How To Sign

Eric Schultz edited this page Nov 27, 2013 · 12 revisions

First off, you need access to a signing service. The signing service at https://api.outercurve.org is only available to Outercurve project leaders for signing Outercurve projects.

Files can be signed in one of two ways:

PowerShell Cmdlet

How to install

  1. Download and install Cmdlets from https://github.com/outercurve/SigningService/releases
  2. If this is your first time installing on this machine, open a PowerShell console, run the following command, and then close that PowerShell console: [System.Environment]::SetEnvironmentVariable("PSMODULEPATH", [System.Environment]::GetEnvironmentVariable("PSMODULEPATH", "User"), "User") (This is needed because Windows Explorer does not update path variables after an MSI install. Future versions of the Cmdlets will hopefully remove this step.)

How to use

###Signing

Signing files requires a single PowerShell cmdlet:

Set-OcfSignatureViaService path/to/filestosign -ServiceUrl <ServiceUrl> -Credential <Credential>

  • <ServiceUrl> is the base signing service URL. In the case of Outercurve, the URL is https://api.outercurve.org.
  • <Credential> is a PSCredential object (created using the Get-Credential cmdlet) containing your username and password
  • NOTE: You may pass either a single file or multiple files to the Set-OcfSignatureViaService cmdlet. It works just as well either way.

Examples:

  • If you're only going to sign files in a single command, you could run in PowerShell:

Set-OcfSignatureViaService path/to/filestosign -ServiceUrl <ServiceUrl> -Credential (Get-Credential)

When the command is run, your credentials will be requested in a popup window. This works well if you're only running Set-OcfSignatureViaService once. On the other hand, you might not want to do that for multiple commands since you'll be asked for your credentials every time. In those cases you might want to put your credentials in a variable and pass that variable into each signing command:

$cert = Get-Credential   # requests your credentials via a popup window
Set-OcfSignatureViaService path/to/somefilestosign -ServiceUrl <ServiceUrl> -Credential $cert
Set-OcfSignatureViaService path/to/someotherfilestosign -ServiceUrl <ServiceUrl> -Credential $cert

###Strong-naming and Signing

If the file(s) to be signed are .NET assemblies, the files can be strong-named and Authenticode signed by adding the -StrongName switch to the cmdlet:

Set-OcfSignatureViaService path/to/filestosign -StrongName -ServiceUrl <ServiceUrl> -Credential <Credential>
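
An added example (not part of the original wiki or the SigningService project) that reuses one credential to sign a build folder and then confirms, with the built-in Get-AuthenticodeSignature cmdlet, that every file came back validly signed by the expected certificate. It assumes the cmdlet signs files in place and accepts an array of paths; $BuildDir and the thumbprint placeholder are hypothetical values you supply.

```powershell
# Added example: sign a folder of binaries, then verify each signature locally.
# Assumptions: Set-OcfSignatureViaService signs files in place and accepts an
# array of paths (the page says single or multiple files both work).
# $BuildDir and $ExpectedThumbprint are hypothetical inputs, not project values.
param(
    [Parameter(Mandatory)] [string] $BuildDir,
    [Parameter(Mandatory)] [string] $ServiceUrl,   # e.g. https://api.outercurve.org
    [string] $ExpectedThumbprint = '<EXPECTED-SIGNER-THUMBPRINT>'   # placeholder
)

$ErrorActionPreference = 'Stop'

# Prompt once and reuse the PSCredential object for the whole run.
$cred = Get-Credential

$files = Get-ChildItem -Path $BuildDir -Recurse -Include *.dll, *.exe -File |
    Select-Object -ExpandProperty FullName
if (-not $files) { throw "No .dll or .exe files found under $BuildDir" }

Set-OcfSignatureViaService $files -ServiceUrl $ServiceUrl -Credential $cred

# A missing error is not proof of a signature: inspect what is on disk.
$failed = foreach ($file in $files) {
    $sig   = Get-AuthenticodeSignature -FilePath $file
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    # Reject unsigned files, broken hashes, untrusted chains, and unexpected signers.
    if ($sig.Status -ne 'Valid' -or $thumb -ne $ExpectedThumbprint) {
        [pscustomobject]@{ File = $file; Status = $sig.Status; Thumbprint = $thumb }
    }
}

if ($failed) {
    $failed | Format-Table -AutoSize | Out-String | Write-Host
    throw "$(@($failed).Count) file(s) are unsigned, invalid, or signed by an unexpected certificate."
}
Write-Host "All $(@($files).Count) file(s) carry a valid signature from the expected certificate."
```

A Status of Valid also requires that the machine running the check trusts the signing certificate's chain, so run the verification on a machine with the same trust store your users have.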

#MSBuild

##How to install

  1. Download the MSBuild tasks and unzip them into your project from https://outercurveapi.blob.core.windows.net/downloads/Outercurve.MSBuildTasks.zip

##How to use

Basic usage

There are only a few steps to using the MSBuild task to sign a project.

First you need to import the Outercurve.MSBuildTasks.targets into your project file (or script). You'll probably want something like this:

<Import Project="$(MSBuildThisFileDirectory)\relativePathFrom\projectFileTo\Outercurve.MSBuildTasks.targets"/>

This adds the SetCodeSignatureViaService target to the end of your build process. The SetCodeSignatureViaService target has a number of properties which can be set in your MSBuild file.

  • SignConfig - the MSBuild configuration you want to run SetCodeSignatureViaService on
    Default: Release
  • SignStrongName - whether the input file(s) should be strong named. NOTE: if this is true and any of the input files are not delay-signed .NET assemblies, the SetSignatureViaService target will throw an error
    Default: false
  • SignContinueOnError - whether the build process should be stopped on an error
    Default: false
  • SignOutputDir - the output directory for the signed files. NOTE: currently doesn't work
    Default: $(TargetDir)
  • SignServiceUrl - the URL of the signing service. In the case of Outercurve signing, this is https://api.outercurve.org
    Default: None, unless this has been saved to the registry using the Set-OcfDefaultRemoteService cmdlet
  • SignUserName - the username on the signing service
    Default: None, unless this has been saved to the registry using the Set-OcfDefaultRemoteService cmdlet
  • SignPassword - the password on the signing service
    Default: None, unless this has been saved to the registry using the Set-OcfDefaultRemoteService cmdlet

The input files to SetSignatureViaService are set using MSBuild items. This sole item works as follows:

  • @(SignInputAssembly) - the item containing the path to the files to be signed.
    Default: $(TargetPath)