@certchip/signer 0.1.11

package/README.md

@@ -0,0 +1,587 @@
+# @certchip/signer
+
+Cross-platform code and document signing CLI tool with SSH key authentication.
+
+## Features
+
+- **Cross-platform** - Windows, Linux, macOS (x64, arm64)
+- **SSH Key Authentication** - Ed25519, ECDSA, RSA support
+- **Code Signing** - PE executables (EXE, DLL, SYS, OCX), MSI, MSP, CAB
+- **Document Signing** - PDF with visual signature (watermark, box, barcode, QR code)
+- **Script Signing** - PowerShell, VBScript with Authenticode
+- **Text/Source Signing** - JS, Python, Go, Rust, and more
+- **Hash-based Signing** - Default mode: only hash sent to server, not the file
+- **Windows KSP** - Native Windows crypto integration (Windows only)
+
+## Installation
+
+```bash
+# Global installation (recommended)
+npm install -g @certchip/signer
+
+# Or local installation
+npm install @certchip/signer
+```
+
+## Quick Start
+
+### signercli (Cross-platform: Windows, Linux, macOS)
+
+```bash
+# Login with SSH key authentication
+signercli -login https://signer.example.com username
+
+# Sign a file
+signercli myapp.exe
+
+# Verify signature
+signercli -verify myapp.exe
+
+# Logout
+signercli -logout
+```
+
+### signer (Windows only - KSP integration)
+
+```bash
+# Login (certificate is installed to Windows certificate store)
+signer -login https://signer.example.com username
+
+# Sign using Windows signtool.exe
+signtool sign /n "Your Certificate CN" /fd sha256 /tr http://timestamp.digicert.com /td sha256 myapp.exe
+
+# Or sign directly with signer
+signer myapp.exe
+
+# Logout (removes certificate from store)
+signer -logout
+```
+
+### With local installation (npx)
+
+```bash
+# signercli (Cross-platform)
+npx signercli -login https://signer.example.com username
+npx signercli myapp.exe
+
+# signer (Windows only)
+npx signer -login https://signer.example.com username
+npx signer myapp.exe
+```
+
+## CLI Commands
+
+This package provides two CLI tools with different purposes:
+
+| | signercli | signer |
+|---|-----------|--------|
+| **Purpose** | Direct file signing | Windows signtool integration |
+| **Platform** | Windows, Linux, macOS | Windows only |
+| **How it works** | Signs files directly via server API | Provides certificates to Windows crypto system |
+| **Best for** | CI/CD, cross-platform, simple signing | Windows developers using signtool.exe |
+
+### When to use which tool?
+
+| Scenario | Recommended |
+|----------|-------------|
+| CI/CD pipeline (any platform) | signercli |
+| Linux/macOS development | signercli |
+| Simple file signing | signercli |
+| Using Windows signtool.exe | signer |
+| Windows certificate store integration | signer |
+| Visual Studio post-build signing | signercli or signer |
+
+---
+
+### signercli (Cross-platform)
+
+The main CLI tool for code and document signing. Signs files directly by communicating with the signing server. Works on all platforms without any additional setup.
+
+#### Authentication
+
+```bash
+# Auto-detect authentication (SSH key if exists, otherwise password prompt)
+signercli -login <url> [username]
+
+# SSH Key Authentication (explicit)
+signercli -login <url> -key ~/.ssh/id_ed25519
+signercli -login <url> username -key ~/.ssh/id_rsa
+
+# Password Authentication
+signercli -login <url> -user <userid>              # Password prompted interactively
+signercli -login <url> -user <userid> -pw <password>  # Password on command line
+
+# Login Options
+-profile <name>       Use specific config profile
+-expires <time>       Token expiration (e.g., 24h, 7d, 1w)
+-cert-id <id>         Pre-specify certificate ID
+-cert-serial <sn>     Pre-specify certificate serial number
+-include-chain        Include certificate chain in token
+
+# Logout
+signercli -logout [url]
+```
+
+#### File Signing
+
+```bash
+# Basic signing (default: hash-only mode)
+signercli <file>
+
+# Signing options
+signercli <file> -o <output>              # Specify output file
+signercli <file> -save-signed             # Save with _signed suffix (preserve original)
+signercli <file> -hash-only               # Hash-based signing (default)
+signercli <file> -file-upload             # Upload entire file to server
+signercli <file> -hash-algorithm <alg>    # sha256, sha384, sha512
+signercli <file> -timestamp-url <url>     # Timestamp server URL
+signercli <file> -profile <name>          # Use config profile
+```
+
+> **Note:** Hash-only signing is the default mode. Only the file hash is sent to the server, not the entire file.
