Signcode (the File Signing utility) signs a portable executable (PE) file with requested permissions to give developers more detailed control over the security restrictions placed on their component. You can sign a component or an assembly. If you are distributing an assembly rather than individual components (i.e., .dlls or .exes), you should sign the assembly, not the individual components. If signcode is run without any options, it launches a wizard to help with signing.
For more information on permissions granted through code access security, see Permissions.
signcode [options] filename
Argument | Description |
---|---|
filename | The name of the assembly or component to be signed. |
Option | Description |
---|---|
-$ authority | Signing authority of the certificate, either individual or commercial. The default is using the certificate's highest permission. |
-a algorithm | Hashing algorithm for signing, either md5 or sha1 (the default is md5). |
-c file | Software publishing certificate file. |
-cn name | The common name of the certificate. |
-i info | Place to get more information on content (usually a URL). |
-j dllName | Name of a DLL that returns an array of authenticated attributes for signing files. The user can specify more than one DLL by repeating the -j option. |
-jp param | Parameter to be passed for the preceding DLL (specified using the /j option). |
-k keyname | Key container name. |
-ky keytype | Key type (signature, exchange, or integer). |
-n name | Text name representing content of the file to be signed. |
-p provider | Name of the cryptographic provider on the system. |
-r location | Location of the certificate store in the registry, either localMachine or currentUser. The default is currentUser. |
-s store | Certificate store containing signing certificates. |
-sha1 thumbprint | The thumbprint is the sha1 hash of the signing certificate included in the certificate store. |
-sp policy | Add all the certificates in the chain or add only to SPC store (the default is chain). |
-spc file | SPC file containing software publishing certificates. |
-t URL | Timestamp server's http address. |
-tr number | The number of timestamp trials until success; defaults to 1. |
-tw number | The delay (in number of seconds) between each timestamp. Defaults to 0. |
-v pvkFile | PVK filename containing the private key. |
-x | Do not sign the file. Only timestamp the file. |
-y type | Cryptographic provider type to use. |
-? | Displays command-line help. |
To sign with a software publisher certificate (SPC) file, the required options are /spc and /v if your private key is in a PVK file. If your private key is in a registry key container, /spc and /k are the required options. If you sign with an SPC file, you should create the SPC file using makecert and cert2spc.
The following signs XYZ.exe using the XYZ.spc Software Publisher Certificate.
signcode /spc XYZ.spc /k XYZ XYZ.exe
The following signs an assembly using the certificate in myCertificate.spc and the private key in myKey.pvk.
signcode /spc myCertificate.spc /v myKey.pvk myAssembly
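The following batch script is an added example, not part of the original reference. It signs with sha1 instead of the md5 default, then timestamps in a separate pass with -x so that a timestamp server failure can be told apart from a signing failure. The file names, the content name, and both URLs are placeholders, and the script assumes signcode returns a nonzero exit code on failure.

```batch
@echo off
rem Added example. All names and URLs below are placeholders (assumptions).
setlocal
set SPC=myCertificate.spc
set PVK=myKey.pvk
set TARGET=myAssembly
set INFOURL=http://www.example.invalid/
set TSURL=http://timestamp.example.invalid/

rem Pass 1: sign only. -a sha1 overrides the md5 default; -n and -i set the
rem content name and the "more information" URL stored with the signature.
signcode -spc %SPC% -v %PVK% -a sha1 -n "My Assembly" -i %INFOURL% %TARGET%
if errorlevel 1 (
    echo Signing failed. Check the SPC file, the PVK file and its password.
    exit /b 1
)

rem Pass 2: timestamp only (-x). Try up to 5 times (-tr), waiting
rem 10 seconds between attempts (-tw), to ride out a busy timestamp server.
signcode -x -t %TSURL% -tr 5 -tw 10 %TARGET%
if errorlevel 1 (
    echo Timestamping failed. %TARGET% is signed but carries no timestamp.
    exit /b 2
)

echo %TARGET% signed and timestamped.
endlocal
```

If the private key is in a registry key container rather than a PVK file, replace -v %PVK% with -k and the key container name.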
Permissions