@certchip/signer 0.1.11 → 0.1.19

package/README.md

@@ -12,6 +12,7 @@ Cross-platform code and document signing CLI tool with SSH key authentication.
 - **Text/Source Signing** - JS, Python, Go, Rust, and more
 - **Hash-based Signing** - Default mode: only hash sent to server, not the file
 - **Windows KSP** - Native Windows crypto integration (Windows only)
+- **Structured Output** - JSON, table, or CSV output for scripting and automation
 
 ## Installation
 
@@ -47,11 +48,13 @@ signercli -logout
 # Login (certificate is installed to Windows certificate store)
 signer -login https://signer.example.com username
 
-# Sign using Windows signtool.exe
-signtool sign /n "Your Certificate CN" /fd sha256 /tr http://timestamp.digicert.com /td sha256 myapp.exe
+# Sign directly with signer (same options as signercli)
+signer myapp.exe                              # Default: hash-only mode
+signer myapp.exe -o myapp_signed.exe          # Specify output file
+signer myapp.exe -file-upload -save-signed    # Upload file, save with _signed suffix
 
-# Or sign directly with signer
-signer myapp.exe
+# Or use Windows signtool.exe (after login)
+signtool sign /n "Your Certificate CN" /fd sha256 /tr http://timestamp.digicert.com /td sha256 myapp.exe
 
 # Logout (removes certificate from store)
 signer -logout
@@ -75,10 +78,10 @@ This package provides two CLI tools with different purposes:
 
 | | signercli | signer |
 |---|-----------|--------|
-| **Purpose** | Direct file signing | Windows signtool integration |
+| **Purpose** | Direct file signing | Direct signing + Windows signtool integration |
 | **Platform** | Windows, Linux, macOS | Windows only |
-| **How it works** | Signs files directly via server API | Provides certificates to Windows crypto system |
-| **Best for** | CI/CD, cross-platform, simple signing | Windows developers using signtool.exe |
+| **How it works** | Signs files directly via server API | Signs files directly OR provides certificates to Windows crypto system |
+| **Best for** | CI/CD, cross-platform, simple signing | Windows developers, signtool.exe integration |
 
 ### When to use which tool?
 
@@ -86,7 +89,8 @@ This package provides two CLI tools with different purposes:
 |----------|-------------|
 | CI/CD pipeline (any platform) | signercli |
 | Linux/macOS development | signercli |
-| Simple file signing | signercli |
+| Simple file signing | signercli or signer |
+| Windows direct signing | signer or signercli |
 | Using Windows signtool.exe | signer |
 | Windows certificate store integration | signer |
 | Visual Studio post-build signing | signercli or signer |
@@ -167,6 +171,28 @@ signercli -codesign-cert -o cert.pem      # Save to file
 signercli -codesign-set <password>
 ```
 
+**Alternative: `-cert` commands (compatible with signer.exe)**
+
+```bash
+# List certificates (with purpose filter)
+signercli -cert -list                     # List all certificates
+signercli -cert -list codesign            # List code signing certificates
+signercli -cert -list docsign             # List document signing certificates
+
+# Get/Set certificate ID
+signercli -cert -id                       # Show current configuration
+signercli -cert -id <cert_id>             # Set certificate ID
+signercli -cert -id <cert_id> <label>     # Set with label
+
+# Get certificate PEM
+signercli -cert -pem
+
+# Set private key password
+signercli -cert -password <password>
+```
+
+> **Note:** The `-cert` commands use the same API endpoints as `signer.exe`, ensuring full compatibility between both tools.
+
 #### Configuration
 
 Profiles store connection settings. The `default` profile is used when no profile is specified. Other profiles inherit missing settings from `default`.
@@ -216,6 +242,7 @@ signercli -login -profile staging         # Uses 'staging' (overrides host)
 | `-include-chain` | Include certificate chain |
 | `-timestamp-url <url>` | Timestamp server URL |
 | `-hash-algorithm <alg>` | Default hash algorithm |
+| `-output-format <type>` | Default output format (classic, json, table, csv) |
 
 **Document Signing Options:**
 
@@ -249,23 +276,147 @@ signercli <file> LOG_INF                  # Info output
 # Available: LOG_NON, LOG_ERR, LOG_WRN, LOG_DBG, LOG_INF
 ```
 
