Navigation:  Actions > Files > Sign Code >

Sign Code Action Files Tab

Previous pageReturn to chapter overviewNext page

This tab of the Sign Code action specifies the file to be signed and other output options.


File to sign: The filename to sign (required).  Must be a valid Windows executable (.exe, .dll, .ocx, .scr, .sys, .drv, .appx) or a .msi, .cab, .class, .js, or .vbs file.


Command: The command to perform on the file:

Sign adds or replaces a code signing digital certificate and optionally timestamps the certificate.
Timestamp updates the timestamp of the digital signature.
Verify verifies that the file is signed with a valid digital signature.


Append signature: Appends the signature.  If no primary signature is present, this signature is made the primary signature instead.  This can be useful when dual-signing an executable with SHA1 and SHA256 certificates (sign first with the SHA1 certificate, then append the SHA2 certificate for highest compatibility with all Windows versions).


Location: The location to retrieve the public and private key information for the digital certificate (a PFX file or a certificate store).


Store name/PFX File: The name of the certificate store (defaults to "My" if not provided") or the PFX file for the PFX file location option.


PFX password: The password used to encrypt the PFX file (required and applies only for PFX File location option).


Common name: The common name of the certificate in the certificate store (optional, does not apply for PFX File option).


Thumbprint: The SHA1 hash thumbprint of the certificate to sign with (optional).


Require only one matching valid certificate: If unchecked, the action will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If checked, the action expects to find only one matching, valid signing certificate.


For the Verify command, if this option is unchecked, all methods will be used to verify the file. First, the catalog databases are searched to determine whether the file is signed in a catalog. If the file is not signed in any catalog, the action attempts to verify the file's embedded signature. Unchecking this option is recommended when verifying files that may or may not be signed in a catalog. Examples of these files include Windows files or drivers.


Timestamp server: The URL of the timestamp server to use to timestamp the digital certificate (optional).  The certificate will not be timestamped if this field is blank.  Required for the timestamp command.


RFC 3161 timestamp server: If checked, the Timestamp server field specifies the URL of an RFC 3161-compatible timestamp server.  If unchecked, the Timestamp server field specifies the URL of a legacy Authenticode timestamp server.  Requires signtool.exe v6.2 or later.


Information URL: A URL to store in the certificate which provides more information about the file's content (optional).