ctxsigntool 1.1.7

This package contains a .NET tool you can call from the shell/command line.

Install as a global tool:

dotnet tool install --global ctxsigntool --version 1.1.7

Install as a local tool (create the tool manifest first if you are setting up this repo):

dotnet new tool-manifest
dotnet tool install --local ctxsigntool --version 1.1.7

Cake:

#tool dotnet:?package=ctxsigntool&version=1.1.7

NUKE:

nuke :add-package ctxsigntool --version 1.1.7

CtxSignTool

CtxSignTool is a command-line utility built on CtxSignLib for generating manifests, signing files, verifying detached signatures, creating development certificates, and extracting certificate pin information.

The tool is designed for deterministic software distribution workflows and integrates with CI/CD pipelines, build systems, and deployment tooling.


Version

CtxSignTool version matches the underlying library version when possible.

Example:

ctxsigntool --version

Output:

CtxSignTool
Version: 1.1.0
Library Version: 1.1.0

Pin Contract

CtxSignTool follows the immutable pin contract defined by CtxSignLib.

Switch     Meaning
--thumb    Certificate SHA-1 thumbprint
--pin      Raw SubjectPublicKeyInfo (SPKI) public key material
--pubpin   SHA-256 hash of the SPKI public key

Accepted formats for --pin

The --pin switch accepts the raw public key material in any of these formats:

  • PEM public key
  • Base64 encoded SPKI
  • Hex encoded SPKI

Example PEM:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
-----END PUBLIC KEY-----

Example Base64:

MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...

Example Hex:

3059301306072A8648CE3D020106082A8648CE3D03010703420004...

--pubpin

--pubpin is the SHA-256 digest of the SPKI public key.

Example:

7f3a8b3e45c2b2f2f72f2df7bce1b4e9e5d7e3d50a75c0e7f0e0f3a5c4b9e01f
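
How the three --pin encodings and the --pubpin digest relate, as an added example that is not CtxSignLib's own code. It assumes the digest is taken over the DER-encoded SPKI and written as lowercase hex; the function names and the sample key bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: the standard 26-byte P-256 SPKI header followed by a
# placeholder 65-byte point (0x04 + 64 counter bytes). Not a real key.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
SAMPLE_SPKI = P256_SPKI_PREFIX + b"\x04" + bytes(range(64))

_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def spki_from_pin(text: str) -> bytes:
    """Normalize a PEM, Base64 or hex SPKI string to DER bytes."""
    text = text.strip()
    m = _PEM_RE.search(text)
    if m:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    else:
        compact = "".join(text.split())
        # Hex digits are a subset of the Base64 alphabet, so try hex first.
        if len(compact) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", compact):
            der = bytes.fromhex(compact)
        else:
            try:
                der = base64.b64decode(compact, validate=True)
            except binascii.Error as exc:
                raise ValueError("pin is not PEM, Base64 or hex") from exc
    # Every SPKI is a DER SEQUENCE; reject input that decoded to something else.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded pin is not a DER SEQUENCE")
    return der


def pubpin(spki_der: bytes) -> str:
    """SHA-256 of the DER SPKI as lowercase hex (assumed output form)."""
    return hashlib.sha256(spki_der).hexdigest()


def sample_encodings() -> dict:
    """The constructed sample key in each format --pin accepts."""
    b64 = base64.b64encode(SAMPLE_SPKI).decode()
    pem = f"-----BEGIN PUBLIC KEY-----\n{b64[:64]}\n{b64[64:]}\n-----END PUBLIC KEY-----\n"
    return {"pem": pem, "base64": b64, "hex": SAMPLE_SPKI.hex().upper()}


if __name__ == "__main__":
    for name, text in sample_encodings().items():
        print(name, pubpin(spki_from_pin(text)))
```

All three encodings decode to the same bytes and therefore the same digest, which is why a pin recorded in one form can be compared against a key supplied in another.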

Commands

PrintPins

Extract pin values from a certificate.

ctxsigntool --printpins --cert cert.cer

or

ctxsigntool --printpins --pfx cert.pfx --pass password

Output includes:

thumb
pin
pubpin

Optional switches:

--json
--pretty
--out <file>

MakeCert

Create a self-signed development certificate.

ctxsigntool --makecert --out cert.pfx --pass password

Optional parameters:

--cer cert.cer
--cn "Common Name"
--days 825
--eku code|doc|both
--rsa 3072
--pinsout pins.json

Tip: supply the password through an environment variable rather than on the command line:

--pass env:ENVIRONMENT_VARIABLE

Manifest

Generate a manifest describing files in a directory.

ctxsigntool --manifest --root <directory>

Optional:

--out ctxsign.json

Sign

Sign a file.

Using PFX:

ctxsigntool --sign --in file.exe --pfx cert.pfx --pass password

Using certificate thumbprint:

ctxsigntool --sign --in file.exe --thumb <thumbprint>

Sign a manifest during creation:

ctxsigntool --sign --manifest --root <directory>

Verify

Verify a detached signature.

Using thumbprint:

ctxsigntool --verify --in file.exe --thumb <thumbprint>

Using raw public key pin:

ctxsigntool --verify --in file.exe --pin <spki-pem|base64|hex>

Using SHA-256 public key pin:

ctxsigntool --verify --in file.exe --pubpin <spki-sha256-hex>

Verify using a certificate and derive the pin automatically:

ctxsigntool --verify --in file.exe --cert cert.cer --pinmode pub

Manifest Verification

Verify a signed manifest:

ctxsigntool --verify --manifest ctxsign.json --thumb <thumbprint>

Verify a specific file against a manifest:

ctxsigntool --verify --manifest ctxsign.json --root <dir> --in <file> --pubpin <hash>

Exit Codes

Code   Meaning
0      Success
1      Invalid arguments
2      Verification failed
3      File or certificate error
4      Internal error

Security Model

CtxSignTool produces detached CMS / PKCS#7 signatures.

The signer certificate is embedded inside the CMS signature so verification can pin the signer without relying on system certificate stores.

Verification can be performed using:

  • certificate thumbprint
  • raw public key pin
  • SHA-256 public key pin

This enables deterministic verification in secure build pipelines and distributed systems.


License

Apache 2.0

Target Frameworks

net8.0 is compatible. net9.0, net10.0 and the platform-specific variants of net8.0, net9.0 and net10.0 (android, browser, ios, maccatalyst, macos, tvos, windows) were computed.

This package has no dependencies.

Version   Downloads   Last Updated
1.1.7     151         3/28/2026

This release refactors ctxsigntool structure, preserves established ctxsignlib behavioral contracts, adds localized help scaffolding, and supports composed manifest flows through --sign --manifest and --verify --manifest.