SignTool.exe (Sign Tool)

Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and time-stamps files.

This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see Command Prompts.

At the command prompt, type the following:

Syntax

signtool [command] [options] [file_name | ...]

Parameters

Argument      Description
command       One of four commands (catdb, sign, Timestamp, or Verify) that specifies an operation to perform on a file. For a description of each command, see the next table.
options       An option that modifies a command. In addition to the global /q and /v options, each command supports a unique set of options.
file_name     The path to a file to sign.

The following commands are supported by Sign Tool. Each command is used with a distinct set of options, which are listed in their respective sections.

Command     Description
catdb       Adds a catalog file to, or removes it from, a catalog database. Catalog databases are used for automatic lookup of catalog files and are identified by GUID. For a list of the options supported by the catdb command, see catdb Command Options.
sign        Digitally signs files. Digital signatures protect files from tampering, and enable users to verify the signer based on a signing certificate. For a list of the options supported by the sign command, see sign Command Options.
Timestamp   Time-stamps files. For a list of the options supported by the TimeStamp command, see TimeStamp Command Options.
Verify      Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy. For a list of the options supported by the Verify command, see Verify Command Options.

The following options apply to all Sign Tool commands.

Global option   Description
/q              Displays no output if the command runs successfully, and displays minimal output if the command fails.
/v              Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages.
/debug          Displays debugging information.

catdb Command Options

The following table lists the options that can be used with the catdb command.

Catdb option   Description
/d             Specifies that the default catalog database is updated. If neither the /d nor the /g option is used, Sign Tool updates the system component and driver database.
/g GUID        Specifies that the catalog database identified by the globally unique identifier GUID is updated.
/r             Removes the specified catalogs from the catalog database. If this option is not specified, Sign Tool adds the specified catalogs to the catalog database.
/u             Specifies that a unique name is automatically generated for the added catalog files. If necessary, the catalog files are renamed to prevent name conflicts with existing catalog files. If this option is not specified, Sign Tool overwrites any existing catalog that has the same name as the catalog being added.

sign Command Options

The following table lists the options that can be used with the sign command.

Sign command option       Description
/a                        Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing certificate.
/ac file                  Adds an additional certificate from file to the signature block.
/as                       Appends this signature. If no primary signature is present, this signature is made the primary signature instead.
/c CertTemplateName       Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate.
/csp CSPName              Specifies the cryptographic service provider (CSP) that contains the private key container.
/d Desc                   Specifies a description of the signed content.
/du URL                   Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.
/f SignCertFile           Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /kc options to specify the CSP and private key container name.
/fd                       Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
/i IssuerName             Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.
/kc PrivKeyContainerName  Specifies the private key container name.
/n SubjectName            Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
/nph                      If supported, suppresses page hashes for executable files. The default is determined by the SIGNTOOL_PAGE_HASHES environment variable and by the wintrust.dll version. This option is ignored for non-PE files.
/p Password               Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)
/p7 Path                  Specifies that a Public Key Cryptography Standards (PKCS) #7 file is produced for each specified content file. PKCS #7 files are named path\filename.p7.
/p7ce Value               Specifies options for the signed PKCS #7 content. Set Value to "Embedded" to embed the signed content in the PKCS #7 file, or to "DetachedSignedData" to produce the signed data portion of a detached PKCS #7 file. If the /p7ce option is not used, the signed content is embedded by default.
/p7co <OID>               Specifies the object identifier (OID) that identifies the signed PKCS #7 content.
/ph                       If supported, generates page hashes for executable files.
/r RootSubjectName        Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.
/s StoreName              Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened.
/sha1 Hash                Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.
/sm                       Specifies that a machine store, instead of a user store, is used.
/t URL                    Specifies the URL of the time stamp server. If this option (or /tr) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the /tr option.
/td alg                   Used with the /tr option to request a digest algorithm used by the RFC 3161 time stamp server.
/tr URL                   Specifies the URL of the RFC 3161 time stamp server. If this option (or /t) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the /t option.
/u Usage                  Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
/uw                       Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).

For usage examples, see Using SignTool to Sign a File.
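A signing step built from the options above, as an added example that is not from the SignTool documentation: it selects the certificate from the machine store with /sm and /n instead of passing a PFX file and password on the command line, sets a SHA256 file digest and an RFC 3161 timestamp with /fd, /tr and /td, and maps the documented exit codes to a result. The subject name, timestamp URL and file paths are placeholders; signtool.exe is assumed to be on PATH (Developer Command Prompt).

```powershell
# Added example, not a Microsoft script. Signs each file with a certificate from the
# local machine's My store, a SHA256 file digest and an RFC 3161 timestamp, and
# reports SignTool's exit code. Assumes signtool.exe is on PATH.
function Invoke-SignToolSign {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $SubjectName  = 'My Company Certificate',        # placeholder subject name
        [string] $TimestampUrl = 'http://timestamp.example.com',  # placeholder RFC 3161 server
        [string] $Description  = ''
    )
    foreach ($file in $Path) {
        $stArgs = @(
            'sign',
            '/sm', '/s', 'My', '/n', $SubjectName,  # machine store: no PFX or password on the command line
            '/fd', 'SHA256',                        # file digest algorithm; SignTool's default is SHA1
            '/tr', $TimestampUrl, '/td', 'SHA256',  # RFC 3161 timestamp and the digest requested from it
            '/v'                                    # verbose output, including warnings
        )
        if ($Description) { $stArgs += @('/d', $Description) }
        $stArgs += $file

        $output = & signtool.exe @stArgs 2>&1 | Out-String
        $code   = $LASTEXITCODE

        # Documented exit codes: 0 success, 1 failure, 2 completed with warnings.
        # A failed timestamp request is one cause of exit code 2: the file is signed
        # but carries no timestamp, so the signature stops validating when the
        # certificate expires.
        $status = switch ($code) {
            0       { 'Signed' }
            2       { 'Signed with warnings (check the output for a timestamp failure)' }
            default { 'Failed' }
        }
        if ($code -ne 0) { Write-Warning "$file`n$output" }

        [pscustomobject]@{ File = $file; ExitCode = $code; Status = $status }
    }
}

# Usage (constructed paths): stop a build when any file did not sign cleanly.
$results = Invoke-SignToolSign -Path 'bin\Release\MyApp.exe', 'bin\Release\MyApp.dll' -Description 'MyApp'
$results | Format-Table -AutoSize
if ($results.ExitCode -contains 1) { exit 1 }
```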

TimeStamp Command Options

The following table lists the options that can be used with the TimeStamp command.

TimeStamp option   Description
/p7                Time stamps PKCS #7 files.
/t URL             Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the /t or the /tr option is required.
/td alg            Requests a digest algorithm used by the RFC 3161 time stamp server. /td is used with the /tr option.
/tp index          Time stamps the signature at index.
/tr URL            Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the /tr or the /t option is required.

For a usage example, see Adding Time Stamps to Previously Signed Files.

Verify Command Options

Verify option          Description
/a                     Specifies that all methods can be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, Sign Tool attempts to verify the file's embedded signature. This option is recommended when verifying files that may or may not be signed in a catalog. Examples of these files include Windows files or drivers.
/ad                    Finds the catalog by using the default catalog database.
/ag CatDBGUID          Finds the catalog in the catalog database that is identified by the CatDBGUID.
/all                   Verifies all signatures in a file that includes multiple signatures.
/as                    Finds the catalog by using the system component (driver) catalog database.
/c CatFile             Specifies the catalog file by name.
/d                     Specifies that Sign Tool should print the description and the description URL.
/ds Index              Verifies the signature at a specified position.
/hash (SHA1|SHA256)    Specifies an optional hash algorithm to use when searching for a file in a catalog.
/kp                    Specifies that verification should be performed with the kernel-mode driver signing policy.
/ms                    Uses multiple verification semantics. This is the default behavior of a WinVerifyTrust call on Windows 8 and above.
/o Version             Verifies the file by operating system version. Version has the following form: PlatformID:VerMajor.VerMinor.BuildNumber. PlatformID represents the underlying value of a PlatformID enumeration member. Important: The use of the /o switch is recommended. If /o is not specified, SignTool.exe may return unexpected results. For example, if you do not include the /o switch, system catalogs that validate correctly on an older operating system may not validate correctly on a newer operating system.
/p7                    Verifies PKCS #7 files. No existing policies are used for PKCS #7 validation. The signature is checked and a chain is built for the signing certificate.
/pa                    Specifies that the Default Authenticode Verification Policy should be used. If the /pa option is not specified, Sign Tool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.
/pg PolicyGUID         Specifies a verification policy by GUID. The PolicyGUID corresponds to the ActionID of the verification policy. This option cannot be used with the catdb options.
/ph                    Specifies that Sign Tool should print and verify page hash values.
/r RootSubjectName     Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value can be a substring of the entire subject name of the root certificate.
/tw                    Specifies that a warning should be generated if the signature is not time stamped.

For usage examples, see Using SignTool to Verify a File Signature.

Return Value

Sign Tool returns one of the following exit codes when it terminates.

Exit code   Description
0           Execution was successful.
1           Execution has failed.
2           Execution has completed with warnings.
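A verification gate built from the Verify options and the exit codes above, as an added example that is not from the SignTool documentation: it uses /pa for ordinary application binaries and /a (with an optional /o value) for Windows files that may be signed in a catalog, since /pa cannot be combined with the catdb options, and it treats exit code 2 as a failure when a timestamp is required. The file paths are placeholders; signtool.exe is assumed to be on PATH (Developer Command Prompt).

```powershell
# Added example, not a Microsoft script. Verifies a set of files and turns
# SignTool's documented exit codes into a pass/fail result. Assumes signtool.exe
# is on PATH.
function Test-SignToolSignature {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [switch] $Catalog,           # Windows files or drivers that may be signed in a catalog
        [string] $OsVersion,         # optional /o value, in the documented PlatformID:VerMajor.VerMinor.BuildNumber form
        [switch] $RequireTimestamp   # treat an untimestamped signature as a failure rather than a warning
    )
    foreach ($file in $Path) {
        $stArgs = @('verify', '/v', '/all', '/tw')   # /all: every signature; /tw: warn if not time stamped
        if ($Catalog) {
            # /a searches the catalog databases first, then the embedded signature.
            # The Windows Driver Verification Policy applies here because /pa cannot be
            # combined with the catdb options; /o is recommended for catalog lookups.
            $stArgs += '/a'
            if ($OsVersion) { $stArgs += @('/o', $OsVersion) }
        } else {
            $stArgs += '/pa'   # Default Authenticode policy for application binaries
        }
        $stArgs += $file

        $output = & signtool.exe @stArgs 2>&1 | Out-String
        $code   = $LASTEXITCODE

        # Documented exit codes: 0 success, 1 failure, 2 completed with warnings.
        $status = switch ($code) {
            0       { 'Verified' }
            2       { 'Verified with warnings' }   # includes the /tw warning when no timestamp is present
            default { 'NOT verified' }
        }
        # The exit code does not say which warning fired, so a strict gate
        # rejects any warning and leaves the verbose output for the reviewer.
        if ($code -eq 2 -and $RequireTimestamp) { $status = 'NOT verified (warnings, see output)' }
        if ($status -like 'NOT*') { Write-Warning "$file`n$output" }

        [pscustomobject]@{ File = $file; ExitCode = $code; Status = $status }
    }
}

# Usage (constructed paths): fail a release gate unless every binary verifies cleanly.
$results = Test-SignToolSignature -Path 'bin\Release\MyApp.exe', 'bin\Release\MyApp.dll' -RequireTimestamp
$results | Format-Table -AutoSize
if ($results.Status -like 'NOT*') { exit 1 }
```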

Examples

The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The /u option generates a unique name if necessary to prevent replacing an existing catalog file named MyCatalogFileName.cat.

signtool catdb /v /u MyCatalogFileName.cat

The following command signs a file automatically by using the best certificate.

signtool sign /a MyFile.exe

The following command digitally signs a file by using a certificate stored in a password-protected PFX file.

signtool sign /f MyCert.pfx /p MyPassword MyFile.exe

The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file.

signtool sign /f MyCert.pfx /t http://timestamp.digicert.com MyFile.exe

The following command signs a file by using a certificate located in the My store that has a subject name of My Company Certificate.

signtool sign /n "My Company Certificate" MyFile.exe

The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control.

signtool sign /f MyCert.pfx /d "MyControl" /du http://www.example.com/MyControl/info.html MyControl.exe

The following command time-stamps a file that has already been digitally signed.

signtool timestamp /t http://timestamp.digicert.com MyFile.exe

The following command verifies that a file has been signed.

signtool verify MyFile.exe

The following command verifies a system file that may be signed in a catalog.

signtool verify /a SystemFile.dll

The following command verifies a system file that is signed in a catalog named MyCatalog.cat.

signtool verify /c MyCatalog.cat SystemFile.dll

See also