Advanced users may need to drive the FDI Signing Tool from the command line instead of through the provided user interface. The following verbs are used with the Notary for this purpose.
System Requirements
The fdiNotary tool runs on Microsoft Windows and requires .NET Framework 4.6.1. fdiNotary also requires the SecureBlackBox DLLs by EldoS and an internal DLL called “CommandLine.dll”. These will be delivered with the fdiNotary executable and must reside in the folder with the executable on the system where fdiNotary is run.
Workflows
Each section below describes a step in the workflow and has an associated command-line “verb” telling fdiNotary what action to perform for that step.
List
Syntax:
fdiNotary list <packageFileName>
The “list” verb causes fdiNotary to list all the parts of the package, including their Part URI, which is a unique local identifier for a component of the package.
The “list” verb will also output a numbered list of signatures in the package. These numbers can be used to refer to the individual signatures for the “remove” verb documented below.
Sign
Syntax:
fdiNotary sign [options] <packageFileName>
The “sign” verb modifies the package by marking it as signed with the provided certificate (see options below). Several of the options described below are required to tell the tool how to do this.
The relevant options for the “sign” verb are:
--sha1=HEX Specify the SHA1 thumbprint of the signing certificate. Use either this option or the --serial option to specify the certificate to use to sign the package (but not both). The thumbprint must be a hexadecimal number (valid characters are 0-9 and a-f).
--serial=HEX Specify the serial number of the signing certificate. Use either this option or the --sha1 option to specify the certificate to use to sign the package (but not both). The serial number must be a hexadecimal number (valid characters are 0-9 and a-f).
--tr=URL (Optional) Specify the URL of a trusted timestamp server. This URL will be used to create a trusted timestamp (XADeS-T) portion for the signature. If this option is not specified, the signature will not be a XADeS-T signature.
--alg=algorithm Specify which signature and digest algorithm will be used for the package to be signed. The algorithm will apply to both digest and signature calculations. The supported algorithms are “sha1” and “sha256”, with “sha1” being the default if no algorithm is specified.
--pem=PATH Specify a PEM (certificate) file that contains one or more intermediate certificates that will be added into the signature. Certificates between the signing cert and the trusted root should be included here. Instructions on creating the PEM file can be found on the FieldCommGroup support portal.
--ignoreval Ignore any validation errors, and sign anyway.
--noedd Do not automatically sign the EDD in the package. By default, even if not specified in the uris, the EDD will be signed.
--proxyhost=hostname In cases where an internet proxy is needed, specifies the proxy host name to use.
--proxyport=nnn In cases where an internet proxy is needed, specifies the port number to use on the proxy host. Required if the proxyhost is specified.
--proxyuser=username In cases where an internet proxy is needed, specifies the username to use on the proxy host.
--proxypass=passwd In cases where an internet proxy is needed, specifies the clear text password to use on the proxy host.
Timestamp
Syntax:
fdiNotary timestamp [options] <packageFileName>
The “timestamp” verb is used to add a trusted timestamp to the last signature in a package. The package must already have been signed, and the last signature in the package must not be a XADeS-T signature.
Either the “sha1” or the “serial” option must be used to specify a certificate. This certificate is not used for signing (so a private key need not be available); it is used as part of the XADeS-T timestamp process.
The relevant options are:
--tr=URL Specify the URL of a trusted timestamp server. This URL will be used to create a trusted timestamp (XADeS-T) portion for the existing final signature. This option MUST be specified for the timestamp command.
--sha1=HEX Specify the SHA1 thumbprint of the signing certificate. Use either this option or the --serial option to specify the certificate to include in the XADeS-T signature. The thumbprint must be a hexadecimal number (valid characters are 0-9 and a-f).
--serial=HEX Specify the serial number of the signing certificate. Use either this option or the --sha1 option to specify the certificate to include in the XADeS-T signature. The serial number must be a hexadecimal number (valid characters are 0-9 and a-f).
--alg=algorithm Specify which signature and digest algorithm will be used for the XADeS-T signature. The algorithm will apply to both digest and signature calculations. The supported algorithms are “sha1” and “sha256”, with “sha1” being the default if no algorithm is specified.
--ignoreval Ignore any validation errors, and timestamp anyway.
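The script below automates the sign-and-list workflow described above in one run: it signs with SHA-256 (the documented default is SHA-1), includes the intermediate chain, requests a XADeS-T timestamp, and then lists the package to confirm the signature was added. It is an added example, not part of the fdiNotary documentation; the package path, thumbprint, PEM path and timestamp URL are placeholders supplied by the caller, and it assumes fdiNotary returns a non-zero exit code on failure (the documentation does not state this).

```powershell
# Added example, not from the fdiNotary documentation.
# Signs an FDI package with SHA-256 and a trusted timestamp, then lists it.
param(
    [Parameter(Mandatory)] [string] $Package,                 # placeholder: path to the package file
    [Parameter(Mandatory)] [string] $Thumbprint,              # SHA1 thumbprint of the signing cert
    [string] $IntermediatePem = '.\intermediates.pem',        # placeholder: PEM with intermediate certs
    [string] $TimestampUrl = 'https://tsa.example.invalid/',  # placeholder: trusted timestamp server
    [string] $NotaryExe = '.\fdiNotary.exe'                   # must sit beside its DLLs
)

$ErrorActionPreference = 'Stop'

# fdiNotary accepts only 0-9 and a-f. Certificate viewers often show the
# thumbprint with spaces or colons and in upper case, so normalise it here and
# reject anything that is not a 40-character (160-bit) SHA1 hex string.
$Thumbprint = ($Thumbprint -replace '[\s:]', '').ToLowerInvariant()
if ($Thumbprint -notmatch '^[0-9a-f]{40}$') {
    throw "Thumbprint must be 40 hex characters (0-9, a-f), got '$Thumbprint'"
}
if (-not (Test-Path -LiteralPath $Package)) { throw "Package not found: $Package" }
if (-not (Test-Path -LiteralPath $IntermediatePem)) { throw "PEM file not found: $IntermediatePem" }

# Pass --alg explicitly: without it the tool defaults to sha1.
# --tr makes the signature XADeS-T in the same step, so no separate
# "timestamp" run is needed. --ignoreval is deliberately not used, so a
# package that fails validation is left unsigned for a human to look at.
$signArgs = @(
    'sign',
    "--sha1=$Thumbprint",
    '--alg=sha256',
    "--pem=$IntermediatePem",
    "--tr=$TimestampUrl",
    $Package
)
& $NotaryExe @signArgs
# Assumption: a non-zero exit code means the sign step failed.
if ($LASTEXITCODE -ne 0) { throw "fdiNotary sign failed (exit code $LASTEXITCODE)" }

# Confirm the result: "list" prints the package parts and the numbered
# signatures, so the new signature should appear at the end of that list.
& $NotaryExe 'list' $Package
if ($LASTEXITCODE -ne 0) { throw "fdiNotary list failed (exit code $LASTEXITCODE)" }
```

If the build host reaches the timestamp server through a proxy, add the --proxyhost/--proxyport options to $signArgs; avoid scripting --proxypass, since it places a clear-text password on the command line.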
Additional Command Line Options
Display options
There are several options related to controlling the verbosity of the output of the command-line tool. As such, they do not affect the operation of the tool itself other than its output messaging.
There are three priorities of messages in the fdiNotary tool: messages, warnings, and errors. “Quiet” mode shows only errors. “Verbose” mode shows both warnings and errors. “Debug” mode shows all possible output, including potential tool-debugging messages.
-q, --quiet (Optional) Quiet (minimal) output mode.
-v, --verbose (Optional) Verbose output mode.
-d, --debug (Optional) Debug output mode.
Documentation from v1.5.1 Release