+
+#### Signature Verification
+
+```bash
+signercli -verify <file>
+signercli -verify <file> -signature-id <id>    # Verify specific signature
+signercli -verify <file> -profile <name>
+```
+
+#### Certificate Management
+
+```bash
+# List available certificates
+signercli -codesign-list
+
+# Get/Set certificate ID
+signercli -codesign-id                    # Show current certificate ID
+signercli -codesign-id <id>               # Set certificate ID
+
+# Get certificate PEM
+signercli -codesign-cert                  # Fetch current certificate
+signercli -codesign-cert -id <id>         # Fetch specific certificate
+signercli -codesign-cert -o cert.pem      # Save to file
+
+# Set private key password (for password-protected keys on server)
+signercli -codesign-set <password>
+```
+
+#### Configuration
+
+Profiles store connection settings. The `default` profile is used when no profile is specified. Other profiles inherit missing settings from `default`.
+
+```bash
+# View configuration
+signercli -config                         # Show config file
+signercli -config list                    # List all profiles
+signercli -config show <name>             # Show profile details
+
+# Create/Update profile
+signercli -config set <name> [options]
+
+# Delete profile
+signercli -config delete <name>
+```
+
+**Profile Inheritance Example:**
+
+```bash
+# Set common settings in 'default' profile
+signercli -config set default -host https://signer.example.com -username admin
+
+# Create 'production' profile (inherits host and username from default)
+signercli -config set production -cert-id prod-cert-001
+
+# Create 'staging' profile with different host (overrides default)
+signercli -config set staging -host https://staging.example.com -cert-id staging-cert
+
+# Usage
+signercli -login                          # Uses 'default' profile
+signercli -login -profile production      # Uses 'production' (inherits from default)
+signercli -login -profile staging         # Uses 'staging' (overrides host)
+```
+
+**Profile Options:**
+
+| Option | Description |
+|--------|-------------|
+| `-host <url>` | Server URL |
+| `-ssh-key-path <path>` | SSH private key path |
+| `-username <name>` | SSH username |
+| `-user <id>` | Password auth user ID |
+| `-cert-id <id>` | Default certificate ID |
+| `-cert-serial <sn>` | Certificate serial number |
+| `-expires <time>` | Token expiration (24h, 7d, 1w) |
+| `-include-chain` | Include certificate chain |
+| `-timestamp-url <url>` | Timestamp server URL |
+| `-hash-algorithm <alg>` | Default hash algorithm |
+
+**Document Signing Options:**
+
+| Option | Description |
+|--------|-------------|
+| `-doc-style <style>` | watermark, box, barcode, qrcode |
+| `-doc-position <pos>` | bottom-right, bottom-left, top-right, top-left, center |
+| `-doc-sig-position <pos>` | left, center, right (for barcode/qrcode) |
+| `-doc-font-size <size>` | Font size for signature |
+| `-doc-opacity <value>` | Opacity (0.0-1.0 or 0-100) |
+
+#### Windows DLL Installation
+
+```bash
+# Install DLLs to System32 (auto-requests UAC elevation)
+signercli -install
+
+# Remove DLLs from System32
+signercli -uninstall
+```
+
+#### Help & Debugging
+
+```bash
+signercli -help
+signercli -version
+
+# Log levels (append to any command for debugging)
+signercli <file> LOG_DBG                  # Debug output
+signercli <file> LOG_INF                  # Info output
+# Available: LOG_NON, LOG_ERR, LOG_WRN, LOG_DBG, LOG_INF
+```
+
+---
+
+### signer (Windows only)
+
+Windows-specific tool that integrates with the Windows cryptographic system via KSP (Key Storage Provider). Instead of signing files directly, it registers certificates in the Windows certificate store, allowing you to use standard Windows tools like `signtool.exe`.
