Digitally signing binaries via a Signing Manager Controller (SMCTL) typically involves using the SMCTL command-line utility to interact with a code signing certificate and keypair managed by a certificate authority or a cloud-based key management service.
1. Sign Using the Default Signing Tool
SMCTL selects the appropriate signing tool according to file type and operating system. If no signing tool is specified on the command line, SMCTL picks the best one available on the system and performs the signing operation with it.
This is convenient for users who want correct, secure digital signatures without having to invoke the underlying signing tools by hand.
Keypair Alias Method (Preferred)
The keypair alias method is the recommended way to sign binaries, since it works with any of the supported signing tools. SMCTL uses the private key associated with the given alias to carry out the signing.
It is also preferred because it spares the user from having to specify a certificate fingerprint explicitly.
To sign a file using the keypair alias, the following command is given:
smctl sign --keypair-alias <keypair alias> --input <path to file>
Example:
smctl sign --keypair-alias kp3 --input C:\Users\Name\Desktop\file_to_sign.exe
This makes certificate management easier and ensures that the correct certificate is used for signing.
Certificate Fingerprint Method
If it happens that a binary must be signed with a specific certificate, the certificate fingerprint method is used.
This method is primarily used when signing with the KSP (Key Storage Provider) library, or when the certificate is already synchronized with the Windows certificate store.
To sign a file using a certificate fingerprint, use the following command:
smctl sign --fingerprint <certificate fingerprint> --input <path to file>
Example:
smctl sign --fingerprint aa42b7d92f826d0ad6d23aa0d778c8cbfab7d61d --input C:\Users\Name\Desktop\file_to_sign.exe
Since the fingerprint uniquely identifies a certificate, this method guarantees that exactly that certificate is used for signing. Managing fingerprints is, however, more cumbersome than working with keypair aliases.
2. Sign with a Specific Third-Party Tool
Although SMCTL offers a built-in signing mechanism, there are situations where an external signing tool is required. In these cases, SMCTL can be told explicitly to call a third-party tool that suits the file format and security policy in question.
Signing with an external tool is prudent if certain requirements dictate the signing process or if the default SMCTL signing tool is unavailable.
To invoke a specific third-party tool for signing, pass the --tool flag together with the parameters that tool requires:
smctl sign --keypair-alias <keypair alias> --certificate <path to cert> --input <path> --tool <tool>
Example (using jsign):
smctl sign --keypair-alias=dynamic-kp1 --certificate C:\Users\John.Doe\Desktop\certificate.pem --input C:\Users\John.Doe\Desktop\file_to_sign.exe --tool jsign
This command explicitly instructs SMCTL to utilize jsign to carry out signing as opposed to relying on the default selection.
The ability to choose the signing tool is especially useful in organizations where different teams use different signing techniques for different binaries.
3. Special Case: Signing Android APKs
Signing an Android package requires special attention. When SMCTL signs an APK, it may generate multiple signatures for different Android versions, which can cause incompatibilities with some devices or app stores.
To avoid the problems caused by multiple signatures, APK files should therefore be signed directly with Apksigner rather than with SMCTL.
Doing so keeps the APK compliant with Android's signing requirements and prevents installation or verification failures on devices.
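The three sections above (alias-based signing, tool selection, and routing APKs to apksigner) combined into one wrapper script, added here as an example and not taken from the post or from DigiCert's own tooling; it assumes smctl and apksigner are on PATH, and the alias kp3, the keystore path and the APK_KS_PASS variable are placeholders.

```powershell
# Added example, not from the original post: sign files with the SMCTL
# keypair-alias method, route .apk files to apksigner as the post advises,
# and re-verify every Authenticode signature after signing.
# Assumptions: smctl and apksigner are on PATH; the alias "kp3", the keystore
# path and the APK_KS_PASS environment variable are placeholders.
param(
    [Parameter(Mandatory)][string[]] $Files,
    [string] $KeypairAlias = 'kp3',
    [string] $ApkKeystore  = 'C:\path\to\release.keystore'   # placeholder
)
$ErrorActionPreference = 'Stop'

function Invoke-SmctlSign {
    param([string] $Path)
    # Same form as the post's command; note the two ASCII hyphens (an en-dash pasted from a web page is not parsed).
    & smctl sign --keypair-alias $KeypairAlias --input $Path
    if ($LASTEXITCODE -ne 0) { throw "smctl failed on $Path (exit $LASTEXITCODE)" }
}

function Invoke-ApksignerSign {
    param([string] $Path)
    # apksigner signs in place and emits the v1/v2/v3 schemes Android expects,
    # avoiding the multi-signature output the post warns about for SMCTL.
    & apksigner sign --ks $ApkKeystore --ks-pass env:APK_KS_PASS $Path
    if ($LASTEXITCODE -ne 0) { throw "apksigner failed on $Path" }
    & apksigner verify --verbose $Path
    if ($LASTEXITCODE -ne 0) { throw "APK signature did not verify: $Path" }
}

function Test-AuthenticodeValid {
    param([string] $Path)
    # Do not trust the signer's exit code alone: let the Windows verifier
    # confirm the signature is present, intact and chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Post-sign check failed for ${Path}: $($sig.Status) $($sig.StatusMessage)"
    }
    [pscustomobject]@{
        File       = $Path
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint   # compare with the expected cert
    }
}

foreach ($f in $Files) {
    if ([IO.Path]::GetExtension($f) -ieq '.apk') { Invoke-ApksignerSign -Path $f; continue }
    Invoke-SmctlSign -Path $f
    Test-AuthenticodeValid -Path $f
}
```

Run it as `.\sign-and-verify.ps1 -Files build\app.exe, build\app.apk`; the returned objects list the signing certificate's subject and thumbprint so a pipeline can assert that the expected certificate was used.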
Reference
How to Digitally Sign Binaries with Signing Manager Controller (SMCTL)?