Sign Tool (SignTool.exe)
The Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.
Note
The Sign Tool is not supported on Microsoft Windows NT, Windows Me, Windows 98, or Windows 95.
signtool [command] [options] [file_name | ...]
Parameters
| Argument | Description |
|---|---|
command |
One of the command flags that specifies an operation to perform on a file. |
options |
One of the option flags that modifies a command flag. |
file_name |
The path to a file to sign. |
The following commands are supported by Sign Tool.
| Command | Description |
|---|---|
catdb |
Adds or removes a catalog file to or from a catalog database. |
sign |
Digitally signs files. |
signwizard |
Launches the signing wizard. Only a single file can be specified for the file name command-line argument. |
timestamp |
Time stamps files. |
verify |
Verifies the digital signature of files. |
The following options apply to the catdb ** command.
| Catdb option | Description |
|---|---|
/d |
Specifies that the default catalog database is updated. If neither the /d nor /g option is used, Sign Tool updates the system component and driver database. |
/g GUID |
Specifies that the catalog database identified by the globally unique identifier (GUID) is updated. |
/r |
Removes the specified catalog from the catalog database. If this option is not specified, Sign Tool will add the specified catalog to the catalog database. |
/u |
Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files will be renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool will overwrite any existing catalog that has the same name as the catalog being added. |
Note
Catalog databases are used for automatic lookup of catalog files.
The following options apply to the ** sign ** command.
| Sign option | Description |
|---|---|
/a |
Automatically selects the best signing certificate. If this option is not present, Sign Tool expects to find only one valid signing certificate. |
/c CertTemplateName |
Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate. |
/csp CSPName |
Specifies the cryptographic service provider (CSP) that contains the private key container. |
/d Desc |
Specifies a description of the signed content. |
/du URL |
Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content. |
/f SignCertFile |
Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the CSP and private key container name, respectively. |
/i IssuerName |
Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name. |
/k PrivKeyContainerName |
Specifies the private key container name. |
/n SubjectName |
Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name. |
/p Password |
Specifies the password to use when opening a PFX file. A PFX file can be specified by using the /f option. |
/r RootSubjectName |
Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate. |
/s StoreName |
Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened. |
/sha1 Hash |
Specifies the SHA1 hash of the signing certificate. |
/sm |
Specifies that a computer store, instead of a user store, is used. |
/t URL |
Specifies the URL of the time stamp server. If this option is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. |
/u Usage |
Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3). |
The following option applies to the ** timestamp command.
| Timestamp option | Description |
|---|---|
/t URL |
Required. Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. |
The following options apply to the verify command.
| Sign option | Description |
|---|---|
/a |
Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of files that may or may not be signed include Windows files or drivers. |
/ad |
Finds the catalog using the default catalog database. |
/as |
Finds the catalog using the system component (driver) catalog database. |
/ag CatDBGUID |
Finds the catalog in the catalog database identified by the GUID. |
/c CatFile |
Specifies the catalog file by name. |
/o Version |
Verifies the file by operating system version. The version parameter is of the form: PlatformID:VerMajor.VerMinor.BuildNumber |
/pa |
Specifies that the Default Authentication Verification Policy is used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options. |
/pg PolicyGUID |
Specifies a verification policy by GUID. The GUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options. |
/r RootSubjectName |
Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate. |
/tw |
Specifies that a warning is generated if the signature is not time stamped. |
The following options apply to all Sign Tool commands.
| Global option | Description |
|---|---|
/q |
No output on successful execution and minimal output for failed execution. |
/v |
Verbose output for successful execution, failed execution, and warning messages. |
Remarks
Sign Tool requires that the CAPICOM 2.0 redistributable be installed on the local computer. The CAPICOM 2.0 redistributable is available from https://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdkredist.htm.
The Sign Tool verify command determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
Sign Tool returns an exit code of zero for successful execution, one for failed execution, and two for execution that completed with warnings.
Examples
The command demonstrates how to sign a file automatically using the best certificate.
signtool sign /a MyFile.exe