npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

signtool

v1.0.0

Published

Node module wrapper around the signtool binary

Downloads

5,321

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

mlucemluce

Keywords

compilersignersignsigntoolmssdkmsiexecodesigning

Readme

node-signtool

node-signtool is a Node module wrapper around the SignTool binary.

Getting Started

node-signtool works as a wrapper around the SignTool library. It abstracts the commands' switches with JS object abstraction. Options mapping is available below.

Installation

node-signtool can be installed using NPM:

$ npm install node-signtool --save

Usage

First import node-signtool in your project:

var signtool = require("signtool");

Then use signtool's commands:

signtool.sign("path/to/my.exe", { certificate: "path/to/my/cert.pfx", password: "*******" });
signtool.verify("path/to/my.exe");

node-signtool uses native Promise to wrap asynchronous operations and resolves with the result of the command:

signtool.sign("path/to/my.exe", { certificate: "path/to/my/cert.pfx", password: "*******" });
	.then(result => {
		result.code 	// The signtool exit code.
		result.stdout 	// The signtool stdout content.
		result.stderr	// The signtool stderr content.
	});

Documentation

signtool.sign(file: string | string[], [options: SignOptions], [runOptions: RunOptions]): Promise

The sign command allows to digitally signs files. If no options are provided, node-signtool use the default auto behavior.

| Switch | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | /a | auto | Selects the best signing certificate automatically. | | /as | append | Appends this signature. If no primary signature is present, this signature is made the primary signature. | | /uw | verify | Specifies using "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6). | | /f | certificate | Specifies the signing certificate in a file (PFX). | | /p | password | Specifies the password to use when opening a PFX file. | | /i | issuer | Specifies the name of the issuer of the signing certificate. | | /n | subject | Specifies the name of the subject of the signing certificate. | | /r | rootSubject | Specifies the name of the subject of the root certificate that the signing certificate must chain to. | | /d | description | Specifies a description of the signed content. | | /du | url | Specifies a URL for expanded description of the signed content. | | /s | store | Specifies the store to open when searching for the certificate. | | /sm | computerStore | Specifies that a computer store, instead of a user store, be used. | | /sha1 | sha1 | Specifies the SHA1 hash of the signing certificate. | | /csp | csp | Specifies the cryptographic service provider (CSP) that contains the private key container. | | /kc | key | Specifies the key that contains the name of the private key. | | /c | template | Specifies the Certificate Template Name (a Microsoft extension) for the signing certificate. | | /ac | additional | Specifies a file that contains an additional certificate to add to the signature block. | | /fd | algorithm | Specifies the file digest algorithm to use to create file signatures. | | /u | EKU | Specifies the enhanced key usage (EKU) that must be present in the signing certificate. | | /t | timestamp | Specifies the URL of the time stamp server. | | /tr | rfcTimestamp | Specifies the RFC 3161 time stamp server's URL. | | /td | timestampAlgo | Used with the rfcTimestamp switch to request a digest algorithm used by the RFC 3161 time stamp server. | | /dg | digest | Generates the to be signed digest and the unsigned PKCS7 files. | | /dxml | digestXML | When used with the digest option, produces an XML file. | | /dmdf | digestFunction | When used with the digest option, passes the file’s contents to the AuthenticodeDigestSign function without modification. | | /dlib | digestLib | Specifies the DLL implementing the AuthenticodeDigestSign function. | | /ds | digestOnly | Signs the digest only. The input file should be the digest generated by the digest option. | | /p7 | pkcs | Creates the signature by ingesting the signed digest to the unsigned PKCS7 file. | | /p7ce | pkcsCE | Specifies options for the signed PKCS #7 content. | | /p7co | pkcsOID | Specifies the object identifier (OID) that identifies the signed PKCS #7 content. | | /ph | pageHashes | If supported, generates page hashes for executable files. | | /nph | suppresPageHashes | If supported, suppresses page hashes for executable files. |

signtool.verify(file: string | string[], [options: VerifyOptions], [runOptions: RunOptions]): Promise

The verify command allows to verify the digital signature of files.

If no options are provided, node-signtool use the default useAllMethods behavior.

The SignTool verify command determines :

  • whether the signing certificate was issued by a trusted authority,
  • whether the signing certificate has been revoked,
  • and, optionally, whether the signing certificate is valid for a specific policy.

| Switch | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | /a | useAllMethods | Specifies that all methods can be used to verify the file. | | /o | os | Verifies the file by operating system version. (PlatformID:VerMajor.VerMinor.BuildNumber) | | /ds | index | Verifies the signature at a certain position. | | /hash | hash | Specifies an optional hash algorithm to use when searching for a file in a catalog. | | /r | rootSubject | Specifies the name of the subject of the root certificate that the signing certificate must chain to. | | /ag | catalogDatabase | Finds the catalog in the catalog database identified by the GUID. | | /c | useDefaultCatalog | Specifies the catalog file by name. | | /ad | useDefaultCatalog | Finds the catalog by using the default catalog database. | | /as | useDriverCatalog | Finds the catalog by using the system component (driver) catalog database. | | /all | verifyAllSignatures | Verifies all signatures in a file with multiple signatures. | | /kp | useX64Kernel | Performs the verification by using the x64 kernel-mode driver signing policy. | | /ms | useMultiSemantics | Uses multiple verification semantics. | | /p7 | verifyPKCS | Verify PKCS #7 files. | | /ph | verifyPageHash | Print and verify page hash values. | | /tw | verifyTimestamp | Specifies that a warning is generated if the signature is not time stamped. | | /pa | defaultAuthPolicy | Specifies that the Default Authentication Verification Policy is used. | | /pg | useAuthPolicy | Specifies a verification policy by GUID. | | /d | showDescription | Print the description and description URL. |

signtool.timestamp(file: string | string[], [options: TimestampOptions], [runOptions: RunOptions]): Promise

The timestamp command allows to time stamps files.

| Switch | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | /t | url | The file being time stamped must have previously been signed. | | /tr | rfcUrl | Specifies the RFC 3161 time stamp server's URL. | | /tseal | sealUrl | Specifies the RFC 3161 timestamp server's URL for timestamping a Sealed file. | | /td | algorithm | Used with the rfcUrl switch to request a digest algorithm used by the RFC 3161 time stamp server. | | /tp | index | Adds a timestamp to the signature at index. | | /p7 | pkcs | Adds a timestamp to PKCS #7 files. |

signtool.catdb(file: string | string[], [options: CatDBOptions], [runOptions: RunOptions]): Promise

The catdb command allows to add or remove a catalog file to or from a catalog database.

| Switch | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | /d | default | Specifies that the default catalog database be updated. | | /g | guid | Specifies that the catalog database identified by the GUID be updated. | | /r | remove | Removes the specified catalog from the catalog database. | | /u | unique | Specifies that a unique name be automatically generated for the added catalog files. |

RunOptions

Run options are optional. It allows to enable some common signtool switches and to specify some child_process.spawn() options.

Common Switches

| Switch | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | /q | quiet | No output on success and minimal output on failure. | | /v | verbose | Print verbose success and status messages. | | /debug | debug | Display additional debug information. |

Spawn Options

| Spawn | Option | Description | |-----------|-------------------|-----------------------------------------------------------------------| | cwd | cwd | Specifies the Current Working Directory to execute signtool on. | | stdio | stdio | Specifies the spawn stdio option. |

Contribute

Install Global Dependencies

node-signtool needs some development dependencies:

$ npm install -g typings

Install Project dependencies

$ npm install && typings install

Build project

$ npm run build