Cross-platform code and document signing CLI tool
npm install @certchip/signerCross-platform code and document signing CLI tool with SSH key authentication.
- Cross-platform - Windows, Linux, macOS (x64, arm64)
- SSH Key Authentication - Ed25519, ECDSA, RSA support
- Code Signing - PE executables (EXE, DLL, SYS, OCX), MSI, MSP, CAB
- Document Signing - PDF with visual signature (watermark, box, barcode, QR code)
- Script Signing - PowerShell, VBScript with Authenticode
- Text/Source Signing - JS, Python, Go, Rust, and more
- Hash-based Signing - Default mode: only hash sent to server, not the file
- Windows KSP - Native Windows crypto integration (Windows only)
- Structured Output - JSON, table, or CSV output for scripting and automation
``bashGlobal installation (recommended)
npm install -g @certchip/signer
Quick Start
$3
bash
Login with SSH key authentication
signercli -login https://signer.example.com usernameSign a file
signercli myapp.exeVerify signature
signercli -verify myapp.exeLogout
signercli -logout
`$3
bash
Login (certificate is installed to Windows certificate store)
signer -login https://signer.example.com usernameSign directly with signer (same options as signercli)
signer myapp.exe # Default: hash-only mode
signer myapp.exe -o myapp_signed.exe # Specify output file
signer myapp.exe -file-upload -save-signed # Upload file, save with _signed suffixOr use Windows signtool.exe (after login)
signtool sign /n "Your Certificate CN" /fd sha256 /tr http://timestamp.digicert.com /td sha256 myapp.exeLogout (removes certificate from store)
signer -logout
`$3
bash
signercli (Cross-platform)
npx signercli -login https://signer.example.com username
npx signercli myapp.exesigner (Windows only)
npx signer -login https://signer.example.com username
npx signer myapp.exe
`CLI Commands
This package provides two CLI tools with different purposes:
| | signercli | signer |
|---|-----------|--------|
| Purpose | Direct file signing | Direct signing + Windows signtool integration |
| Platform | Windows, Linux, macOS | Windows only |
| How it works | Signs files directly via server API | Signs files directly OR provides certificates to Windows crypto system |
| Best for | CI/CD, cross-platform, simple signing | Windows developers, signtool.exe integration |
$3
| Scenario | Recommended |
|----------|-------------|
| CI/CD pipeline (any platform) | signercli |
| Linux/macOS development | signercli |
| Simple file signing | signercli or signer |
| Windows direct signing | signer or signercli |
| Using Windows signtool.exe | signer |
| Windows certificate store integration | signer |
| Visual Studio post-build signing | signercli or signer |
---
$3
The main CLI tool for code and document signing. Signs files directly by communicating with the signing server. Works on all platforms without any additional setup.
#### Authentication
bash
Auto-detect authentication (SSH key if exists, otherwise password prompt)
signercli -login [username]SSH Key Authentication (explicit)
signercli -login -key ~/.ssh/id_ed25519
signercli -login username -key ~/.ssh/id_rsaPassword Authentication
signercli -login -user # Password prompted interactively
signercli -login -user -pw # Password on command lineLogin Options
-profile Use specific config profile
-expires `#### File Signing
bash
Basic signing (default: hash-only mode)
signercli Signing options
signercli -o `> Note: Hash-only signing is the default mode. Only the file hash is sent to the server, not the entire file.
#### Signature Verification
bash
signercli -verify
signercli -verify -signature-id # Verify specific signature
signercli -verify -profile
`#### Certificate Management
bash
List available certificates
signercli -codesign-listGet/Set certificate ID
signercli -codesign-id # Show current certificate ID
signercli -codesign-id # Set certificate IDGet certificate PEM
signercli -codesign-cert # Fetch current certificate
signercli -codesign-cert -id # Fetch specific certificate
signercli -codesign-cert -o cert.pem # Save to fileSet private key password (for password-protected keys on server)
signercli -codesign-set
`Alternative:
commands (compatible with signer.exe)`bash
List certificates (with purpose filter)
signercli -cert -list # List all certificates
signercli -cert -list codesign # List code signing certificates
signercli -cert -list docsign # List document signing certificatesGet/Set certificate ID
signercli -cert -id # Show current configuration
signercli -cert -id # Set certificate ID
signercli -cert -id `> Note: The
commands use the same API endpoints as signer.exe, ensuring full compatibility between both tools.#### Configuration
Profiles store connection settings. The
default profile is used when no profile is specified. Other profiles inherit missing settings from default.`bash
View configuration
signercli -config # Show config file
signercli -config list # List all profiles
signercli -config show # Show profile detailsCreate/Update profile
signercli -config set [options]Delete profile
signercli -config delete
`Profile Inheritance Example:
bash
Set common settings in 'default' profile
signercli -config set default -host https://signer.example.com -username adminCreate 'production' profile (inherits host and username from default)
signercli -config set production -cert-id prod-cert-001Create 'staging' profile with different host (overrides default)
signercli -config set staging -host https://staging.example.com -cert-id staging-certUsage
signercli -login # Uses 'default' profile
signercli -login -profile production # Uses 'production' (inherits from default)
signercli -login -profile staging # Uses 'staging' (overrides host)
`Profile Options:
| Option | Description |
|--------|-------------|
|
| Server URL |
| -ssh-key-path | SSH private key path |
| -username | SSH username |
| -user | Password auth user ID |
| -cert-id | Default certificate ID |
| -cert-serial | Certificate serial number |
| -expires