Signtool Tool (Compact 7)
3/12/2014
This tool enables you to digitally sign files using an embedded signature, to timestamp previously signed files, to verify embedded or catalog signatures, and to maintain catalog databases.
Syntax
signtool sign | timestamp | verify | catdb [options] filename[s]
Parameters
sign
Digitally signs files using an embedded signature.
Certificate selection options
- /a
Selects the best signing certificate automatically. SignTool finds all valid certificates that satisfy all specified conditions and selects the one that is valid for the longest time. This option is required if more than one valid signing certificate is present.
- /ac <file>
Adds an additional certificate from the specified file to the signature block.
- /c <name>
Specifies the Certificate Template Name (a Microsoft extension) of the signing certificate.
- /f <file>
Specifies the file that contains the signing certificate. If this is a .pfx file with a password, the password can be supplied with the /p option. If the file does not contain private keys, use the /csp and /kc options to specify the cryptographic service provider (CSP) and container name of the private key.
- /i <name>
Specifies the issuer of the signing certificate, or a substring of it.
- /n <name>
Specifies the subject name of the signing certificate, or a substring of it.
- /p <password>
Specifies a password to use when opening the .pfx file.
- /r <name>
Specifies the subject name of a root certificate to which the signing certificate chains.
- /s <name>
Specifies the store to open when searching for the certificate. The default is the "MY" store.
- /sm
Opens a machine store instead of a user store.
- /sha1 <hash>
Specifies the SHA1 hash of the signing certificate.
- /fd <algorithm>
Specifies the file digest algorithm used to create file signatures. The default is SHA1. SHA1 is no longer considered a strong digest for code signing; pass a stronger algorithm such as sha256 where the signtool build in use accepts it.
- /u <usage>
Specifies the enhanced key usage (EKU) that must be present in the certificate. The parameter can be specified by object identifier (OID) or by string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
- /uw
Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).
Private key selection options
- /csp <name>
Specifies the cryptographic service providers (CSPs) that contain the private key container.
- /kc <name>
Specifies the key container name of the private key.
Signing parameter options
- /d <description>
Provides a description of the signed content.
- /du <URL>
Provides a URL with more information about the signed content.
- /t <URL>
Specifies the URL of the timestamp server. If this option is not present, the signed file is not timestamped. A warning is generated if timestamping fails.
- /tr <URL>
Specifies the URL of the RFC 3161 timestamp server. If this option or the /t option is not specified, the signed file is not timestamped. A warning is generated if timestamping fails. This switch cannot be used with the /t switch.
- /td <algorithm>
Used with the /tr option to request a digest algorithm used by the RFC 3161 timestamp server.
Other options
- /ph
Generates page hashes for executable files if they are supported.
- /nph
Suppresses page hashes for executable files if they are supported. The default is determined by the SIGNTOOL_PAGE_HASHES environment variable and the wintrust.dll version.
- /q
Generates no status messages on success and minimal status messages on failure.
- /v
Generates verbose success and status messages. This option may also provide slightly more information when errors occur.
timestamp
Timestamps previously signed files. Either the /t or the /tr option is required.
- /q
Quiet. Generates no message on success and minimal status messages on failure.
- /t <URL>
Specifies the URL of the timestamp server. Either this option or the /tr option is required.
- /tr <URL>
Specifies the URL of the RFC 3161 timestamp server. Either this option or the /t option is required.
- /td <algorithm>
Used with the /tr switch to request a digest algorithm used by the RFC 3161 timestamp server.
- /v
Generates verbose success and status messages. This option may also provide slightly more information when errors occur.
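The sign and timestamp commands above are usually run together from a build script. The following PowerShell script is an added example, not code from the SignTool documentation: it signs a binary from a .pfx file, requests an RFC 3161 timestamp, and treats the "warning" exit code as a failure so an untimestamped build never ships. The file paths, the password environment variable and the timestamp server URL are hypothetical placeholders, and the script assumes that the signtool build in use accepts "sha256" for /fd and /td.

```powershell
# Added example (not from the SignTool documentation): sign, timestamp and
# verify a binary, failing the build on any non-zero signtool exit code.
# Assumptions (hypothetical, not from the page): the paths, the password
# variable and the timestamp URL below are placeholders, and the signtool
# build in use accepts "sha256" for /fd and /td.

$SignTool = "signtool.exe"                          # assumed to be on PATH
$Target   = ".\build\app.exe"                       # hypothetical file to sign
$Pfx      = ".\certs\codesign.pfx"                  # hypothetical signing certificate
$PfxPass  = $env:CODESIGN_PFX_PASSWORD              # keep the password out of the script
$TsaUrl   = "http://timestamp.example.invalid/tsr"  # hypothetical RFC 3161 server

if (-not $PfxPass) { throw "CODESIGN_PFX_PASSWORD is not set" }

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    return $LASTEXITCODE   # page's return values: 0 success, 1 failure, 2 warning
}

# 1. Sign with an embedded signature. /fd and /td select SHA-256 digests
#    instead of the SHA1 default; /tr and /td are used together.
$rc = Invoke-SignTool @(
    "sign", "/f", $Pfx, "/p", $PfxPass,
    "/fd", "sha256",
    "/tr", $TsaUrl, "/td", "sha256",
    "/d", "Example application", "/du", "https://example.invalid/app",
    "/v", $Target
)

switch ($rc) {
    0 { Write-Host "Signed and timestamped: $Target" }
    2 {
        # A warning from "sign" usually means the signature was written but the
        # timestamp request failed. Retry the timestamp on its own rather than
        # shipping a signature that becomes invalid when the certificate expires.
        Write-Warning "signtool sign returned 2 (warning); retrying timestamp only"
        $rc = Invoke-SignTool @("timestamp", "/tr", $TsaUrl, "/td", "sha256", "/v", $Target)
        if ($rc -ne 0) { throw "Timestamping failed with exit code $rc" }
    }
    default { throw "signtool sign failed with exit code $rc" }
}

# 2. Verify with the Default Authenticode policy. Without /pa SignTool applies
#    the Windows Driver policy, which is meant for drivers, not applications.
#    /tw turns a missing timestamp into a warning, which fails the build here.
$rc = Invoke-SignTool @("verify", "/pa", "/tw", "/v", $Target)
if ($rc -ne 0) { throw "Verification failed or warned (exit code $rc)" }
```

Passing the .pfx password with /p exposes it to anyone who can list process command lines on the build host; where possible keep the private key in a CSP container and select it with /csp and /kc (or a hardware token) instead of shipping a .pfx with the build.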
verify
Verifies embedded or catalog signatures. Catalogs are used to improve the efficiency of signing multiple files.
Catalog options
- /a
Automatically attempts to verify the file using all methods. First, this option searches for a catalog using all catalog databases. If the file is not signed in any catalog, it attempts to verify the embedded signature. When verifying files that may or may not be signed in a catalog, such as Windows files and drivers, this option is the easiest way to ensure that the signature is found.
- /ad
Finds the catalog automatically using the default catalog database.
- /as
Finds the catalog automatically using the system component (driver) catalog database.
- /ag <GUID>
Finds the catalog automatically in the specified catalog database. Catalog databases are identified by GUID.
- /c <file>
Specifies the catalog file.
- /o <version>
When verifying a file that is in a signed catalog, verifies that the file is valid for the specified platform. Parameter format is PlatformID:VerMajor.VerMinor.BuildNumber.
Verification policy options
SignTool uses the "Windows Driver" verification policy by default. The following options allow you to use an alternate policy.
- /pa
Uses the "Default Authenticode" verification policy.
- /pg <GUID>
Specifies the verification policy by GUID (also called ActionID).
Signature requirement options
- /r <name>
Specifies the Subject Name of a root certificate to which the signing certificate must chain.
- /tw
Generates a warning if the signature is not timestamped.
Other options
- /kp
Performs the verification with the kernel-mode driver signing policy.
- /q
Generates no status message on success and minimal messages on failure.
- /v
Generates verbose success and status messages. This option may also provide slightly more information when errors occur. Use this option to see information about the signer.
- /ph
Prints and verifies page hash values.
- /d
Prints Description and Description URL.
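Choosing the verification policy and pinning the expected root are the two checks that most often get skipped. The following PowerShell function is an added example, not code from the SignTool documentation: it verifies applications with the Default Authenticode policy and drivers with the kernel-mode policy, requires the chain to end at a named root (/r), and reports a missing timestamp (/tw) as a failure. The file paths and the root certificate subject name are hypothetical placeholders.

```powershell
# Added example (not from the SignTool documentation): verify files with the
# policy that matches their type and pin the expected root, so a binary signed
# under some other trusted CA does not pass by accident.
# Assumptions (hypothetical, not from the page): the paths and the root
# certificate subject name below are placeholders.

$SignTool = "signtool.exe"   # assumed to be on PATH

function Test-AuthenticodeFile {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedRoot,   # subject name of the root, for /r
        [switch]$Driver                                 # apply the kernel-mode driver policy
    )

    if ($Driver) {
        # /kp applies the kernel-mode driver signing policy; /a searches every
        # catalog database first and falls back to the embedded signature.
        $stArgs = @("verify", "/kp", "/a", "/r", $ExpectedRoot, "/tw", "/v", $Path)
    } else {
        # /pa selects the Default Authenticode policy; without it SignTool
        # applies the Windows Driver policy, which is not meant for applications.
        $stArgs = @("verify", "/pa", "/r", $ExpectedRoot, "/tw", "/v", $Path)
    }

    & $SignTool @stArgs
    $rc = $LASTEXITCODE

    # Exit codes from the page: 0 success, 1 failure, 2 warning. /tw makes a
    # missing timestamp a warning, which this function treats as a failure.
    switch ($rc) {
        0       { return $true }
        2       { Write-Warning "$Path verified with a warning (likely not timestamped)"; return $false }
        default { Write-Warning "$Path failed verification (exit code $rc)"; return $false }
    }
}

# Hypothetical inputs; replace with real files and the root that actually
# issued the chain for your signing certificate.
$results = @(
    [pscustomobject]@{ Path = ".\release\app.exe";    Driver = $false }
    [pscustomobject]@{ Path = ".\release\filter.sys"; Driver = $true  }
) | ForEach-Object {
    [pscustomobject]@{
        Path = $_.Path
        Ok   = Test-AuthenticodeFile -Path $_.Path -ExpectedRoot "Example Root CA" -Driver:$_.Driver
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

The /v output lists the signer chain; compare the root it prints against the value passed to /r when setting this up, since /r matches on the subject name and a typo there makes every file fail.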
catdb
Modifies a catalog database. If you do not specify a catalog database, SignTool operates on the system component (driver) database.
Catalog Database options
- /d
Operates on the default catalog database instead of the system component (driver) catalog database.
- /g <GUID>
Operates on the specified catalog database.
Other options
If you do not specify any other options, SignTool adds the specified catalogs to the catalog database, replacing any existing catalog that has the same name.
- /q
Quiet. Generates no message on success and minimal messages on failure.
- /r
Removes the specified catalogs from the catalog database.
- /u
Automatically generates a unique name for the added catalogs. If necessary, the catalog files are renamed to prevent name conflicts with existing catalog files.
- /v
Generates verbose success and status messages. This option may also provide slightly more information when errors occur.
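The catdb command is what makes catalog-signed files verifiable on a machine. The following PowerShell script is an added example, not code from the SignTool documentation: it registers an already signed catalog in the default catalog database, verifies a file that the catalog lists, and removes the catalog again. The catalog and file paths are hypothetical placeholders; creating and signing the catalog itself is outside this page, and modifying a catalog database needs an elevated session.

```powershell
# Added example (not from the SignTool documentation): register a signed
# catalog, verify a file through it, then remove the catalog again.
# Assumptions (hypothetical, not from the page): the catalog and file paths
# are placeholders, the catalog is already signed, and the session is elevated.

$SignTool = "signtool.exe"        # assumed to be on PATH
$Catalog  = ".\release\app.cat"   # hypothetical, already signed catalog
$Member   = ".\release\app.dll"   # hypothetical file listed in that catalog

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    return $LASTEXITCODE   # page's return values: 0 success, 1 failure, 2 warning
}

# /d targets the default catalog database rather than the driver database.
# With no other option, an existing catalog of the same name is replaced.
$rc = Invoke-SignTool @("catdb", "/d", "/v", $Catalog)
if ($rc -ne 0) { throw "catdb add failed with exit code $rc" }

try {
    # /ad looks up the file in the default catalog database; /pa applies the
    # Default Authenticode policy instead of the Windows Driver policy.
    $rc = Invoke-SignTool @("verify", "/ad", "/pa", "/v", $Member)
    if ($rc -ne 0) { throw "Catalog verification failed with exit code $rc" }
    Write-Host "$Member verified via catalog $Catalog"
}
finally {
    # /r removes the catalog so the database is left as it was found.
    $null = Invoke-SignTool @("catdb", "/d", "/r", $Catalog)
}
```

If unrelated catalogs might share a file name, add /u to the add step so SignTool assigns a unique name instead of replacing the existing catalog; in that case the registered name can differ from the original, so remove it by the name SignTool reports rather than by the original path.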
- filename[s]
One or more file names for SignTool to act on.
Return Value
Returns 0 on success, 1 on failure, and 2 on warning.