Sign


 

The Sign command runs any digital signing application that can be driven from the command line, such as Microsoft's ubiquitous Signtool.exe or EZSignit, from within the script. Its key addition is a list of timestamp servers: they are tried in turn until one succeeds or the retry count is exhausted. This reduces pipeline runs that fail because a single timestamp server returned an error, spreads load across servers, and enforces a gap between retries against the same server, since rapid repeated requests to one server could be treated as abusive.

IMPORTANT: This command runs third-party code signing tools. If you need help with the command-line syntax of a particular application, contact that product's support team. We cannot support third-party applications of which we have no knowledge and over which we have no control.

Command Syntax

 

Sign:[ExecutablePathAndFileName],[TargetPathAndFileName],[TimeStampFlag],[TimeStampServers],[Retries],[CommandLineArguments]

 

The colon after the command is compulsory, as are the commas, even where the value between them is left empty. The Sign command itself is not case sensitive, but its parameter values may be, depending on the program, operating system and locale.

 

Parameters:

 

ExecutablePathAndFileName: The fully qualified path and file name of the signing executable to run.

TargetPathAndFileName: The fully qualified path and file name of the file to be signed.

TimeStampFlag: The command-line switch that introduces the timestamp server URL. If left blank, the Signtool default '/tr' is used.

TimeStampServers: One or more timestamp server URLs separated by pipe (|) characters.

Retries: The number of times to retry time stamping. If left blank, the default of 1 is used.

CommandLineArguments: Any further arguments the signing tool requires. For Signtool this is where the sign verb and the certificate, provider and digest options go.

 

The ExecutablePathAndFileName parameter is compulsory. Whether CommandLineArguments is required depends on the application being run. If any required parameter is missing or invalid, an error is thrown. A parameter that contains one or more spaces must be surrounded by quotation marks; it is good practice to quote every parameter regardless, to reduce the risk of error when writing scripts.

 

Example:

 

; This example is designed for Signtool.exe. It could be written as a single Sign command, but the script uses variables to make it easier to read and to reuse where there are several objects to sign. For example, the Assign command can give the TargetFileName variable a new value while all other values remain the same, so several signings can share one set of Global or Local variables.

; Replace any items in square brackets with the correct values for your system. The brackets and braces inside the /k argument ([{{password}}]=container) are part of the eToken CSP key-container syntax and must be kept.

; Note that SigningPassword is held in clear text in this script and appears on the signtool command line; restrict who can read the script and who can see the build machine's process list accordingly.

 

Var:Retries,3

Var:SignTool,"[C:\Signing\signtool.exe]"

Var:SetupRoot,"[C:\Programming\Source\Distribution\Setup\MyApp]"

Var:SigningCertificate,"[C:\Code Signing Certificate\My App Code Signing Certificate.cer]"

Var:SigningPassword,"[MyPassword]" 

Var:SigningProvider,"eToken Base Cryptographic Provider"

Var:SigningKeyContainer,"[MyContainer]"

Var:SignToolParameters,$"sign /f \"%%SigningCertificate%%\" /csp \"%%SigningProvider%%\" /k [{{%%SigningPassword%%}}]=%%SigningKeyContainer%% /td sha256 /fd sha256"

Var:TargetFileName,"%%SetupRoot%%\myappinstaller.exe"

Var:TimeStampFlag,/tr

Var:TimeStampServers,"[http://timestamp.sectigo.com|http://timestamp.verisign.com/scripts/timstamp.dll|http://timestamp.globalsign.com/scripts/timstamp.dll]"

 

Sign:"%%SignTool%%",%%TargetFileName%%,%%TimeStampFlag%%,%%TimeStampServers%%,%%Retries%%,%%SignToolParameters%%
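The failover behaviour the Sign command provides (walk the pipe-separated server list, pause between attempts, stop at the first success or when the retries run out) is easy to get wrong in a hand-rolled build step. The following Python is an added example written for this page; it is not the scripting tool's own implementation, and the server URLs, paths and the assumption that one pass over the whole list counts as one retry are constructed for illustration. The runner is injectable so the logic can be exercised without a real Signtool.

```python
"""Failover timestamping in the style of the Sign command: iterate a
pipe-separated server list, retrying with a pause between attempts."""
import subprocess
import time
from typing import Callable, List, Sequence, Tuple

# Constructed stand-in for the script's TimeStampServers value.
# The hostnames are placeholders, not real timestamp authorities.
TIMESTAMP_SERVERS = (
    "http://ts-a.example.invalid|http://ts-b.example.invalid|http://ts-c.example.invalid"
)

Runner = Callable[[List[str]], int]


def parse_servers(value: str) -> List[str]:
    """Split the pipe-separated TimeStampServers string, dropping blank entries."""
    return [s.strip() for s in value.split("|") if s.strip()]


def build_argv(signtool: str, target: str, ts_flag: str, server: str,
               extra_args: Sequence[str]) -> List[str]:
    """Assemble the argument vector for one signing attempt.

    The arguments are kept as a list rather than a shell string, so paths with
    spaces and the eToken '[{{password}}]=container' token reach the tool intact.
    """
    return [signtool, *extra_args, ts_flag, server, target]


def run_signtool(argv: List[str]) -> int:
    """Default runner: execute the signing tool and return its exit code."""
    return subprocess.run(argv, check=False).returncode


def sign_with_failover(signtool: str, target: str, ts_flag: str,
                       servers_value: str, retries: int,
                       extra_args: Sequence[str],
                       runner: Runner = run_signtool,
                       pause_seconds: float = 5.0,
                       sleep: Callable[[float], None] = time.sleep,
                       ) -> Tuple[bool, List[Tuple[str, int]]]:
    """Sign `target`, trying each timestamp server in turn.

    One pass over the whole list counts as one try (an assumption about the
    tool's ordering); the list is walked again until signing succeeds or
    `retries` passes have been made. Every attempt after the first is preceded
    by a pause so no server is hit in a tight loop.
    Returns (success, [(server, exit_code), ...]).
    """
    servers = parse_servers(servers_value)
    if not servers:
        raise ValueError("TimeStampServers must name at least one server")
    if retries < 1:
        raise ValueError("Retries must be 1 or more")

    attempts: List[Tuple[str, int]] = []
    for _ in range(retries):
        for server in servers:
            if attempts:
                sleep(pause_seconds)
            # signtool fails the whole operation when the timestamp server
            # cannot be reached, so each attempt is a full sign-and-timestamp.
            rc = runner(build_argv(signtool, target, ts_flag, server, extra_args))
            attempts.append((server, rc))
            if rc == 0:
                return True, attempts
    return False, attempts


if __name__ == "__main__":
    # Dry run with a constructed runner: the first two servers "fail" and the
    # third "succeeds". Pass runner=run_signtool for a real signing pass.
    def demo_runner(argv: List[str]) -> int:
        print("would run:", " ".join(argv))
        return 0 if argv[argv.index("/tr") + 1].endswith("c.example.invalid") else 1

    ok, log = sign_with_failover(
        r"C:\Signing\signtool.exe", r"C:\Build\myappinstaller.exe", "/tr",
        TIMESTAMP_SERVERS, 3,
        ["sign", "/fd", "sha256", "/td", "sha256"],
        runner=demo_runner, sleep=lambda s: None)
    print("signed:", ok, "after", len(log), "attempt(s)")
```

The pause is applied before every attempt except the first, so the gap between two hits on the same server is at least one full pass over the list times the pause. Passing argv as a list rather than a single string is what keeps the quoting of the certificate path and the eToken `[{{password}}]=container` token from being re-parsed by a shell.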

 

See Also: Exec, Run, Conditional, DeleteFile, MoveFile, RenameFile