File Signing Tool (Signcode.exe)

The File Signing tool signs a portable executable (PE) file (.dll or .exe file) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly. If you are distributing an assembly, you should sign the assembly rather than the individual files. Running Signcode.exe without specifying any options launches a wizard that helps with signing.

The File Signing Tool ships only with the .NET Framework SDK versions 1.0 and 1.1. In later versions, use the Sign Tool (SignTool.exe) utility instead.

signcode [options] filename | assemblyname

Parameters

Argument Description

filename

The name of the PE file to sign.

assemblyname

The name of the assembly to sign. This file must contain an assembly manifest.

Option Description

-$ authority

Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the certificate's highest permission.

-a algorithm

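Specifies the hashing algorithm for signing, which must be either md5 (the default) or sha1. Because md5 is the default, a command that omits -a produces an MD5 digest; MD5 is no longer collision resistant, so specify -a sha1 explicitly.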

-c file

Specifies the file that contains the encoded software publishing certificate.

-cn name

Specifies the common name of the certificate.

-i info

Specifies a place to get more information on content (usually a URL).

-j dllName

Specifies the name of a DLL that returns an array of authenticated attributes for signing files. You can specify more than one DLL by repeating the -j option.

-jp param

Specifies a parameter to be passed for the preceding DLL. For example: -j dll1 -jp dll1Param. The tool allows only one parameter per DLL.

-k keyname

Specifies the key container name.

-ky keytype

Specifies the key type, which must be signature, exchange, or an integer (such as 4).

-n name

Specifies a text name that represents the content of the file to sign.

-p provider

Specifies the name of the cryptographic provider on the system.

-r location

Specifies the location of the certificate store in the registry, which must be either currentuser (the default) or localmachine.

-s store

Specifies the certificate store that contains the signing certificate. The default is the my store.

-sha1 thumbprint

Specifies the thumbprint, which is the sha1 hash of the signing certificate included in the certificate store.

-sp policy

Sets the certificate store policy, which must be either spcStore (the default) or chain. If you specify chain, all certificates in the verification chain, including self-signed certificates, are added to the signature. If you specify spcStore, trusted, self-signed certificates are not included with the certificates in the chain that are added to the signature.

-spc file

Specifies the SPC file that contains software publishing certificates.

-t URL

Indicates that the file is to be timestamped by the timestamp server at the specified HTTP address.

-tr number

Specifies the maximum number of timestamp trials until success; defaults to 1.

-tw number

Specifies the delay (in number of seconds) between each timestamp trial. Defaults to 0.

-v pvkFile

Specifies the private key (.pvk) file name that contains the private key.

-x

Timestamps, but does not sign, the file.

-y type

Specifies the cryptographic provider type to use.

A cryptographic provider contains implementations of cryptographic standards and algorithms. For a list of the default provider types, see "Microsoft Cryptographic Service Providers" in the Platform SDK.

-?

Displays command syntax and options for the tool.

Remarks

To sign with a software publisher certificate (SPC) file, you must specify the -spc and -v options if your private key is in a PVK file. If your private key is in a registry key container, you must specify the -spc and -k options. If you want to sign your file with an SPC file, you should create the SPC file using the Certificate Creation tool and the Software Publisher Certificate Test tool.

Examples

The following command signs XYZ.exe using the XYZ.spc Software Publisher Certificate and the private key in the registry key container XYZ.

signcode /spc XYZ.spc /k XYZ XYZ.exe

The following command signs the assembly myAssembly using the certificate in myCertificate.spc and the private key in myKey.pvk.

signcode /spc myCertificate.spc /v myKey.pvk myAssembly
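
An added example, not part of the original documentation or of the tool: a small Python check for build scripts that parses a signcode command line using the option table above and flags invocations that fall back to the md5 default, give -spc without the -v or -k that Remarks requires, or omit -t. The finding names and the timestamp URL are constructed for illustration, and option names are matched exactly as the table spells them.

```python
import shlex

# Options from the table above that take one value; -x and -? take none.
TAKES_VALUE = {"$", "a", "c", "cn", "i", "j", "jp", "k", "ky", "n", "p", "r",
               "s", "sha1", "sp", "spc", "t", "tr", "tw", "v", "y"}
SWITCHES = {"x", "?"}

def parse_signcode(cmdline):
    """Split one signcode command line into ({option: [values]}, [targets])."""
    # posix=False keeps backslashes in Windows paths intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, targets = {}, []
    it = iter(tokens[1:])  # tokens[0] is the signcode executable itself
    for tok in it:
        # The page's syntax uses "-" and its examples use "/" as the prefix.
        name = tok[1:] if tok[:1] in ("-", "/") else None
        if name in TAKES_VALUE:
            value = next(it, None)
            if value is None:
                raise ValueError(f"option {tok} is missing its value")
            opts.setdefault(name, []).append(value)  # -j may repeat
        elif name in SWITCHES:
            opts[name] = [True]
        elif name is not None:
            raise ValueError(f"unknown option {tok}")
        else:
            targets.append(tok)
    return opts, targets

def audit(cmdline):
    """Return a list of finding ids (constructed names) for one invocation."""
    opts, _ = parse_signcode(cmdline)
    findings = []
    if "x" not in opts:  # -x only timestamps, so no digest is chosen
        if opts.get("a", ["md5"])[-1].lower() == "md5":
            findings.append("md5-digest")  # explicit, or the tool default
        if "spc" in opts and not ("v" in opts or "k" in opts):
            findings.append("spc-without-key")  # Remarks: needs -v or -k
    if "t" not in opts:
        findings.append("no-timestamp")  # signature carries no timestamp
    return findings

# The page's two examples plus one constructed line (placeholder URL).
SAMPLES = [
    "signcode /spc XYZ.spc /k XYZ XYZ.exe",
    "signcode /spc myCertificate.spc /v myKey.pvk myAssembly",
    r'signcode -spc "C:\keys\my.spc" -k XYZ -a sha1 '
    "-t http://timestamp.example.test/ -tr 3 -tw 2 XYZ.exe",
]
```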

See Also

Reference

.NET Framework Tools
Certificate Creation Tool (Makecert.exe)
Software Publisher Certificate Test Tool (Cert2spc.exe)
SDK Command Prompt

Concepts

Security Permissions