+
+**How it works:**
+1. Login fetches your certificate from the server
+2. Certificate is registered in Windows certificate store
+3. KSP provider enables private key operations via the server
+4. Use `signtool.exe` or other Windows signing tools normally
+
+```bash
+# Authentication (fetches certificate to Windows store)
+signer -login <url> [username]            # Login and register certificate
+signer -logout                            # Logout and remove certificate
+signer -list                              # List available certificates
+
+# KSP Provider Management
+signer -register                          # Register Certchip KSP provider
+signer -unregister                        # Unregister KSP provider
+signer -enum                              # List all crypto providers
+signer -container                         # List key containers
+
+# DLL Installation (auto-requests UAC elevation)
+signer -install                           # Install DLLs to System32
+signer -uninstall                         # Remove DLLs from System32
+
+# After login, use standard Windows signing tools
+signtool sign /n "Certificate Name" /fd sha256 myapp.exe
+signtool sign /sha1 <thumbprint> /fd sha256 /tr http://timestamp.digicert.com myapp.exe
+```
+
+---
+
+### DLL System Installation (Windows)
+
+For system-wide DLL access (required for signtool integration), install DLLs to System32:
+
+```bash
+# Both tools auto-request UAC elevation when needed
+signercli -install
+signer -install
+
+# To remove DLLs from System32
+signercli -uninstall
+signer -uninstall
+```
+
+**What gets installed:**
+- `otpkey.dll` → `C:\Windows\System32\otpkey.dll`
+- `Certchip.dll` → `C:\Windows\System32\Certchip.dll`
+
+**When to use:**
+- When using `signtool.exe` with the Certchip KSP provider
+- When other applications need to access the DLLs
+- For system-wide certificate store integration
+
+## Node.js API
+
+```javascript
+const signer = require('@certchip/signer');
+
+// Login
+await signer.login('https://signer.example.com', 'username', {
+    keyPath: '~/.ssh/id_ed25519',
+    expires: '24h',
+    certId: 'abc123',
+    includeChain: true
+});
+
+// Sign a file
+await signer.sign('myapp.exe', {
+    output: 'myapp_signed.exe',
+    hashAlgorithm: 'sha256',
+    timestampUrl: 'http://timestamp.digicert.com'
+});
+
+// Verify signature
+const result = await signer.verify('myapp_signed.exe');
+console.log(result.valid ? 'Valid' : 'Invalid');
+
+// Configuration
+await signer.config('set', 'production', {
+    host: 'https://signer.example.com',
+    username: 'john',
+    expires: '12h'
+});
+
+// List certificates
+const certs = await signer.listCertificates();
+
+// Logout
+await signer.logout();
+```
+
+## Configuration Profiles
+
+Create reusable signing profiles:
+
+```bash
+# Create a code signing profile
+signercli -config set production \
+    -host https://signer.example.com \
+    -username john \
+    -ssh-key-path ~/.ssh/id_ed25519 \
+    -expires 24h \
+    -cert-id abc123 \
+    -include-chain \
+    -timestamp-url http://timestamp.digicert.com \
+    -hash-algorithm sha256
+
+# Create a document signing profile with visual signature
+signercli -config set pdf-signing \
+    -host https://signer.example.com \
+    -username john \
+    -doc-style qrcode \
+    -doc-position bottom-right \
+    -doc-sig-position center \
+    -doc-font-size 12 \
+    -doc-opacity 0.8
+
+# Use the profile
+signercli -login -profile production
+signercli myapp.exe -profile production
+signercli document.pdf -profile pdf-signing
+```
+
+## Supported File Types
+
+| Type | Extensions | Method |
+|------|------------|--------|
+| **Code** | .exe, .dll, .sys, .ocx, .msi, .msp, .cab | Authenticode |
+| **Document** | .pdf | Server-based with visual signature |
+| **Script** | .ps1, .vbs | Authenticode |
+| **Java** | .jar | JAR signing |
+| **Text/Source** | .js, .ts, .py, .java, .c, .cpp, .go, .rs, .sh, .yml, .json, .xml, .html, .sql, .md, .txt | Embedded signature |
+
+## Package Contents
+
+```
+@certchip/signer/
+├── lib/
+│   ├── index.js          # Node.js API
+│   └── index.d.ts        # TypeScript definitions
+└── bin/
+    ├── signercli.js      # Cross-platform wrapper
+    ├── signer.js         # Windows KSP wrapper
+    └── win32-x64/
+        ├── signercli.exe # 9.3 MB (static build)
+        ├── signer.exe    # 420 KB (static build)
+        ├── otpkey.dll    # 6.2 MB (static linked)
+        └── Certchip.dll  # 700 KB (KSP provider)
+```
+
+### Binary Comparison
+
+| | signercli | signer |
+|---|-----------|--------|
+| **Platform** | Windows, Linux, macOS | Windows only |
+| **Dependencies** | None (static build) | otpkey.dll, Certchip.dll |
+| **Size** | 9.3 MB | 420 KB + 6.9 MB DLLs |
+| **Signing method** | Direct (via server API) | Indirect (via Windows crypto) |
+| **Windows KSP** | No | Yes |
+| **signtool compatible** | No | Yes |
+| **UAC auto-elevation** | Yes | Yes |
+| **Use case** | CI/CD, cross-platform | Windows developers, signtool |
+
+## Examples
+
+### CI/CD Pipeline
+
+```bash
+#!/bin/bash
+set -e
+
+# Login
+signercli -login "$SIGNER_URL" "$SIGNER_USER" -key "$SSH_KEY_PATH"
+
+# Sign all executables
+for exe in dist/*.exe; do
+    signercli "$exe"
+done
+
+# Logout
+signercli -logout
+```
+
+### TypeScript Usage
+
+```typescript
+import * as signer from '@certchip/signer';
+
+async function signRelease() {
+    await signer.login('https://signer.example.com', 'username');
+
+    const result = await signer.sign('app.exe', {
+        output: 'app_signed.exe',
+        hashAlgorithm: 'sha256'
+    });
+
+    if (result.success) {
+        console.log('Signed:', result.outputPath);
+    }
+
+    await signer.logout();
+}
+```
+
+### Document Signing with Visual Signature
+
+```bash
+# Login
+signercli -login https://signer.example.com username
+
+# Sign PDF with QR code signature
+signercli document.pdf \
+    -doc-style qrcode \
+    -doc-position bottom-right \
+    -o document_signed.pdf
+
+# Sign PDF with watermark
+signercli contract.pdf \
+    -doc-style watermark \
+    -doc-position center \
+    -doc-opacity 0.3
+```
+
+### Windows KSP with signtool
+
+```batch
+REM First-time setup (run as Administrator):
+REM 1. Install DLLs to System32
+signercli -install
+
+REM 2. Register KSP provider
+signer -register
+
+REM Daily usage:
+REM Login to get certificate
+signer -login https://signer.example.com username
+
+REM Sign with signtool
+signtool sign /n "Your Certificate" /fd sha256 /tr http://timestamp.digicert.com myapp.exe
+
+REM Verify
+signtool verify /pa myapp.exe
+
+REM Logout
+signer -logout
+
+REM To uninstall:
+signer -unregister
+signercli -uninstall
+```
+
+## Authentication
+
+### SSH Key (Recommended)
+
+```bash
+# Generate Ed25519 key (if needed)
+ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
+
+# Login with default key
+signercli -login https://server.com username
+
+# Login with specific key
+signercli -login https://server.com username -key ~/.ssh/id_rsa
+```
+
+### Password
+
+```bash
+signercli -login https://server.com -user admin -pw password
+```
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `SIGNER_URL` | Default server URL |
+| `SIGNER_USER` | Default username |
+| `SIGNER_KEY_PATH` | Default SSH key path |
+| `SIGNER_CERT_ID` | Default certificate ID |
+
+## Troubleshooting
+
+### "signer command is only available on Windows"
+
+The `signer` command requires Windows KSP integration. Use `signercli` for cross-platform signing.
+
+### "DLL not found"
+
+The `signer.exe` requires `otpkey.dll` and `Certchip.dll`. These are automatically included when installed via npm. No additional MSYS2 or system DLLs are required.
+
+For signtool integration or system-wide access, install DLLs to System32:
+```bash
+signercli -install
+```
+
+### "Access denied" during installation
+
+The `-install` command requires Administrator privileges. Both `signercli` and `signer` will automatically request UAC elevation. If the UAC prompt is cancelled, run the command prompt as Administrator.
+
+### "Token expired"
+
+Login again:
+```bash
+signercli -login https://server.com username
+```
+
+### "Permission denied"
+
+On Linux/macOS, ensure the binary is executable:
+```bash
+chmod +x node_modules/@certchip/signer/bin/*/signercli
+```
+
+## Requirements
+
+- **Node.js** >= 14.0.0
+- **Platforms**: Windows x64 (Linux x64/arm64, macOS x64/arm64 coming soon)
+- **Server**: Certchip Signer API compatible server
+
+> **Note:** The current npm package includes Windows x64 binaries only. Linux and macOS binaries will be added in a future release.
