Signcode Tool (Compact 7)
3/12/2014
The Signcode tool (Signcode.exe) is a command-line tool that you use to sign a file with a certificate.
Syntax
signcode [options] <filename>
Parameters
- -spc <file>
Specifies the public key (.spc) file that contains software publishing certificates.
- -v <pvkFile>
Specifies the private key (.pvk) file name that contains the private key.
- -k <KeyName>
Specifies the key container name.
- -n <name>
Specifies a text name that represents the content of the file to be signed.
- -i <info>
Specifies a place to get more information about content, typically a URL.
- -p <provider>
Specifies the name of the cryptographic provider on the system.
- -y <type>
Specifies the cryptographic provider type to use.
- -ky <keytype>
Specifies the key type, which must be either signature, exchange, or an integer.
- -$ <authority>
Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the certificate's highest permission.
- -a <algorithm>
Specifies the hashing algorithm for signing, which must be either md5 or sha1. By default, this is set to md5.
- -t <URL>
Specifies that the file is to be timestamped by the timestamp server at the specified http address.
- -tr <number>
Specifies the maximum number of timestamp trials allowed until success. By default, this is set to 1.
- -tw <number>
Specifies the delay, in seconds, between each timestamp trial. By default, this is set to 0.
- -j <dllName>
Specifies the name of the .dll file that provides an array of authenticated attributes for signing files. You can specify more than one .dll file by repeating this option.
- -jp <param>
Specifies the parameter to be passed to the preceding .dll file, which is specified in turn by the -j parameter. You can only use one parameter per .dll file.
- -c <file>
Specifies the X509 file that contains the encoded software publishing certificate.
- -s <store>
Specifies the certificate store that contains the signing certificate. By default, this is set to my store.
- -r <location>
Specifies the location of the certificate store in the registry, which must be either currentuser or localmachine. By default, this is set to currentuser.
- -sp <policy>
Sets the certificate store policy, which must be either spcStore or chain. If you specify chain, all certificates in the verification chain, including self-signed certificates, are added to the signature. If you specify spcStore, trusted, self-signed certificates are not included with the certificates in the chain that are added to the signature. By default, this is set to spcStore.
- -cn <name>
Specifies the common name of the certificate.
- -sha1 <thumbPrint>
Specifies the sha1 hash of the certificate.
- -x
Specifies that the file is timestamped, but not signed.
- -ph
Specifies that page hashes should be included.
- -nph
Specifies that page hashes should be excluded.
Note
If your private key is in a .pvk file, to sign a file using an .spc file, the required options are -spc and -v. If your private key is in a registry key container, you must use -spc and -k.
Example
signcode -spc exepriv.cer -v exepriv.pvk -n "Signed using exepriv.cer" -a sha1 myapp.exe
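The following is an added example, not part of the original page or of Signcode itself: a small Python check for build scripts that parses a signcode command line using the options documented above and reports invocations that fall back to the md5 default, omit -t, or pass -spc without the -v or -k required by the Note. The function names and finding codes are hypothetical, and option matching is assumed to be exact as written in the parameter list.

```python
import shlex

# Options from the parameter list above that take a value; -x, -ph, -nph are switches.
VALUE_OPTS = {"-spc", "-v", "-k", "-n", "-i", "-p", "-y", "-ky", "-$", "-a", "-t",
              "-tr", "-tw", "-j", "-jp", "-c", "-s", "-r", "-sp", "-cn", "-sha1"}
SWITCHES = {"-x", "-ph", "-nph"}

def parse_signcode(cmdline):
    """Split one signcode command line into (options, target filename)."""
    # posix=False keeps Windows backslashes intact; quotes are stripped afterwards.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, target, i = {}, None, 1          # tokens[0] is the signcode executable
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS:
            if i + 1 >= len(tokens):
                raise ValueError(f"option {tok} is missing its value")
            opts.setdefault(tok, []).append(tokens[i + 1])   # -j may repeat
            i += 2
        elif tok in SWITCHES:
            opts[tok] = [True]
            i += 1
        elif tok.startswith("-"):
            raise ValueError(f"unknown option {tok}")
        else:
            target = tok                   # the <filename> argument
            i += 1
    return opts, target

def audit(cmdline):
    """Return a sorted list of finding codes (hypothetical names) for one invocation."""
    opts, _ = parse_signcode(cmdline)
    if "-x" in opts:                       # -x timestamps the file without signing it
        return ["timestamp-only-not-signed"]
    findings = set()
    algo = opts.get("-a", ["md5"])[-1].lower()   # documented default is md5
    if algo == "md5":
        findings.add("md5-explicit" if "-a" in opts else "md5-default")
    if "-t" not in opts:
        findings.add("no-timestamp")       # no timestamp server was named
    # Note section: with -spc, the key comes from -v (.pvk) or -k (key container).
    if "-spc" in opts and "-v" not in opts and "-k" not in opts:
        findings.add("spc-without-key-source")
    return sorted(findings)

# The command from the Example section of this page.
PAGE_EXAMPLE = 'signcode -spc exepriv.cer -v exepriv.pvk -n "Signed using exepriv.cer" -a sha1 myapp.exe'
```

Running audit(PAGE_EXAMPLE) reports only no-timestamp, because the page's example selects sha1 explicitly but does not pass -t.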