Usage: signtool [options] Valid commands: sign -- Sign files using an embedded signature. signwizard -- Launch the signing wizard. timestamp -- Timestamp previously-signed files. verify -- Verify embedded or catalog signatures. catdb -- Modify a catalog database. For help on a specific command, enter "signtool /?" Usage: signtool sign [options] Use the "sign" command to sign files using embedded signatures. Signing protects a file from tampering, and allows users to verify the signer (you) based on a signing certificate. The options below allow you to specify signing parameters and to select the signing certificate you wish to use. Certificate selection options: /a Select the best signing cert automatically. SignTool will find all valid certs that satisfy all specified conditions and select the one that is valid for the longest. If this option is not present, SignTool will expect to find only one valid signing cert. /c Specify the Certificate Template Name (Microsoft extension) of the signing cert. /f Specify the signing cert in a file. If this file is a PFX with a password, the password may be supplied with the "/p" option. If the file does not contain private keys, use the "/csp" and "/k" options to specify the CSP and container name of the private key. /i Specify the Issuer of the signing cert, or a substring. /n Specify the Subject Name of the signing cert, or a substring. /p Specify a password to use when opening the PFX file. /r Specify the Subject Name of a Root cert that the signing cert must chain to. /s Specify the Store to open when searching for the cert. The default is the "MY" Store. /sm Open a Machine store instead of a User store. /sha1 Specify the SHA1 hash of the signing cert. /u Specify the Enhanced Key Usage that must be present in the cert. The parameter may be specified by OID or by string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3). /uw Specify usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6). Private Key selection options: /csp Specify the CSP containing the Private Key Container. /k Specify the Key Container Name of the Private Key. Signing parameter options: /d Provide a description of the signed content. /du Provide a URL with more information about the signed content. /t Specify the timestamp server's URL. If this option is not present, the signed file will not be timestamped. A warning is generated if timestamping fails. Other options: /q No output on success and minimal output on failure. As always, SignTool returns 0 on success, 1 on failure, and 2 on warning. /v Print verbose success and status messages. This may also provide slightly more information on error. Usage: signtool signwizard [options] Use the "signwizard" command to sign files using a wizard. Options: /q No output on success and minimal output on failure. As always, SignTool returns 0 on success and 1 on failure. /v Print verbose success and status messages. This may also provide slightly more information on error. Usage: signtool timestamp [options] Use the "timestamp" command to add a timestamp to a previously-signed file. The "/t" option is required. /q No output on success and minimal output on failure. As always, SignTool returns 0 on success and 1 on failure. /t Specify the timestamp server's URL. This option is required. /v Print verbose success and status messages. This may also provide slightly more information on error. Usage: signtool verify [options] Use the "verify" command to verify embedded or catalog signatures. Verification determines if the signing certificate was issued by a trusted party, whether that certificate has been revoked, and whether the certificate is valid under a specific policy. Options allow you to specify requirements that must be met and to specify how to find the catalog, if appropriate. Catalogs are used by Microsoft and others to sign many files very efficiently. Catalog options: /a Automatically attempt to verify the file using all methods. First search for a catalog using all catalog databases. If the file is not signed in any catalog, attempt to verify the embedded signature. When verifying files that may or may not be signed in a catalog, such as Windows files and drivers, this option is the easiest way to ensure that the signature is found. /ad Find the catalog automatically using the default catalog database. /as Find the catalog automatically using the system component (driver) catalog database. /ag Find the catalog automatically in the specified catalog database. Catalog databases are identified by GUID. Example GUID: {F750E6C3-38EE-11D1-85E5-00C04FC295EE} /c Specify the catalog file. /o When verifying a file that is in a signed catalog, verify that the file is valid for the specified platform. Parameter format is: PlatformID:VerMajor.VerMinor.BuildNumber SignTool uses the "Windows Driver" Verification Policy by default. The options below to use alternate Policies may not be used with any catalog options. Verification Policy options: /pa Use the "Default Authenticode" Verification Policy. /pg Specify the verification policy by GUID (also called ActionID). Signature requirement options: /r Specify the Subject Name of a Root cert that the signing cert must chain to. /tw Generate a Warning if the signature is not timestamped. Other options: /q No output on success and minimal output on failure. As always, SignTool returns 0 on success, 1 on failure, and 2 on warning. /v Print verbose success and status messages. This may also provide slightly more information on error. If you want to see information about the signer, you should use this option. Usage: signtool catdb [options] Use the "catdb" command to add or remove catalog files to or from a catalog database. Catalog databases are used for automatic lookup of catalog files, and are identified by GUID. Catalog Database options allow you to select which catalog database to operate on. If you do not specify a catalog database, SignTool operates on the system component (driver) database. Catalog Database options: /d Operate on the default catalog database instead of the system component (driver) catalog database. /g Operate on the specified catalog database. Other options specify what to do with the selected catalog database, and other behavior. If you do not specify any other options, SignTool will add the specified catalogs to the catalog database, replacing any existing catalog which has the same name. Other options: /q No output on success and minimal output on failure. As always, SignTool returns 0 on success and 1 on failure. /r Remove the specified catalogs from the catalog database. /u Automatically generate a unique name for the added catalogs. The catalog files will be renamed if necessary to prevent name conflicts with existing catalog files. /v Print verbose success and status messages. This may also provide slightly more information on error.