+
+## License
+
+Copyright (c) 2025 Certchip. All rights reserved.
+
+## Links
+
+- [Homepage](https://certchip.com/signer)
+- [Documentation](https://certchip.com/signer/help)
+- [Issues](https://github.com/certchip/signer-cli/issues)

package/bin/signer.js

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+const { spawn } = require('child_process');
+const path = require('path');
+const os = require('os');
+
+function getBinaryPath(name) {
+    const platform = os.platform();
+    if (platform !== 'win32') {
+        console.error('signer command is only available on Windows (Windows KSP integration)');
+        console.error('Use signercli for cross-platform code signing');
+        process.exit(1);
+    }
+    return path.join(__dirname, 'win32-x64', name + '.exe');
+}
+
+const binary = getBinaryPath('signer');
+const child = spawn(binary, process.argv.slice(2), { stdio: 'inherit', windowsHide: true });
+child.on('close', code => process.exit(code || 0));
+child.on('error', err => { console.error(err.message); process.exit(1); });

package/bin/signercli.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+const { spawn } = require('child_process');
+const path = require('path');
+const os = require('os');
+
+function getBinaryPath(name) {
+    const platform = os.platform();
+    const arch = os.arch();
+    let platformId = platform === 'win32' ? 'win32' : platform === 'darwin' ? 'darwin' : 'linux';
+    let archId = arch === 'x64' || arch === 'x86_64' ? 'x64' : 'arm64';
+    const ext = platform === 'win32' ? '.exe' : '';
+    return path.join(__dirname, platformId + '-' + archId, name + ext);
+}
+
+const binary = getBinaryPath('signercli');
+const child = spawn(binary, process.argv.slice(2), { stdio: 'inherit', windowsHide: true });
+child.on('close', code => process.exit(code || 0));
+child.on('error', err => { console.error(err.message); process.exit(1); });

package/lib/index.d.ts

@@ -0,0 +1,122 @@
+/**
+ * @certchip/signer - TypeScript definitions
+ */
+
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    code: number;
+}
+
+export interface LoginOptions {
+    keyPath?: string;
+    expires?: string;
+    certId?: string;
+    certSerial?: string;
+    includeChain?: boolean;
+}
+
+export interface LoginResult {
+    success: boolean;
+    message: string;
+    code: number;
+}
+
+export interface LogoutResult {
+    success: boolean;
+    message: string;
+    code: number;
+}
+
+export interface SignOptions {
+    output?: string;
+    profile?: string;
+    hashAlgorithm?: string;
+    timestampUrl?: string;
+    hashOnly?: boolean;
+}
+
+export interface SignResult {
+    success: boolean;
+    message: string;
+    code: number;
+    outputPath?: string;
+}
+
+export interface VerifyOptions {
+    signatureId?: string;
+    profile?: string;
+}
+
+export interface VerifyResult {
+    valid: boolean;
+    message: string;
+    code: number;
+}
+
+export interface ConfigOptions {
+    host?: string;
+    username?: string;
+    keyPath?: string;
+    expires?: string;
+    certId?: string;
+    timestampUrl?: string;
+    includeChain?: boolean;
+}
+
+export interface ConfigResult {
+    success: boolean;
+    message: string;
+    code: number;
+}
+
+export interface ListCertificatesResult {
+    success: boolean;
+    message: string;
+    code: number;
+}
+
+/**
+ * Execute signer command with raw arguments
+ */
+export function exec(args: string[]): Promise<ExecResult>;
+
+/**
+ * Login to signing server
+ */
+export function login(serverUrl: string, username?: string, options?: LoginOptions): Promise<LoginResult>;
+
+/**
+ * Logout from signing server
+ */
+export function logout(serverUrl?: string): Promise<LogoutResult>;
+
+/**
+ * Sign a file
+ */
+export function sign(filePath: string, options?: SignOptions): Promise<SignResult>;
+
+/**
+ * Verify signature on a file
+ */
+export function verify(filePath: string, options?: VerifyOptions): Promise<VerifyResult>;
+
+/**
+ * Get or set configuration
+ */
+export function config(action?: string, profile?: string, options?: ConfigOptions): Promise<ConfigResult>;
+
+/**
+ * List available certificates
+ */
+export function listCertificates(): Promise<ListCertificatesResult>;
+
+/**
+ * Get version information
+ */
+export function version(): Promise<string>;
+
+/**
+ * Get the path to the signer binary
+ */
+export function getBinaryPath(): string;

package/lib/index.js

@@ -0,0 +1,285 @@
+/**
+ * @certchip/signercli - Node.js API
+ *
+ * Provides programmatic access to the signercli CLI functionality.
