OneSignTool CLI — Remote Code Signing Guide
What is OneSignTool?
OneSignTool is a command-line tool for remote code signing. It allows developers to sign Windows executables (EXE, DLL, MSI, CAB, SYS) from any machine, while the USB hardware token (YubiKey, SafeNet) stays securely connected to a central signing server.
Key benefits:
- Azure Key Vault compatible — drop-in replacement for AzureSignTool. Same CLI flags, same workflow, but with your own hardware token instead of cloud HSM
- No per-signature cloud fees — sign unlimited files with your existing code signing certificate
- USB token stays on server — developers never need physical access to the token
- CI/CD ready — integrates with GitHub Actions, Azure DevOps, Jenkins, and any build pipeline
- Signtool compatible — supports standard signtool.exe flags for easy migration
How It Works
- Setup: Install OneSigner Service on a Windows machine with your USB token plugged in
- Configure: Enable the Azure Key Vault Proxy endpoint in OneSigner settings
- Sign: Use OneSignTool (or AzureSignTool) from any machine to sign files remotely
The signing server exposes Azure Key Vault compatible REST endpoints. When OneSignTool sends a signing request, the server uses the local USB token to perform the cryptographic operation and returns the signed hash. The actual file content never leaves your build machine — only the hash is sent to the server.
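As an added example (not code from OneSignTool or OneSigner), the following Go program models that hash-only exchange in-process: the build machine hashes the artifact locally and sends only the digest in a Key Vault-style sign request, the server side signs it with RS256 (PKCS#1 v1.5) using a standard-library RSA key as a constructed stand-in for the USB token, and the build machine verifies the returned signature against its own digest. The `alg`/`value` field names follow the Azure Key Vault sign API; a flat SHA-256 of the bytes stands in for the Authenticode file digest a real signing tool computes, and the function names are assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Bodies of the Key Vault "sign" call: only the alg ID and base64url digest travel.
type signRequest struct {
	Alg   string `json:"alg"`
	Value string `json:"value"`
}
type signResponse struct{ Value string `json:"value"` }
// buildSignRequest runs on the build machine: hash locally, serialise only the digest.
func buildSignRequest(fileBytes []byte) ([]byte, [32]byte, error) {
	digest := sha256.Sum256(fileBytes)
	body, err := json.Marshal(signRequest{Alg: "RS256", Value: base64.RawURLEncoding.EncodeToString(digest[:])})
	return body, digest, err
}
// serverSign is the signing-server side; key is a constructed stand-in for the USB token.
func serverSign(key *rsa.PrivateKey, body []byte) ([]byte, error) {
	var req signRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	digest, err := base64.RawURLEncoding.DecodeString(req.Value)
	if req.Alg != "RS256" || err != nil || len(digest) != sha256.Size {
		return nil, fmt.Errorf("expected RS256 over a 32-byte digest, got alg %q", req.Alg)
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
	if err != nil {
		return nil, err
	}
	return json.Marshal(signResponse{Value: base64.RawURLEncoding.EncodeToString(sig)})
}
// verifyResponse runs back on the build machine against the locally computed digest.
func verifyResponse(pub *rsa.PublicKey, digest [32]byte, resp []byte) error {
	var r signResponse
	if err := json.Unmarshal(resp, &r); err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(r.Value)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

The client-side verification is the check worth keeping in a pipeline: a signature that does not match the digest you computed yourself means the server signed something other than your artifact.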
Installation
Download OneSignTool from the Downloads page. It's a single executable — no installation required.
- Option 1: Download directly from https://onesign.sg/portal/download
- Option 2: Copy it from a OneSigner installation: OneSignTool is included in the OneSigner Service package
Quick Start
1. Sign a file (AzureSignTool-compatible mode)
OneSignTool.exe sign ^
-kvu http://your-server:9440 ^
-kvc your-certificate-name ^
-kva YOUR_ADMIN_TOKEN ^
-fd sha256 ^
-tr http://ts.ssl.com ^
-td sha256 ^
-d "My Application" ^
myapp.exe
2. Sign with signtool-compatible flags
hAutoSignerService.exe --codesign ^
/sha1 THUMBPRINT_HERE ^
/pin 654321 ^
/fd sha256 ^
/tr http://ts.ssl.com ^
/d "My Application" ^
myapp.exe
3. Sign multiple files
# Sign all EXE files in a folder
for %%f in (build\*.exe) do (
OneSignTool.exe sign -kvu http://server:9440 -kvc cert-name -kva TOKEN -fd sha256 -tr http://ts.ssl.com "%%f"
)
Command Reference
AzureSignTool-compatible flags
| Flag | Description | Example |
|---|---|---|
| -kvu | Key Vault URL (OneSigner server address) | http://server:9440 |
| -kvc | Certificate name (as configured in OneSigner) | my-codesign-cert |
| -kva | Access token (OneSigner admin token) | your-secret-token |
| -fd | File digest algorithm | sha256 |
| -tr | RFC 3161 timestamp server URL | http://ts.ssl.com |
| -td | Timestamp digest algorithm | sha256 |
| -d | Description (appears in signature details) | "My App v2.0" |
| -du | Description URL | https://example.com |
| -as | Append signature (dual-sign) | (no value) |
| -v | Verbose output | (no value) |
Signtool-compatible flags
| Flag | Description |
|---|---|
| /sha1 <thumbprint> | Select certificate by SHA1 thumbprint |
| /pin <PIN> | Hardware token PIN |
| /f <path> | PFX certificate file path |
| /p <password> | PFX file password |
| /n <subject> | Select certificate by subject name |
| /fd <alg> | File digest: sha1, sha256, sha384, sha512 |
| /tr <url> | RFC 3161 timestamp server |
| /td <alg> | Timestamp digest algorithm |
| /t <url> | Legacy timestamp URL (Authenticode) |
| /d <desc> | Description string |
| /du <url> | Description URL |
| /as | Append signature (nested/dual-sign) |
| /ac <path> | Additional certificate (cross-cert) |
| /ph | Generate page hashes |
| /o <path> | Output file (sign to different path) |
| /v | Verbose output |
Supported File Types
| Type | Extensions | Description |
|---|---|---|
| Executable | .exe, .dll, .ocx, .sys | Windows PE files |
| Installer | .msi, .msix, .appx | Windows Installer packages |
| Cabinet | .cab | Cabinet archives |
| Catalog | .cat | Security catalog files |
| PowerShell | .ps1, .psm1, .psd1 | PowerShell scripts |
Supported Hardware Tokens
| Token | Signing Method | Notes |
|---|---|---|
| YubiKey 4/5 Series | PIV direct signing (fastest) | No Windows CSP required. Supports ECDSA P-256, P-384 and RSA 2048 |
| SafeNet eToken 5110/5300 | Windows CSP | Install SafeNet Authentication Client driver |
| ePass2003 | Windows CSP | Common in Local CAs |
| Any PKCS#11 token | Windows CSP/CNG | Requires vendor minidriver installed |
Supported Signing Algorithms
| Algorithm | ID | Use Case |
|---|---|---|
| RSA PKCS#1 v1.5 | RS256, RS384, RS512 | Most common, widest compatibility |
| RSA PSS | PS256, PS384, PS512 | Modern RSA padding scheme |
| ECDSA | ES256, ES384, ES512 | Smaller signatures, faster — YubiKey P-256, P-384 |
CI/CD Integration
GitHub Actions
- name: Sign executable
  # Run under cmd.exe so the ^ line continuations join the command into one invocation;
  # without continuations each line would be executed as a separate command.
  shell: cmd
  run: |
    OneSignTool.exe sign ^
      -kvu ${{ secrets.SIGNING_SERVER }} ^
      -kvc ${{ secrets.CERT_NAME }} ^
      -kva ${{ secrets.SIGNING_TOKEN }} ^
      -fd sha256 ^
      -tr http://ts.ssl.com ^
      -td sha256 ^
      build/myapp.exe
Azure DevOps Pipeline
- task: CmdLine@2
  displayName: 'Code Sign'
  inputs:
    script: |
      OneSignTool.exe sign ^
        -kvu $(SIGNING_SERVER) ^
        -kvc $(CERT_NAME) ^
        -kva $(SIGNING_TOKEN) ^
        -fd sha256 ^
        -tr http://ts.ssl.com ^
        build\myapp.exe
Jenkins / Generic Script
#!/bin/bash
# Sign all EXE and DLL files after build.
# Fail the build on the first signing error instead of silently continuing.
set -euo pipefail
# NUL-delimited file list so paths with spaces are handled correctly.
find ./build \( -name "*.exe" -o -name "*.dll" \) -print0 | while IFS= read -r -d '' f; do
    ./OneSignTool sign -kvu "$SIGNING_SERVER" -kvc "$CERT_NAME" -kva "$SIGNING_TOKEN" -fd sha256 -tr http://timestamp.digicert.com "$f"
done
Server-Side Configuration
On the OneSigner server, configure the Azure Key Vault Proxy in appsettings.json:
{
  "AzureKeyVaultProxy": {
    "Enabled": true,
    "Certificates": [
      {
        "Name": "my-codesign-cert",
        "CertificateSerial": "ABC123DEF456...",
        "TokenPin": "654321",
        "Description": "EV Code Signing Certificate"
      }
    ]
  }
}
The Name field is what you pass as -kvc in OneSignTool. The server maps it to the correct USB token and PIN automatically.
Security Best Practices
- Use Cloudflare Tunnel — never expose port 9440 directly to the internet. OneSigner has built-in Cloudflare Tunnel support for secure remote access
- Rotate admin tokens — use unique tokens per CI/CD pipeline. Revoke tokens when no longer needed
- Enable audit logging — OneSigner logs all signing operations with timestamps, file hashes, and requestor IP
- Hardware token PIN protection — PINs are encrypted with DPAPI in appsettings.json. The token locks after failed attempts
- Network isolation — run the signing server on a dedicated machine or VM, separate from build infrastructure
Troubleshooting
Connection refused
Ensure the OneSigner Service is running and that the port in -kvu matches the server's configured port. Check that Windows Firewall allows inbound connections on port 9440.
Certificate not found
Verify that the certificate name passed with -kvc matches the Name field in the server's appsettings.json. The USB token must be plugged in.
Signing failed: token PIN incorrect
Check the PIN in server config. Note: most tokens lock after 3 failed PIN attempts. OneSigner has built-in PIN retry protection to prevent lockout.
Timestamp failed
Timestamp servers may be temporarily unavailable. Common reliable servers:
- http://ts.ssl.com
- http://timestamp.digicert.com
- http://timestamp.sectigo.com
- http://timestamp.globalsign.com/tsa/r6advanced1
Comparison: OneSignTool vs Cloud Signing
| Feature | OneSignTool + OneSigner | Azure Key Vault / Cloud HSM |
|---|---|---|
| Monthly cost | $0 (one-time license) | $50-500+/month |
| Per-signature fee | None | $0.03-0.15 per operation |
| Certificate storage | Your own USB token | Cloud HSM (vendor lock-in) |
| Signing speed | ~100-500ms | 200-1000ms (network latency) |
| Offline capability | Yes (local network) | No (cloud required) |
| AzureSignTool compatible | Yes | Yes (native) |
| EV Code Signing | Yes (hardware token) | Yes (cloud HSM) |
