NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

File Signing Utility (signcode.exe)

Signcode (the File Signing utility) signs a portable executable (PE) file with requested permissions to give developers more detailed control over the security restrictions placed on their component. You can sign a component or an assembly. If you are distributing an assembly rather than individual components (i.e., .dlls or .exes), you should sign the assembly, not the individual components. If signcode is run without any options, it launches a wizard to help with signing.

For more information on permissions granted through code access security, see Permissions.

signcode [options] filename
Argument          Description
filename          The name of the assembly or component to be signed.

Option            Description
-$ authority      Signing authority of the certificate, either individual or commercial. The default is to use the certificate's highest permission.
-a algorithm      Hashing algorithm for signing, either md5 or sha1 (the default is md5).
-c file           Software publishing certificate file.
-cn name          The common name of the certificate.
-i info           Place to get more information on content (usually a URL).
-j dllName        Name of a DLL that returns an array of authenticated attributes for signing files. The user can specify more than one DLL by repeating the -j option.
-jp param         Parameter to be passed for the preceding DLL (specified using the -j option).
-k keyname        Key container name.
-ky keytype       Key type (signature | exchange | integer).
-n name           Text name representing content of the file to be signed.
-p provider       Name of the cryptographic provider on the system.
-r location       Location of the certificate store in the registry, either localMachine or currentUser. The default is currentUser.
-s store          Certificate store containing signing certificates.
-sha1 thumbprint  The sha1 hash (thumbprint) of the signing certificate included in the certificate store.
-sp policy        Add all the certificates in the chain or add only to SPC store (the default is chain).
-spc file         SPC file containing software publishing certificates.
-t URL            Timestamp server's http address.
-tr number        The number of timestamp attempts until success (the default is 1).
-tw number        The delay, in seconds, between timestamp attempts (the default is 0).
-v pvkFile        PVK filename containing the private key.
-x                Do not sign the file. Only timestamp the file.
-y type           Cryptographic provider type to use.
-?                Displays command-line help.

Remarks

To sign with a software publisher certificate (SPC) file, the required options are /spc and /v if your private key is in a PVK file. If your private key is in a registry key container, /spc and /k are the required options. If you sign with an SPC file, you should create the SPC file using makecert and cert2spc.

Examples

The following signs XYZ.exe using the XYZ.spc Software Publisher Certificate.

signcode /spc XYZ.spc /k XYZ XYZ.exe

The following signs an assembly using the certificate in myCertificate.spc and the private key in myKey.pvk.

signcode /spc myCertificate.spc /v myKey.pvk myAssembly
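
The option rules from Remarks, as an added example in Python (not part of the SDK documentation): a helper for a build script that assembles a signcode command line, requires exactly one private-key source, and always passes -a explicitly rather than relying on the md5 default. The function and parameter names, the exactly-one-key-source rule, and the timestamp URL are assumptions made for illustration.

```python
# Added example (not from the SDK): builds a signcode argument list from the
# options documented on this page. Function and parameter names are assumptions.
from typing import List, Optional

ALGORITHMS = ("md5", "sha1")  # the two values the -a option accepts


def build_signcode_args(filename: str, spc: str,
                        pvk: Optional[str] = None,
                        key_container: Optional[str] = None,
                        algorithm: str = "sha1",
                        timestamp_url: Optional[str] = None,
                        timestamp_tries: int = 1,
                        timestamp_wait: int = 0) -> List[str]:
    """Return the argv for one signcode run, or raise ValueError."""
    # Remarks: with an SPC file the key comes from a PVK file (-v) or a
    # key container (-k). Require exactly one so the key source is explicit
    # (a choice made by this example).
    if not spc:
        raise ValueError("-spc file is required")
    if (pvk is None) == (key_container is None):
        raise ValueError("give exactly one of pvk (-v) or key_container (-k)")
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be md5 or sha1")
    if timestamp_tries < 1 or timestamp_wait < 0:
        raise ValueError("invalid timestamp retry settings")

    args = ["signcode", "-spc", spc]
    args += ["-v", pvk] if pvk is not None else ["-k", key_container]
    # Always pass -a so the signature never depends on the md5 default.
    args += ["-a", algorithm]
    if timestamp_url is not None:
        args += ["-t", timestamp_url,
                 "-tr", str(timestamp_tries), "-tw", str(timestamp_wait)]
    args.append(filename)  # the file to sign goes last
    return args


if __name__ == "__main__":
    # Constructed inputs: file names from the page's examples, placeholder URL.
    print(build_signcode_args("myAssembly", "myCertificate.spc", pvk="myKey.pvk"))
    print(build_signcode_args("XYZ.exe", "XYZ.spc", key_container="XYZ",
                              timestamp_url="http://timestamp.example/",
                              timestamp_tries=3, timestamp_wait=5))
```

The returned list can be passed to subprocess.run on a machine where signcode is on the path.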

See Also

Permissions