+ *
+ * @example
+ * const signercli = require('@certchip/signercli');
+ *
+ * // Login with SSH key
+ * await signercli.login('https://server.com', 'username');
+ *
+ * // Sign a file
+ * await signercli.sign('myapp.exe');
+ *
+ * // Verify signature
+ * const result = await signercli.verify('myapp.exe');
+ *
+ * // Logout
+ * await signercli.logout();
+ */
+
+'use strict';
+
+const { spawn } = require('child_process');
+const path = require('path');
+const os = require('os');
+
+/**
+ * Get the path to the signer binary
+ */
+function getBinaryPath() {
+    const platform = os.platform();
+    const arch = os.arch();
+
+    let platformId;
+    switch (platform) {
+        case 'win32': platformId = 'win32'; break;
+        case 'linux': platformId = 'linux'; break;
+        case 'darwin': platformId = 'darwin'; break;
+        default: throw new Error(`Unsupported platform: ${platform}`);
+    }
+
+    let archId;
+    switch (arch) {
+        case 'x64':
+        case 'x86_64':
+            archId = 'x64';
+            break;
+        case 'arm64':
+        case 'aarch64':
+            archId = 'arm64';
+            break;
+        default:
+            throw new Error(`Unsupported architecture: ${arch}`);
+    }
+
+    const binaryName = platform === 'win32' ? 'signercli.exe' : 'signercli';
+    return path.join(__dirname, '..', 'bin', `${platformId}-${archId}`, binaryName);
+}
+
+/**
+ * Execute signer command
+ * @param {string[]} args - Command line arguments
+ * @returns {Promise<{stdout: string, stderr: string, code: number}>}
+ */
+function exec(args) {
+    return new Promise((resolve, reject) => {
+        const binary = getBinaryPath();
+        const proc = spawn(binary, args, {
+            stdio: ['inherit', 'pipe', 'pipe'],
+            windowsHide: true
+        });
+
+        let stdout = '';
+        let stderr = '';
+
+        proc.stdout.on('data', (data) => {
+            stdout += data.toString();
+        });
+
+        proc.stderr.on('data', (data) => {
+            stderr += data.toString();
+        });
+
+        proc.on('close', (code) => {
+            resolve({ stdout, stderr, code: code || 0 });
+        });
+
+        proc.on('error', (error) => {
+            reject(error);
+        });
+    });
+}
+
+/**
+ * Login to signing server
+ * @param {string} serverUrl - Server URL
+ * @param {string} [username] - SSH username (optional for keyless mode)
+ * @param {Object} [options] - Login options
+ * @param {string} [options.keyPath] - SSH key path
+ * @param {string} [options.expires] - Token expiration (e.g., "24h")
+ * @param {string} [options.certId] - Certificate ID
+ * @param {boolean} [options.includeChain] - Include certificate chain
+ * @returns {Promise<{success: boolean, message: string}>}
+ */
+async function login(serverUrl, username, options = {}) {
+    const args = ['-login', serverUrl];
+
+    if (username) {
+        args.push(username);
+    }
+    if (options.keyPath) {
+        args.push('-key', options.keyPath);
+    }
+    if (options.expires) {
+        args.push('-expires', options.expires);
+    }
+    if (options.certId) {
+        args.push('-cert-id', options.certId);
+    }
+    if (options.includeChain) {
+        args.push('-include-chain');
+    }
+
+    const result = await exec(args);
+    return {
+        success: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code
+    };
+}
+
+/**
+ * Logout from signing server
+ * @param {string} [serverUrl] - Server URL (optional)
+ * @returns {Promise<{success: boolean, message: string}>}
+ */
+async function logout(serverUrl) {
+    const args = ['-logout'];
+    if (serverUrl) {
+        args.push(serverUrl);
+    }
+
+    const result = await exec(args);
+    return {
+        success: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code
+    };
+}
+
+/**
+ * Sign a file
+ * @param {string} filePath - Path to file to sign
+ * @param {Object} [options] - Signing options
+ * @param {string} [options.output] - Output file path
+ * @param {string} [options.profile] - Config profile name
+ * @param {string} [options.hashAlgorithm] - Hash algorithm
+ * @param {string} [options.timestampUrl] - Timestamp server URL
+ * @param {boolean} [options.hashOnly] - Only compute hash
+ * @returns {Promise<{success: boolean, message: string, outputPath?: string}>}
+ */
+async function sign(filePath, options = {}) {
