CodeSignTool is a secure, privacy-oriented multi-platform Java command line utility for remotely signing Microsoft Authenticode and Java code objects with eSigner EV code signing certificates. Hashes of the files are sent to SSL.com for signing so that the code itself is not sent. This is ideal where sensitive files need to be signed, but should not be sent over the wire for signing. CodeSignTool is also ideal for automated batch processes for high volume signings or integration into existing CI/CD pipeline workflows.
For the full list of file types that CodeSignTool can sign, please refer to this article: eSigner Supported File Types
For instructions on how to automate EV Code Signing using signtool.exe or certutil.exe, please review this how-to.
If you are looking to use eSigner to sign documents instead, please refer to this DocSignTool guide.
CodeSignTool Installation
To install the current version of CodeSignTool, simply download and unzip the correct file for your OS:
Note that the Windows download includes a Java runtime, but the Linux/macOS version requires a Java runtime to be installed on your computer. The Windows version of the command is a batch file (CodeSignTool.bat) and the Linux/macOS version is a shell script (CodeSignTool.sh).
CodeSignTool Usage Overview
Usage: CodeSignTool [-hV] [COMMAND] [PARAMETERS]
Options:
-h, --help: Display help message and exit.
-V, --version: Display version information and exit.
Commands:
get_credential_ids: Output the list of eSigner credential IDs associated with a particular user.
credential_info: Output key and certificate information related to a credential ID.
sign: Sign and timestamp code object.
batch_sign: Sign and timestamp multiple code objects with one OTP.
hash: Pre-compute hash(es) for later use with the batch_sign_hash command.
batch_sign_hash: Sign hash(es) pre-computed with the hash command.
Parameters:
-access_token=<TOKEN>: OAuth access token.
-credential_id=<CREDENTIAL_ID>: Credential ID for signing certificate.
-input_dir_path=<PATH>: Input directory for code objects to be signed, have hashes computed, or pick unsigned files and corresponding hashes for signing.
-input_file_path=<PATH>: Path of code object to be signed.
-otp=<OTP>: OAuth OTP value from authentication app.
-output_dir_path=<PATH>: Directory where signed code object(s) will be written.
-password=<PASSWORD>: SSL.com account password.
-program_name=<PROGRAM_NAME>: Name of program (for MSI installers only).
-totp_secret=<TOTP_SECRET>: OAuth TOTP secret.
-username=<USERNAME>: SSL.com account username.
-override="true": Overwrites the signed file.
Example of a quoted password value containing special characters: -password="P!@^^ssword12"
CodeSignTool Commands
get_credential_ids
Output the list of eSigner credential IDs associated with a particular user. Parameters -username and -password are required.
Usage: CodeSignTool [-hV] get_credential_ids -username=<USERNAME> -password=<PASSWORD>
Example:
Entering CodeSignTool get_credential_ids
without the required parameters will display usage information for the command.
credential_info
Output key and certificate information related to a credential ID. Parameters -credential_id, -username, and -password are required.
Usage: CodeSignTool [-hV] credential_info -credential_id=<CREDENTIAL_ID> -username=<USERNAME> -password=<PASSWORD>
Example:
Entering CodeSignTool credential_info
without the required parameters will display usage information for the command.
scan_code
Enables a pre-signing malware scan. This scans your file for possible malware in order to avoid code compromise, and prevents signing of the code if malware is detected.
Usage: CodeSignTool scan_code [-hV] -credential_id=<credentialId> -input_file_path=<inputFilePath> -password=<password> [-program_name=<programName>] -username=<username>
For more detailed information on the security benefits of SSL.com’s Malware Scan service, you can visit our dedicated page.
sign
Sign and timestamp code object. Parameters -username, -password, and -input_file_path are required. -credential_id is required only for users with more than one eSigner code signing certificate. -output_dir_path, -program_name, and -totp_secret are optional.
Usage: CodeSignTool sign [-hV] [-credential_id=<CREDENTIAL_ID>] -username=<USERNAME> -password=<PASSWORD> -input_file_path=<PATH> [-output_dir_path=<PATH>] [-program_name=<PROGRAM_NAME>] [-totp_secret=<TOTP_SECRET>]
Optional parameters:
- If -credential_id is omitted and the user has only one eSigner code signing certificate, CodeSignTool will default to that. If the user has more than one code signing certificate, this parameter is mandatory.
- If -output_dir_path is omitted, the file specified in -input_file_path will be overwritten with the signed file. CodeSignTool will prompt the user before overwriting the file.
- If -program_name is present when signing an MSI installer, the value will be displayed in the confirmation dialog as the program name.
- If -totp_secret is present, CodeSignTool will calculate a time-based OTP for signing, allowing automated use of the tool. If this parameter is not present, the user will be prompted for manual OTP entry.
Examples:
Manual OTP Entry:
Automated OTP Generation:
Entering CodeSignTool sign
without the required parameters will display usage information for the command.
- The QR code you scanned into your authentication app doesn't match the username, password, and/or credential ID from your command. This could happen if:
  - You have multiple accounts configured for 2FA on your device and chose the wrong one.
  - You are attempting to use your login credentials for a shared certificate, but scanned a QR code shared by a teammate from their account.
- The OTP you entered has already expired.
- Your command includes an invalid TOTP secret.
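As an added example (not code from SSL.com's CodeSignTool), the following shows how a time-based OTP is derived from a TOTP secret, assuming the standard RFC 6238 parameters used by authenticator apps (HMAC-SHA1, 30-second step, 6 digits); the base32 secret encoding is an assumption and the sample seed is constructed. It illustrates the last two failure causes above: an OTP valid in one 30-second window is rejected in the next, and a wrong secret yields an unrelated code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed parameters: standard RFC 6238 TOTP (SHA-1, 30-second step, 6 digits).
TIME_STEP = 30
DIGITS = 6


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, unix_time: Optional[int] = None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time window."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_secret(secret), unix_time // step)


def verify_totp(secret: str, otp: str, unix_time: int, window: int = 0) -> bool:
    """Accept the OTP for the current window (plus +/- `window` adjacent steps).
    Constant-time comparison; an OTP from an older window is rejected."""
    counter = unix_time // TIME_STEP
    key = decode_secret(secret)
    candidates = [hotp(key, counter + d) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(c, otp) for c in candidates)


# Constructed sample: base32 of the RFC 6238 reference seed "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("OTP at T=59:", totp(SAMPLE_SECRET, 59))
    print("same OTP accepted 30 s later?", verify_totp(SAMPLE_SECRET, "287082", 89))
    print("OTP from a different secret:", totp("JBSWY3DPEHPK3PXP", 59))
```

In a pipeline the secret must come from a protected CI secret store rather than a command line, since anyone holding it can generate valid OTPs for the credential.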
batch_sign
Sign and timestamp up to 100 code files with one OTP. Parameters -username, -password, and -input_dir_path are required. -credential_id is required only for users with more than one eSigner code signing certificate. -output_dir_path, -program_name, and -totp_secret are optional.
Usage: CodeSignTool [-hV] batch_sign [-credential_id=<CREDENTIAL_ID>] -username=<USERNAME> -password=<PASSWORD> -input_dir_path=<PATH> [-output_dir_path=<PATH>] [-program_name=<PROGRAM_NAME>] [-totp_secret=<TOTP_SECRET>]
If you want to batch sign with malware checking, each code object in the batch must first be scanned with the scan_code command; afterwards the batch_sign command can be run.
Optional parameters:
- If -credential_id is omitted and the user has only one eSigner code signing certificate, CodeSignTool will default to that. If the user has more than one code signing certificate, this parameter is mandatory.
- If -output_dir_path is omitted, the files specified in -input_dir_path will be overwritten with the signed files. CodeSignTool will prompt the user before overwriting the files.
- If -program_name is present when signing an MSI installer, the value will be displayed in the confirmation dialog as the program name.
- If -totp_secret is present, CodeSignTool will calculate a time-based OTP for signing, allowing automated use of the tool. If this parameter is not present, the user will be prompted for manual OTP entry.
Example:
Entering CodeSignTool batch_sign
without the required parameters will display usage information for the command.
hash
Pre-compute hash(es) for later use with the batch_sign_hash command. Parameter -input_dir_path is required. -program_name is optional.
Usage: CodeSignTool [-hV] hash -input_dir_path=<PATH> [-program_name=<PROGRAM_NAME>]
Optional parameters:
- If -program_name is present when signing an MSI installer, the value will be displayed in the confirmation dialog as the program name.
Example:
Entering CodeSignTool hash
without the required parameters will display usage information for the command.
batch_sign_hash
Sign hash(es) pre-computed with the hash command. Parameters -access_token, -input_dir_path, -otp, and -output_dir_path are required. -credential_id is required only for users with more than one eSigner code signing certificate.
Usage: CodeSignTool [-hV] batch_sign_hash -access_token=<ACCESS_TOKEN> [-credential_id=<CREDENTIAL_ID>] -input_dir_path=<PATH> -output_dir_path=<PATH> -otp=<OTP>
Optional parameters:
- If -credential_id is omitted and the user has only one eSigner code signing certificate, CodeSignTool will default to that. If the user has more than one code signing certificate, this parameter is mandatory.
Example:
Entering CodeSignTool batch_sign_hash
without the required parameters will display usage information for the command.