+**Version Output:**
+
+The `-version` command displays comprehensive version information:
+
+```
+# signercli -version
+Certchip Signer CLI v0.1.18
+Cross-platform code and document signing tool
+Copyright (c) 2025 Certchip. All rights reserved.
+
+DLL Versions (Local):
+  otpkey.dll:   0.1.18.0
+  Certchip.dll: 0.1.18.0
+
+DLL Versions (System32):
+  otpkey.dll:   0.1.18.0
+  Certchip.dll: 0.1.18.0
+```
+
+| Information | Description |
+|-------------|-------------|
+| CLI Version | signercli/signer executable version |
+| Local DLL | DLL versions in the same directory as the executable |
+| System32 DLL | DLL versions installed in Windows System32 folder |
+
+> **Note:** DLL version information is Windows-only. On Linux/macOS, only the CLI version is displayed.
+
+#### Output Format
+
+Both `signercli` and `signer` support structured output formats for scripting and automation.
+
+```bash
+# JSON format (default for scripting)
+signercli -verify myapp.exe -format json
+signercli -config list -format json
+signercli -logout -format json
+
+# Table format (aligned columns)
+signercli -verify myapp.exe -format table
+
+# CSV format (spreadsheet-friendly)
+signercli -config list -format csv
+
+# Classic format (default - human-readable)
+signercli -verify myapp.exe
+```
+
+**Format Options:**
+
+| Format | Description | Best for |
+|--------|-------------|----------|
+| `classic` | Human-readable output (default) | Interactive use |
+| `json` | JSON structured output | CI/CD, scripting, automation |
+| `table` | Aligned table format | Terminal display |
+| `csv` | Comma-separated values | Spreadsheets, data processing |
+
+**Example: JSON output from verify command**
+
+```bash
+$ signercli -verify myapp.exe -format json
+```
+
+```json
+{
+    "command": "verify",
+    "status": "valid",
+    "file": "myapp.exe",
+    "method": "AUTHENTICODE",
+    "signer": "Example Company",
+    "serialNumber": "0123456789abcdef",
+    "timestamp": "2025-01-15 10:30:00",
+    "success": true
+}
+```
+
+**Example: JSON output from config list**
+
+```bash
+$ signercli -config list -format json
+```
+
+```json
+{
+    "command": "config-list",
+    "count": 3,
+    "profiles": ["default", "production", "staging"],
+    "success": true
+}
+```
+
+**Example: JSON output from login**
+
+```bash
+$ signercli -login https://signer.example.com admin -pw secret -format json
+```
+
+```json
+{
+    "command": "login",
+    "status": "success",
+    "username": "admin",
+    "expiresIn": 86400,
+    "certificate": {
+        "cn": "Example Company Code Signing"
+    },
+    "success": true
+}
+```
+
+> **Note:** Interactive authentication (password prompt, SSH key selection) is not available with structured output formats. Use `-user` and `-pw` options or `-key` option for non-interactive login.
+
 ---
 
 ### signer (Windows only)
 
-Windows-specific tool that integrates with the Windows cryptographic system via KSP (Key Storage Provider). Instead of signing files directly, it registers certificates in the Windows certificate store, allowing you to use standard Windows tools like `signtool.exe`.
+Windows-specific tool that integrates with the Windows cryptographic system via KSP (Key Storage Provider). It can both sign files directly (like signercli) and register certificates in the Windows certificate store for use with `signtool.exe`.
 
-**How it works:**
-1. Login fetches your certificate from the server
-2. Certificate is registered in Windows certificate store
-3. KSP provider enables private key operations via the server
-4. Use `signtool.exe` or other Windows signing tools normally
+**Two signing methods:**
+1. **Direct signing** - Sign files directly with `signer <file>` (same as signercli)
+2. **signtool integration** - Login to register certificate, then use Windows signtool.exe
 
 ```bash
 # Authentication (fetches certificate to Windows store)
 signer -login <url> [username]            # Login and register certificate
 signer -logout                            # Logout and remove certificate
-signer -list                              # List available certificates
+
+# File Signing (direct - same options as signercli)
+signer <file> [options]                   # Sign a file directly
+    -o <path>                             # Output file path
+    -hash-only                            # Hash-based signing (default)
+    -file-upload                          # Upload entire file to server
+    -save-signed                          # Save with _signed suffix
+    -profile <name>                       # Use specific signing profile
+
+# Certificate Management
+signer -cert -list                        # List available certificates
+signer -cert -list codesign               # Filter by purpose
+signer -cert -id                          # Show current certificate configuration
+signer -cert -id <cert_id>                # Set certificate ID
+signer -cert -pem                         # Get certificate PEM
+signer -cert -password <password>         # Set private key password
 
 # KSP Provider Management
 signer -register                          # Register Certchip KSP provider
@@ -277,11 +428,46 @@ signer -container                         # List key containers
 signer -install                           # Install DLLs to System32
 signer -uninstall                         # Remove DLLs from System32
 
-# After login, use standard Windows signing tools
+# Version & Help
+signer -version                           # Show version and DLL info
+signer -help                              # Show usage help
+
+# After login, use standard Windows signing tools (signtool integration)
 signtool sign /n "Certificate Name" /fd sha256 myapp.exe
 signtool sign /sha1 <thumbprint> /fd sha256 /tr http://timestamp.digicert.com myapp.exe
 ```
 
