SignTool.exe (Sign Tool)

Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and time-stamps files.

This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt (or the Visual Studio Command Prompt in Windows 7). For more information, see Command Prompts.

At the command prompt, type the following:

Syntax

signtool [command] [options] [file_name | ...]

Parameters

Argument    Description
command     One of four commands (catdb, sign, Timestamp, or Verify) that specifies an operation to perform on a file. For a description of each command, see the next table.
options     An option that modifies a command. In addition to the global /q and /v options, each command supports a unique set of options.
file_name   The path to a file to sign.

The following commands are supported by Sign Tool. Each command is used with distinct sets of options, which are listed in their respective sections.

Command     Description
catdb       Adds a catalog file to, or removes it from, a catalog database. Catalog databases are used for automatic lookup of catalog files and are identified by GUID. For a list of the options supported by the catdb command, see catdb Command Options.
sign        Digitally signs files. Digital signatures protect files from tampering, and enable users to verify the signer based on a signing certificate. For a list of the options supported by the sign command, see sign Command Options.
Timestamp   Time-stamps files. For a list of the options supported by the TimeStamp command, see TimeStamp Command Options.
Verify      Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy. For a list of the options supported by the Verify command, see Verify Command Options.

The following options apply to all Sign Tool commands.

Global option   Description
/q              Displays no output if the command runs successfully, and displays minimal output if the command fails.
/v              Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages.
/debug          Displays debugging information.

catdb Command Options

The following table lists the options that can be used with the catdb command.

Catdb option   Description
/d             Specifies that the default catalog database is updated. If neither the /d nor the /g option is used, Sign Tool updates the system component and driver database.
/g GUID        Specifies that the catalog database identified by the globally unique identifier GUID is updated.
/r             Removes the specified catalogs from the catalog database. If this option is not specified, Sign Tool adds the specified catalogs to the catalog database.
/u             Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files are renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool overwrites any existing catalog that has the same name as the catalog being added.

sign Command Options

The following table lists the options that can be used with the sign command.

Sign command option        Description
/a                         Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing certificate.
/ac file                   Adds an additional certificate from file to the signature block.
/as                        Appends this signature. If no primary signature is present, this signature is made the primary signature instead.
/c CertTemplateName        Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.
/csp CSPName               Specifies the cryptographic service provider (CSP) that contains the private key container.
/d Desc                    Specifies a description of the signed content.
/du URL                    Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.
/f SignCertFile            Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /kc options to specify the CSP and private key container name.
/fd                        Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
/i IssuerName              Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.
/kc PrivKeyContainerName   Specifies the private key container name.
/n SubjectName             Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
/nph                       If supported, suppresses page hashes for executable files. The default is determined by the SIGNTOOL_PAGE_HASHES environment variable and by the wintrust.dll version. This option is ignored for non-PE files.
/p Password                Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)
/p7 Path                   Specifies that a Public Key Cryptography Standards (PKCS) #7 file is produced for each specified content file. PKCS #7 files are named path\filename.p7.
/p7ce Value                Specifies options for the signed PKCS #7 content. Set Value to "Embedded" to embed the signed content in the PKCS #7 file, or to "DetachedSignedData" to produce the signed data portion of a detached PKCS #7 file. If the /p7ce option is not used, the signed content is embedded by default.
/p7co <OID>                Specifies the object identifier (OID) that identifies the signed PKCS #7 content.
/ph                        If supported, generates page hashes for executable files.
/r RootSubjectName         Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.
/s StoreName               Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.
/sha1 Hash                 Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.
/sm                        Specifies that a machine store, instead of a user store, is used.
/t URL                     Specifies the URL of the time stamp server. If this option (or /tr) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the /tr option.
/td alg                    Used with the /tr option to request a digest algorithm used by the RFC 3161 time stamp server.
/tr URL                    Specifies the URL of the RFC 3161 time stamp server. If this option (or /t) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the /t option.
/u Usage                   Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
/uw                        Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).

For usage examples, see Using SignTool to Sign a File.

TimeStamp Command Options

The following table lists the options that can be used with the TimeStamp command.

TimeStamp option   Description
/p7                Time stamps PKCS #7 files.
/t URL             Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the /t or the /tr option is required.
/td alg            Requests a digest algorithm used by the RFC 3161 time stamp server. /td is used with the /tr option.
/tp index          Time stamps the signature at index.
/tr URL            Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the /tr or the /t option is required.

For a usage example, see Adding Time Stamps to Previously Signed Files.

Verify Command Options

Verify option          Description
/a                     Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of these files include Windows files or drivers.
/ad                    Finds the catalog by using the default catalog database.
/ag CatDBGUID          Finds the catalog in the catalog database that is identified by the CatDBGUID.
/all                   Verifies all signatures in a file that includes multiple signatures.
/as                    Finds the catalog by using the system component (driver) catalog database.
/c CatFile             Specifies the catalog file by name.
/d                     Specifies that Sign Tool should print the description and the description URL.
/ds Index              Verifies the signature at a specified position.
/hash (SHA1|SHA256)    Specifies an optional hash algorithm to use when searching for a file in a catalog.
/kp                    Specifies that verification should be performed with the kernel-mode driver signing policy.
/ms                    Uses multiple verification semantics. This is the default behavior of a WinVerifyTrust call on Windows 8 and above.
/o Version             Verifies the file by operating system version. Version has the following form: PlatformID:VerMajor.VerMinor.BuildNumber. PlatformID represents the underlying value of a PlatformID enumeration member. Important: The use of the /o switch is recommended. If /o is not specified, SignTool.exe may return unexpected results. For example, if you do not include the /o switch, system catalogs that validate correctly on an older operating system may not validate correctly on a newer operating system.
/p7                    Verifies PKCS #7 files. No existing policies are used for PKCS #7 validation. The signature is checked and a chain is built for the signing certificate.
/pa                    Specifies that the Default Authenticode Verification Policy should be used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.
/pg PolicyGUID         Specifies a verification policy by GUID. The PolicyGUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options.
/ph                    Specifies that Sign Tool should print and verify page hash values.
/r RootSubjectName     Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.
/tw                    Specifies that a warning should be generated if the signature is not time stamped.

For usage examples, see Using SignTool to Verify a File Signature.

Return Value

Sign Tool returns one of the following exit codes when it terminates.

Exit code   Description
0           Execution was successful.
1           Execution has failed.
2           Execution has completed with warnings.

Examples

The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The /u option generates a unique name if necessary to prevent replacing an existing catalog file named MyCatalogFileName.cat.

signtool catdb /v /u MyCatalogFileName.cat

The following command signs a file automatically by using the best certificate.

signtool sign /a MyFile.exe

The following command digitally signs a file by using a certificate stored in a password-protected PFX file.

signtool sign /f MyCert.pfx /p MyPassword MyFile.exe

The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file.

signtool sign /f MyCert.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll MyFile.exe

The following command signs a file by using a certificate located in the My store that has a subject name of My Company Certificate.

signtool sign /n "My Company Certificate" MyFile.exe

The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control.

signtool sign /f MyCert.pfx /d "MyControl" /du http://www.example.com/MyControl/info.html MyControl.exe

The following command time-stamps a file that has already been digitally signed.

signtool timestamp /t http://timestamp.verisign.com/scripts/timstamp.dll MyFile.exe

The following command verifies that a file has been signed.

signtool verify MyFile.exe

The following command verifies a system file that may be signed in a catalog.

signtool verify /a SystemFile.dll

The following command verifies a system file that is signed in a catalog named MyCatalog.cat.

signtool verify /c MyCatalog.cat SystemFile.dll
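The examples above each run one command in isolation. The following PowerShell script, added here as an example and not part of the SignTool documentation, chains the sign, RFC 3161 time stamp, and verify steps from the option tables and maps the exit codes from the Return Value table (0, 1, 2) onto pass, warn, and fail. It assumes signtool.exe is on the PATH (as in a Developer Command Prompt); the file name, PFX path, and time stamp URL are placeholders.

```powershell
# Added example, not from the SignTool documentation. Assumptions: signtool.exe
# is on PATH; $File, $Pfx and $TsUrl are placeholders to replace.
param(
    [string]$File  = "MyFile.exe",
    [string]$Pfx   = "MyCert.pfx",
    [string]$TsUrl = "http://timestamp.example.invalid/tsa"   # placeholder RFC 3161 URL
)

# Run signtool and interpret its exit code per the Return Value table:
# 0 = success, 1 = failure, 2 = completed with warnings.
function Invoke-SignTool([string[]]$Arguments) {
    & signtool.exe @Arguments
    switch ($LASTEXITCODE) {
        0 { return $true }
        2 { Write-Warning "signtool completed with warnings: $($Arguments -join ' ')"; return $true }
        default { throw "signtool failed (exit $LASTEXITCODE): $($Arguments -join ' ')" }
    }
}

# Prompt for the PFX password rather than hard-coding it in the script.
$secure   = Read-Host -AsSecureString "PFX password"
$password = [System.Net.NetworkCredential]::new("", $secure).Password

# Sign with an explicit SHA256 file digest (/fd; the page notes the default is
# SHA1) and an RFC 3161 time stamp (/tr with /td). /t and /tr are mutually
# exclusive per the sign option table, so only /tr is used here.
Invoke-SignTool @("sign", "/fd", "SHA256", "/f", $Pfx, "/p", $password,
                  "/tr", $TsUrl, "/td", "SHA256", "/v", $File)

# Verify with the Default Authenticode Verification Policy (/pa); without /pa
# signtool applies the Windows Driver Verification Policy. /tw makes a missing
# time stamp surface as a warning (exit code 2) instead of a silent pass.
Invoke-SignTool @("verify", "/pa", "/tw", "/v", $File)
```

A time stamp failure during sign is reported by signtool as a warning, so the script logs it via exit code 2 and continues to the verify step, where /tw flags the unstamped signature.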

See Also

Tools
Command Prompts