productsign(1) [osx man page]

productsign(1)						    BSD General Commands Manual 					    productsign(1)

NAME

     productsign -- Sign an OS X Installer product archive

SYNOPSIS

     productsign [options] --sign identity input-product-path output-product-path

DESCRIPTION

     productsign adds a digital signature to a product archive previously created with productbuild(1).  Although you can add a digital signature
     at the time you run productbuild(1), you may wish to add a signature later, once the product archive has been tested and is ready to deploy.
     If you run productsign on a product archive that was previously signed, the existing signature will be replaced.

     To sign a product archive, you will need to have a certificate and corresponding private key -- together called an ``identity'' -- in one of
     your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as
     the ``Common Name'' of the certificate.

     If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise,
     the default keychain search path is used.

     productsign will embed the signing certificate in the product archive, as well as any intermediate certificates that are found in the key-
     chain. If you need to embed additional certificates to form a chain of trust between the signing certificate and a trusted root certificate
     on the system, use the --cert option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to embed
     multiple intermediate certificates.

     The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be
     enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected
     to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity.

ARGUMENTS AND OPTIONS

     --sign identity-name
		 The name of the identity to use for signing the product archive.

     --keychain keychain-path
		 Specify a specific keychain to search for the signing identity.

     --cert certificate-name
		 Specify an intermediate certificate to be embedded in the product archive.

     --timestamp
		 Include a trusted timestamp with the signature.

     --timestamp=none
		 Disable trusted timestamp, regardless of identity.

     input-product-path
		   The product archive to be signed.

     output-product-path
		   The path to which the signed product archive will be written. Must not be the same as input-product-path.

SEE ALSO

     productbuild(1)

Mac OS								September 15, 2010							    Mac OS

Mono(signcode)															    Mono(signcode)

NAME

       signcode - Digitally sign an PE executable using an X.509 certificate.

SYNOPSIS

       signcode [options] filename

DESCRIPTION

       Digitally  sign an PE executable (CLR assembly, Win32 EXE or DLL) using an X.509 certificate and it's associated private key. The signature
       is compatible with Authenticode(r) and can be validated with chktrust (either on Windows or on any platform supported by Mono).

OPTIONS

       -spc spcfile
	      The Software Publisher File (spc) that contains the X.509 certificate chain used to digitally sign the PE executable.

       -v pvkfile
	      The Private Key File (pvk) that contains the private key used to digitally sign the PE executable. This private key must	match  the
	      public key inside the publisher X.509 certificate.

       -a md5 | sha1
	      The hash algorithm used in the digital signature of the PE executable. The default algorithm is MD5.

       -$ individual | commercial
	      Add information about the publisher, i.e. if the signature is generated by an individual or a commercial entity.

       -n description
	      Add a textual description of the signed file.

       -i url Add a URL associated to the publisher or the signed file.

       -t url URL to a timestamp service to countersign the PE executable. Countersignature is required if you want the PE executable signature to
	      be valid after the publisher certificate expires. The countersignature proves that the publisher had a valid (non-expired)  certifi-
	      cate when the PE executable was signed.

       -tr #  Number of retries to get a timestamp for the countersignature.

       -tw #  Delay (in seconds) between the retries to get a timestamp for the countersignature.

       -k name
	      CryptoAPI key container name (when not using -v).

       -p name
	      CryptoAPI provider name (when not using -v).

       -y #   CryptoAPI provider type (when not using -v or -p).

       -ky signature | exchange | #
	      CryptoAPI key type (when not using -v).

       -r localMachine | currentUser
	      CryptoAPI key location (when not using -v).

       -help , -h , -? , /?
	      Display help about this tool.

OTHER CODE SIGNING TECHNOLOGIES

       Assemblies  are	PE  files  that can also be strongnamed using the sn.exe tool. The order of code signature is important if a file requires
       both an Authenticode and a strongname signature. Strongname must be applied before the Authenticode signature. Applying a strongname  after
       the Authenticode signature, like re-signing an assembly (e.g. delay-sign), will invalidate the Authenticode signature.

KNOWN RESTRICTIONS

       signcode cannot generate Authenticode signatures for CAB files.

AUTHOR

       Written by Sebastien Pouliot

COPYRIGHT

       Copyright (C) 2003 Motus Technologies.  Copyright (C) 2004 Novell.  Released under BSD license.

MAILING LISTS

       Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for details.

WEB SITE

       Visit http://www.mono-project.com for details

SEE ALSO

       chktrust(1),makecert(1),cert2spc(1)

																    Mono(signcode)