+    const args = [filePath];
+
+    if (options.output) {
+        args.push('-o', options.output);
+    }
+    if (options.profile) {
+        args.push('-profile', options.profile);
+    }
+    if (options.hashAlgorithm) {
+        args.push('-hash-algorithm', options.hashAlgorithm);
+    }
+    if (options.timestampUrl) {
+        args.push('-timestamp-url', options.timestampUrl);
+    }
+    if (options.hashOnly) {
+        args.push('-hash-only');
+    }
+
+    const result = await exec(args);
+    return {
+        success: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code,
+        outputPath: options.output
+    };
+}
+
+/**
+ * Verify signature on a file
+ * @param {string} filePath - Path to file to verify
+ * @param {Object} [options] - Verification options
+ * @param {string} [options.signatureId] - Specific signature ID
+ * @param {string} [options.profile] - Config profile name
+ * @returns {Promise<{valid: boolean, message: string, details?: Object}>}
+ */
+async function verify(filePath, options = {}) {
+    const args = ['-verify', filePath];
+
+    if (options.signatureId) {
+        args.push('-signature-id', options.signatureId);
+    }
+    if (options.profile) {
+        args.push('-profile', options.profile);
+    }
+
+    const result = await exec(args);
+    return {
+        valid: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code
+    };
+}
+
+/**
+ * Get or set configuration
+ * @param {string} [action] - Config action (list, show, set, delete)
+ * @param {string} [profile] - Profile name
+ * @param {Object} [options] - Config options for set action
+ * @returns {Promise<{success: boolean, message: string}>}
+ */
+async function config(action, profile, options = {}) {
+    const args = ['-config'];
+
+    if (action) {
+        args.push(action);
+    }
+    if (profile) {
+        args.push(profile);
+    }
+
+    // Add options for 'set' action
+    if (action === 'set' && options) {
+        if (options.host) args.push('-host', options.host);
+        if (options.username) args.push('-username', options.username);
+        if (options.keyPath) args.push('-ssh-key-path', options.keyPath);
+        if (options.expires) args.push('-expires', options.expires);
+        if (options.certId) args.push('-cert-id', options.certId);
+        if (options.timestampUrl) args.push('-timestamp-url', options.timestampUrl);
+        if (options.includeChain) args.push('-include-chain');
+    }
+
+    const result = await exec(args);
+    return {
+        success: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code
+    };
+}
+
+/**
+ * List available certificates
+ * @returns {Promise<{success: boolean, certificates: Array}>}
+ */
+async function listCertificates() {
+    const result = await exec(['-codesign-list']);
+    return {
+        success: result.code === 0,
+        message: result.stdout || result.stderr,
+        code: result.code
+    };
+}
+
+/**
+ * Get version information
+ * @returns {Promise<string>}
+ */
+async function version() {
+    const result = await exec(['-version']);
+    return result.stdout.trim();
+}
+
+module.exports = {
+    exec,
+    login,
+    logout,
+    sign,
+    verify,
+    config,
+    listCertificates,
+    version,
+    getBinaryPath
+};

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@certchip/signer",
+  "version": "0.1.11",
+  "description": "Cross-platform code and document signing CLI tool",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "bin": {
+    "signercli": "./bin/signercli.js",
+    "signer": "./bin/signer.js"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "version:generate": "node scripts/generate-version.js",
+    "prebuild": "npm run version:generate",
+    "prepack": "npm run version:generate"
+  },
+  "files": [
+    "bin/",
+    "lib/",
+    "README.md"
+  ],
+  "keywords": [
+    "code-signing",
+    "digital-signature",
+    "authenticode",
+    "pdf-signing",
+    "document-signing",
+    "cli",
+    "cross-platform"
+  ],
+  "author": "Certchip <support@certchip.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/certchip/signer-cli.git"
+  },
+  "bugs": {
+    "url": "https://github.com/certchip/signer-cli/issues"
+  },
+  "homepage": "https://certchip.com/signer",
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "os": [
+    "win32",
+    "linux",
+    "darwin"
+  ],
+  "cpu": [
+    "x64",
+    "arm64"
+  ]
+}