+**Examples:**
+```bash
+# Direct signing with output path
+signer myapp.exe -o myapp_signed.exe
+
+# Upload entire file for signing
+signer myapp.exe -file-upload -o myapp_signed.exe
+
+# Hash-only signing with _signed suffix
+signer myapp.exe -save-signed
+```
+
+**Version Output:**
+
+```
+# signer -version
+Certchip Signer v0.1.18
+Windows Key Storage Provider and Code Signing Tool
+Copyright (c) 2025 Certchip. All rights reserved.
+
+DLL Versions (Local):
+  otpkey.dll:   0.1.18.0
+  Certchip.dll: 0.1.18.0
+
+DLL Versions (System32):
+  otpkey.dll:   0.1.18.0
+  Certchip.dll: 0.1.18.0
+```
+
+The version output helps diagnose DLL version mismatches between local and system-wide installations.
+
 ---
 
 ### DLL System Installation (Windows)
@@ -371,10 +557,16 @@ signercli -config set pdf-signing \
     -doc-font-size 12 \
     -doc-opacity 0.8
 
+# Create an automation profile with JSON output
+signercli -config set automation \
+    -host https://signer.example.com \
+    -output-format json
+
 # Use the profile
 signercli -login -profile production
 signercli myapp.exe -profile production
 signercli document.pdf -profile pdf-signing
+signercli -verify myapp.exe -profile automation  # Outputs JSON automatically
 ```
 
 ## Supported File Types
@@ -411,7 +603,7 @@ signercli document.pdf -profile pdf-signing
 | **Platform** | Windows, Linux, macOS | Windows only |
 | **Dependencies** | None (static build) | otpkey.dll, Certchip.dll |
 | **Size** | 9.3 MB | 420 KB + 6.9 MB DLLs |
-| **Signing method** | Direct (via server API) | Indirect (via Windows crypto) |
+| **Signing method** | Direct (via server API) | Direct OR via Windows crypto (signtool) |
 | **Windows KSP** | No | Yes |
 | **signtool compatible** | No | Yes |
 | **UAC auto-elevation** | Yes | Yes |
@@ -425,16 +617,45 @@ signercli document.pdf -profile pdf-signing
 #!/bin/bash
 set -e
 
-# Login
-signercli -login "$SIGNER_URL" "$SIGNER_USER" -key "$SSH_KEY_PATH"
+# Login with JSON output for parsing
+result=$(signercli -login "$SIGNER_URL" -user "$SIGNER_USER" -pw "$SIGNER_PW" -format json)
+if ! echo "$result" | jq -e '.success' > /dev/null; then
+    echo "Login failed: $(echo "$result" | jq -r '.error')"
+    exit 1
+fi
 
 # Sign all executables
 for exe in dist/*.exe; do
     signercli "$exe"
 done
 
-# Logout
-signercli -logout
+# Logout with JSON output
+signercli -logout -format json
+```
+
+### CI/CD Pipeline with Verification
+
+```bash
+#!/bin/bash
+set -e
+
+# Sign and verify with JSON output
+signercli -login "$SIGNER_URL" -user "$SIGNER_USER" -pw "$SIGNER_PW" -format json
+
+for exe in dist/*.exe; do
+    signercli "$exe"
+
+    # Verify and parse JSON result
+    verify_result=$(signercli -verify "$exe" -format json)
+    status=$(echo "$verify_result" | jq -r '.status')
+
+    if [ "$status" != "valid" ]; then
+        echo "Verification failed for $exe"
+        exit 1
+    fi
+done
+
+signercli -logout -format json
 ```
 
 ### TypeScript Usage

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@certchip/signer",
-  "version": "0.1.11",
+  "version": "0.1.19",
   "description": "Cross-platform code and document signing CLI tool",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",