flags in your command:

smctl sign --simple --keypair-alias <keypair alias> --input <path to unsigned files or folder> --bulk

Review the following sample command:

smctl sign --simple --keypair-alias kp3 --input C:\Users\Name\Desktop\folder_or_files_to_sign --bulk
: