From 867191105c7630ab4147ddde332058d8aa636b98 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 28 Sep 2020 17:42:41 -0700 Subject: [PATCH 01/15] Update signtool-exe.md --- docs/framework/tools/signtool-exe.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 79ff8cb7ee88a..a56cbcbfc4917 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -11,6 +11,10 @@ ms.assetid: 0c25ff6c-bff3-422e-b017-146a3ee86cb9 Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and time-stamps files. This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](developer-command-prompt-for-vs.md). + +> [!Note] +> Beginning in Windows 10 SDK (10.0.19041.0), Windows 10 HLK (10.0.xxxx) and Windows 10 ADK (10.0.yyyy), the SignTool sign command requires the /fd `file digest algorithm` and the /td `timestamp digest algorithm` option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. + At the command prompt, type the following: 
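Review bot: the note added in this hunk ships with placeholder kit versions, `Windows 10 HLK (10.0.xxxx)` and `Windows 10 ADK (10.0.yyyy)`; fill in the real build numbers or drop the parentheticals before merge. In the same paragraph, `/fd` followed by a code span reading `file digest algorithm` puts the description in code formatting while the switch itself is plain text; the tables below use the opposite convention (`/fd`, `/td` in backticks, argument names in italics), so `/fd` *alg* would match. "A warning ... will be thrown" also reads like an exception; "SignTool emits a warning" says what actually happens.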
@@ -70,7 +74,7 @@ signtool [command] [options] [file_name | ...] |`/d` *Desc*|Specifies a description of the signed content.| |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| -|`/fd`|Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.| +|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if /fd switch is not provided while signing. The default alg is SHA1 but SHA256 is recommended.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| |`/n` *SubjectName*|Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.| @@ -85,7 +89,7 @@ signtool [command] [options] [file_name | ...] |`/sha1` *Hash*|Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.| |`/sm`|Specifies that a machine store, instead of a user store, is used.| |`/t` *URL*|Specifies the URL of the time stamp server. If this option (or `/tr`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/tr` option.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.| +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if /td switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. If this option (or `/t`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/t` option.| |`/u` *Usage*|Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).| |`/uw`|Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).| @@ -100,7 +104,7 @@ signtool [command] [options] [file_name | ...] |----------------------|-----------------| |`/p7`|Time stamps PKCS #7 files.| |`/t` *URL*|Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the `/t` or the `/tr` option is required.| -|`/td` *alg*|Requests a digest algorithm used by the RFC 3161 time stamp server. `/td` is used with the `/tr` option.| +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if /td switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tp` *index*|Time stamps the signature at *index*.| |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the `/tr` or the `/t` option is required.| 
@@ -151,37 +155,37 @@ signtool catdb /v /u MyCatalogFileName.cat The following command signs a file automatically by using the best certificate. ```console -signtool sign /a MyFile.exe +signtool sign /a MyFile.exe /fd SHA256 ``` The following command digitally signs a file by using a certificate stored in a password-protected PFX file. ```console -signtool sign /f MyCert.pfx /p MyPassword MyFile.exe +signtool sign /f MyCert.pfx /p MyPassword MyFile.exe /fd SHA256 ``` The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file. ```console -signtool sign /f MyCert.pfx /t http://timestamp.digicert.com MyFile.exe +signtool sign /f MyCert.pfx /t http://timestamp.digicert.com MyFile.exe /fd SHA256 ``` The following command signs a file by using a certificate located in the `My` store that has a subject name of `My Company Certificate`. ```console -signtool sign /n "My Company Certificate" MyFile.exe +signtool sign /n "My Company Certificate" MyFile.exe /fd SHA256 ``` The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control. ```console -Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html MyControl.exe +Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html MyControl.exe /fd SHA256 ``` The following command time-stamps a file that has already been digitally signed. ```console -signtool timestamp /t http://timestamp.digicert.com MyFile.exe +signtool timestamp /t http://timestamp.digicert.com MyFile.exe /td SHA256 ``` The following command verifies that a file has been signed. From 270e0625c74007d23d14b1911d1a916dfc5a4b27 Mon Sep 17 00:00:00 2001 
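Review bot: every example in this hunk appends `/fd SHA256` after the file name, which contradicts the syntax line shown in the hunk context, `signtool [command] [options] [file_name | ...]`; put the option before `MyFile.exe`. The last example, `signtool timestamp /t http://timestamp.digicert.com MyFile.exe /td SHA256`, pairs `/td` with the legacy `/t` server, yet the `/td` row added earlier in this same patch says it is "Used with the `/tr` option"; either switch the example to `/tr` or explain what `/td` does with `/t`. The ActiveX example is also touched here and still reads `Signtool sign /f MyCert.pfx /d: "MyControl"`; normalize to lowercase `signtool` and `/d "MyControl"` to match the `/d` *Desc* row.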
From: Jordan Geurten Date: Mon, 12 Oct 2020 14:21:46 -0700 Subject: [PATCH 02/15] Updated kit build versions and examples --- docs/framework/tools/signtool-exe.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index a56cbcbfc4917..c54a7cccb3826 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md 
@@ -13,7 +13,7 @@ Sign Tool is a command-line tool that digitally signs files, verifies signatures This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](developer-command-prompt-for-vs.md). > [!Note] -> Beginning in Windows 10 SDK (10.0.19041.0), Windows 10 HLK (10.0.xxxx) and Windows 10 ADK (10.0.yyyy), the SignTool sign command requires the /fd `file digest algorithm` and the /td `timestamp digest algorithm` option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. +> The Windows 10 SDK, Windows 10 HLK, Windows 10 WDK and Windows 10 ADK **builds 20236 and above** will now require specifying the digest algorithm. The SignTool sign command requires the /fd `file digest algorithm` and the /td `timestamp digest algorithm` option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. At the command prompt, type the following: 
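Review bot: "will now require specifying the digest algorithm" in the rewritten note conflicts with the two sentences that follow it, which say omitting `/fd` or `/td` only produces a warning with exit code 0 and that the warning "will become an error" in later versions; say "warns when the digest algorithm is omitted, and later builds will make this an error". "builds 20236 and above" replaces the previous `10.0.19041.0` form but lists four different kits (SDK, HLK, WDK, ADK) under one bare build number; state the versioning scheme the number belongs to so readers of each kit can map it.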
@@ -75,6 +75,7 @@ signtool [command] [options] [file_name | ...] |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| |`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if /fd switch is not provided while signing. The default alg is SHA1 but SHA256 is recommended.| +|`/fd` *certHash*|Specifying the string certHash will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and greater.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| |`/n` *SubjectName*|Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.| @@ -144,7 +145,8 @@ signtool [command] [options] [file_name | ...] |0|Execution was successful.| |1|Execution has failed.| |2|Execution has completed with warnings.| - + + ## Examples The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The `/u` option generates a unique name if necessary to prevent replacing an existing catalog file named `MyCatalogFileName.cat`. 
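Review bot: the new `|`/fd` *certHash*|` row makes `/fd` appear twice in the table, which reads as two distinct switches; fold it into the existing `/fd` row as an allowed value, along the lines of "*alg* may be `certHash`, which selects the digest algorithm of the signing certificate (builds 20236 and later)". "Specifying the string certHash will default to the algorithm used on the signing certificate" is also ambiguous about which algorithm is meant; say "the algorithm of the certificate's signature" if that is what the tool does. In the exit-code hunk, one blank line before `## Examples` is replaced by two; a single blank line is enough and the extra one is what patch 06 removes again later in this series.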
@@ -155,37 +157,43 @@ signtool catdb /v /u MyCatalogFileName.cat The following command signs a file automatically by using the best certificate. ```console -signtool sign /a MyFile.exe /fd SHA256 +signtool sign /a /fd SHA256 MyFile.exe ``` The following command digitally signs a file by using a certificate stored in a password-protected PFX file. ```console -signtool sign /f MyCert.pfx /p MyPassword MyFile.exe /fd SHA256 +signtool sign /f MyCert.pfx /p MyPassword /fd SHA256 MyFile.exe ``` The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file. ```console -signtool sign /f MyCert.pfx /t http://timestamp.digicert.com MyFile.exe /fd SHA256 +signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe ``` The following command signs a file by using a certificate located in the `My` store that has a subject name of `My Company Certificate`. ```console -signtool sign /n "My Company Certificate" MyFile.exe /fd SHA256 +signtool sign /n "My Company Certificate" /fd SHA256 MyFile.exe ``` The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control. ```console -Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html MyControl.exe /fd SHA256 +Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html /fd SHA256 MyControl.exe ``` The following command time-stamps a file that has already been digitally signed. ```console -signtool timestamp /t http://timestamp.digicert.com MyFile.exe /td SHA256 +signtool timestamp /t http://timestamp.digicert.com MyFile.exe +``` + +The following command time-stamps a file using an RFC 3161 timestamp server. + +```console +signtool timestamp /tr http://timestamp.digicert.com /td SHA256 MyFile.exe ``` The following command verifies that a file has been signed. 
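Review bot: splitting the timestamp example into a `/t` form and a new `/tr ... /td SHA256` form is the right fix for the `/td`-with-`/t` problem, but it leaves a question for the sign-and-timestamp example, `signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe`: the note at the top says `/td` must be specified during timestamping, and `/t` cannot take `/td`, so either that example triggers the warning or the note overstates the requirement; clarify which, or change the example to `/tr` with `/td SHA256`. The sentence introducing the new example could also say that `/td` is placed after `/tr`, since the table insists on that order and the example demonstrates it. The ActiveX line still carries `Signtool` and `/d:`; normalize while the line is being edited.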
From 878b734fe074a8653e254a8e986b9ddd940a5f09 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 12 Oct 2020 14:55:14 -0700 Subject: [PATCH 03/15] Update signtool-exe.md --- docs/framework/tools/signtool-exe.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index c54a7cccb3826..740e779a1b6d2 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -10,11 +10,10 @@ ms.assetid: 0c25ff6c-bff3-422e-b017-146a3ee86cb9 # SignTool.exe (Sign Tool) Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and time-stamps files. - This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](developer-command-prompt-for-vs.md). - + This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](developer-command-prompt-for-vs.md). + > [!Note] > The Windows 10 SDK, Windows 10 HLK, Windows 10 WDK and Windows 10 ADK **builds 20236 and above** will now require specifying the digest algorithm. The SignTool sign command requires the /fd `file digest algorithm` and the /td `timestamp digest algorithm` option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. - At the command prompt, type the following: 
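Review bot: removing the blank line between the `> [!Note]` blockquote and "At the command prompt, type the following:" makes that sentence a lazy continuation of the blockquote in CommonMark, so it renders inside the note box; keep one blank line after the note. The remaining changes in this hunk are whitespace-only rewrites of the "This tool is automatically installed" line and the blank line before it; confirm they do not introduce trailing spaces, since patches 04, 08 and 09 in this series each re-touch whitespace in the same file.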
@@ -74,7 +73,7 @@ signtool [command] [options] [file_name | ...] |`/d` *Desc*|Specifies a description of the signed content.| |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| -|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if /fd switch is not provided while signing. The default alg is SHA1 but SHA256 is recommended.| +|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if **/fd** switch is not provided while signing. The default alg is SHA1 but SHA256 is recommended.| |`/fd` *certHash*|Specifying the string certHash will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and greater.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| @@ -90,8 +89,8 @@ signtool [command] [options] [file_name | ...] |`/sha1` *Hash*|Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.| |`/sm`|Specifies that a machine store, instead of a user store, is used.| |`/t` *URL*|Specifies the URL of the time stamp server. If this option (or `/tr`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/tr` option.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if /td switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | -|`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. If this option (or `/t`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/t` option.| +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. If this option (or `/t`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/t` option.| |`/u` *Usage*|Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).| |`/uw`|Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).| @@ -105,7 +104,7 @@ signtool [command] [options] [file_name | ...] |----------------------|-----------------| |`/p7`|Time stamps PKCS #7 files.| |`/t` *URL*|Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the `/t` or the `/tr` option is required.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if /td switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The /td switch must be declared after the /tr switch, not before. If the /td switch is declared before the /tr switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tp` *index*|Time stamps the signature at *index*.| |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the `/tr` or the `/t` option is required.| @@ -158,31 +157,31 @@ signtool catdb /v /u MyCatalogFileName.cat ```console signtool sign /a /fd SHA256 MyFile.exe -``` - +``` + The following command digitally signs a file by using a certificate stored in a password-protected PFX file. ```console signtool sign /f MyCert.pfx /p MyPassword /fd SHA256 MyFile.exe -``` +``` The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file. ```console signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe -``` +``` The following command signs a file by using a certificate located in the `My` store that has a subject name of `My Company Certificate`. ```console signtool sign /n "My Company Certificate" /fd SHA256 MyFile.exe -``` +``` The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control. ```console Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html /fd SHA256 MyControl.exe -``` +``` The following command time-stamps a file that has already been digitally signed. From aee368207536f1f9d11dcf0aa79021f5604c1a66 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 12 Oct 2020 14:59:05 -0700 Subject: [PATCH 04/15] Update signtool-exe.md to address md linter issues --- docs/framework/tools/signtool-exe.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 740e779a1b6d2..cf06d5c505dcf 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -155,33 +155,33 @@ signtool catdb /v /u MyCatalogFileName.cat The following command signs a file automatically by using the best certificate. -```console +```console signtool sign /a /fd SHA256 MyFile.exe ``` The following command digitally signs a file by using a certificate stored in a password-protected PFX file. ```console -signtool sign /f MyCert.pfx /p MyPassword /fd SHA256 MyFile.exe -``` +signtool sign /f MyCert.pfx /p MyPassword /fd SHA256 MyFile.exe +``` The following command digitally signs and time-stamps a file. The certificate used to sign the file is stored in a PFX file. ```console -signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe -``` +signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe +``` The following command signs a file by using a certificate located in the `My` store that has a subject name of `My Company Certificate`. ```console -signtool sign /n "My Company Certificate" /fd SHA256 MyFile.exe -``` +signtool sign /n "My Company Certificate" /fd SHA256 MyFile.exe +``` The following command signs an ActiveX control and provides information that is displayed by Internet Explorer when the user is prompted to install the control. ```console -Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html /fd SHA256 MyControl.exe -``` +Signtool sign /f MyCert.pfx /d: "MyControl" /du http://www.example.com/MyControl/info.html /fd SHA256 MyControl.exe +``` The following command time-stamps a file that has already been digitally signed. From 0c8bd485a07bf0136b459bb00a0b9012a1a48f59 Mon Sep 17 00:00:00 2001 
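Review bot: the subject says this addresses linter issues, but every change in the hunk is a whitespace-only rewrite of a ```console fence or a `signtool sign` command line whose visible text is unchanged, and patches 08 and 09 later rewrite the same ```console and `signtool sign /a /fd SHA256 MyFile.exe` lines once more. Run the markdown linter locally, fix all fence and command lines in one pass, and squash these commits so the history records one clean whitespace change rather than three that partly undo each other.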
From: Jordan Geurten Date: Tue, 13 Oct 2020 14:59:05 -0700 Subject: [PATCH 05/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index cf06d5c505dcf..1a0b648467fd3 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -89,7 +89,7 @@ signtool [command] [options] [file_name | ...] |`/sha1` *Hash*|Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.| |`/sm`|Specifies that a machine store, instead of a user store, is used.| |`/t` *URL*|Specifies the URL of the time stamp server. If this option (or `/tr`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/tr` option.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default algorithm is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. If this option (or `/t`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/t` option.| |`/u` *Usage*|Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).| |`/uw`|Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).| From b13904c39392a6fb40fe24050f32444f02401a22 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 13 Oct 2020 14:59:18 -0700 Subject: [PATCH 06/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 1a0b648467fd3..e2e30d90607ca 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -145,7 +145,6 @@ signtool [command] [options] [file_name | ...] |1|Execution has failed.| |2|Execution has completed with warnings.| - ## Examples The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The `/u` option generates a unique name if necessary to prevent replacing an existing catalog file named `MyCatalogFileName.cat`. From 68f2931951b56e778145985f2aa8c45e6e82a1e9 Mon Sep 17 00:00:00 2001 
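Review bot: the "alg" to "algorithm" fix in the sign table's `/td` row is fine, but the same + line still carries `**/td<**` (stray `<`) and "if **/td** switch" (missing "the"); fix both in this commit so the row is clean in one change rather than leaving the typo for a later pass. Patch 06 below, which drops the duplicate blank line before `## Examples`, looks correct.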
From: Jordan Geurten Date: Tue, 13 Oct 2020 15:00:10 -0700 Subject: [PATCH 07/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index e2e30d90607ca..b0da743782bb1 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -104,7 +104,7 @@ signtool [command] [options] [file_name | ...] |----------------------|-----------------| |`/p7`|Time stamps PKCS #7 files.| |`/t` *URL*|Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the `/t` or the `/tr` option is required.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default alg is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default algorithm is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tp` *index*|Time stamps the signature at *index*.| |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the `/tr` or the `/t` option is required.| From 8bfe0a8791be4a61a1b19f72cce3c96d43a56152 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 13 Oct 2020 15:00:30 -0700 Subject: [PATCH 08/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index b0da743782bb1..4e34fa7ecbbc1 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -154,7 +154,7 @@ signtool catdb /v /u MyCatalogFileName.cat The following command signs a file automatically by using the best certificate. -```console +```console signtool sign /a /fd SHA256 MyFile.exe ``` From bc51723afbbe9bcd52ca6258b30c6ce5f3d52e75 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 13 Oct 2020 15:00:39 -0700 Subject: [PATCH 09/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 4e34fa7ecbbc1..e1475756ba54b 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md 
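Review bot: patch 07 above applies the identical one-word fix to the timestamp table's `/td` row that patch 05 applied to the sign table's row, which is direct evidence the row is duplicated verbatim; describe `/td` once and refer to it from the other table so future corrections are made in one place. The ordering sentence still says the returned timestamp "is from an SHA1 algorithm"; "is computed with SHA1" is clearer. The `**/td<**` typo survives in this + line as well. Patch 08, also above, only rewrites the ```console fence line that patch 04 already rewrote, reinforcing the case for squashing the whitespace commits.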
@@ -155,7 +155,7 @@ signtool catdb /v /u MyCatalogFileName.cat The following command signs a file automatically by using the best certificate. ```console -signtool sign /a /fd SHA256 MyFile.exe +signtool sign /a /fd SHA256 MyFile.exe ``` The following command digitally signs a file by using a certificate stored in a password-protected PFX file. From c63ccf5ea38e125ecb588479f05b58f71e915543 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 13 Oct 2020 15:00:47 -0700 Subject: [PATCH 10/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Youssef Victor <31348972+Youssef1313@users.noreply.github.com> --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index e1475756ba54b..f44ebd72f45fe 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -73,7 +73,7 @@ signtool [command] [options] [file_name | ...] |`/d` *Desc*|Specifies a description of the signed content.| |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| -|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if **/fd** switch is not provided while signing. The default alg is SHA1 but SHA256 is recommended.| +|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if **/fd** switch is not provided while signing. The default algorithm is SHA1 but SHA256 is recommended.| |`/fd` *certHash*|Specifying the string certHash will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and greater.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| From e73a0e1ccd04b97e59cceea23770b85d55b9155d Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 2 Nov 2020 10:30:59 -0800 Subject: [PATCH 11/15] Update docs/framework/tools/signtool-exe.md Co-authored-by: Tom Dykstra --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index f44ebd72f45fe..1a51d1d148403 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md 
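Review bot: The hunk at line 155 of the preceding patch removes and re-adds `signtool sign /a /fd SHA256 MyFile.exe` with no visible change, so it is another whitespace-only edit that the commit message should state; it belongs squashed together with the fence-line whitespace fix before it rather than as a separate commit.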
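Review bot: Expanding "alg" to "algorithm" in the `/fd` row is fine, but the row still lacks the *alg* placeholder that the `/td` *alg* row has, so the reader is never shown that `/fd` takes an argument (the examples section uses `/fd SHA256`); suggest `|`/fd` *alg*|Specifies the file digest algorithm ...|`. The neighbouring `/fd` *certHash* row also says "builds 20236 and greater" where the rest of the series settles on "20236 and later".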
@@ -13,7 +13,7 @@ Sign Tool is a command-line tool that digitally signs files, verifies signatures This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt for Visual Studio (or the Visual Studio Command Prompt in Windows 7). For more information, see [Command Prompts](developer-command-prompt-for-vs.md). > [!Note] -> The Windows 10 SDK, Windows 10 HLK, Windows 10 WDK and Windows 10 ADK **builds 20236 and above** will now require specifying the digest algorithm. The SignTool sign command requires the /fd `file digest algorithm` and the /td `timestamp digest algorithm` option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. +> The Windows 10 SDK, Windows 10 HLK, Windows 10 WDK and Windows 10 ADK **builds 20236 and later** require specifying the digest algorithm. The SignTool `sign` command requires the `/fd` **file digest algorithm** and the `/td` **timestamp digest algorithm** option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if `/fd` is not specified during signing and if `/td` is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry. At the command prompt, type the following: From b12273af469f82c2a319f03bd41fdecbfcaf76cd Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 2 Nov 2020 10:31:52 -0800 Subject: [PATCH 12/15] Committed tdykstra's suggestion in signtool-exe.md Co-authored-by: Tom Dykstra --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
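Review bot: "A warning (error code 0, initially) will be thrown" in the rewritten note is ambiguous about what a build script will observe; say directly that SignTool prints a warning but still exits with code 0 when `/fd` or `/td` is omitted, and that later versions turn this into an error. The note now reads "builds 20236 and later" while the `/fd` *certHash* row in the same file still says "20236 and greater"; align the wording in one commit.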
diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 1a51d1d148403..301ae348be70b 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -73,7 +73,7 @@ signtool [command] [options] [file_name | ...] |`/d` *Desc*|Specifies a description of the signed content.| |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| -|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if **/fd** switch is not provided while signing. The default algorithm is SHA1 but SHA256 is recommended.| +|`/fd`|Specifies the file digest algorithm to use for creating file signatures.
**Note:** A warning is generated if the`/fd` switch is not provided while signing. The default algorithm is SHA1 but SHA256 is recommended.| |`/fd` *certHash*|Specifying the string certHash will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and greater.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| From 6266e0b4a8d46e99134bbc41877fccc62b76fc36 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 2 Nov 2020 10:32:17 -0800 Subject: [PATCH 13/15] Committed tdykstra's suggestion in signtool.md Co-authored-by: Tom Dykstra --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 301ae348be70b..6ce583a7ffc89 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -74,7 +74,7 @@ signtool [command] [options] [file_name | ...] |`/du` *URL*|Specifies a Uniform Resource Locator (URL) for the expanded description of the signed content.| |`/f` *SignCertFile*|Specifies the signing certificate in a file. If the file is in Personal Information Exchange (PFX) format and protected by a password, use the `/p` option to specify the password. If the file does not contain private keys, use the `/csp` and `/kc` options to specify the CSP and private key container name.| |`/fd`|Specifies the file digest algorithm to use for creating file signatures.
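Review bot: The `+` line of this hunk introduces a missing space in "if the`/fd` switch"; the `-` line it replaces had "if **/fd** switch", so the intended text is "if the `/fd` switch". The typo survives into the context lines of the next patch and is never fixed in this series, so a follow-up is needed.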
**Note:** A warning is generated if the`/fd` switch is not provided while signing. The default algorithm is SHA1 but SHA256 is recommended.| -|`/fd` *certHash*|Specifying the string certHash will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and greater.| +|`/fd` *certHash*|Specifying the string *certHash* will default to the algorithm used on the signing certificate.
**Note:** Only available in Windows 10 kit builds 20236 and later.| |`/i` *IssuerName*|Specifies the name of the issuer of the signing certificate. This value can be a substring of the entire issuer name.| |`/kc` *PrivKeyContainerName*|Specifies the private key container name.| |`/n` *SubjectName*|Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.| From 44348682697ebfdb69ddaadd5a43c69fde4020ef Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 2 Nov 2020 10:32:53 -0800 Subject: [PATCH 14/15] Committed tdykstra's formatting suggestion in signtool-exe.md Co-authored-by: Tom Dykstra --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 6ce583a7ffc89..29ac7ca636ce2 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -89,7 +89,7 @@ signtool [command] [options] [file_name | ...] |`/sha1` *Hash*|Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.| |`/sm`|Specifies that a machine store, instead of a user store, is used.| |`/t` *URL*|Specifies the URL of the time stamp server. If this option (or `/tr`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/tr` option.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
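Review bot: Italicizing *certHash* and changing "greater" to "later" in the `/fd` *certHash* row is correct, but "Specifying the string *certHash* will default to the algorithm used on the signing certificate" still makes the reader infer the actual syntax; suggest "`/fd certHash` uses the digest algorithm of the signing certificate." The `/fd` context line directly above still contains "the`/fd`" without a space.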
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default algorithm is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if the `/td` switch is not provided while timestamping. The default algorithm is SHA1, but SHA256 is recommended.
The `/td` switch must be declared after the `/tr` switch, not before. If the `/td` switch is declared before the `/tr` switch, the timestamp that is returned is from the SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. If this option (or `/t`) is not present, the signed file will not be time stamped. A warning is generated if time stamping fails. This option cannot be used with the `/t` option.| |`/u` *Usage*|Specifies the enhanced key usage (EKU) that must be present in the signing certificate. The usage value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).| |`/uw`|Specifies usage of "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6).| From 6252632ee7fe1a24ffbc394c8644571d4ef52706 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 2 Nov 2020 10:33:17 -0800 Subject: [PATCH 15/15] Committed tdykstra's formatting suggestion in signtool-exe.md Co-authored-by: Tom Dykstra --- docs/framework/tools/signtool-exe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/tools/signtool-exe.md b/docs/framework/tools/signtool-exe.md index 29ac7ca636ce2..36cc61d25abd7 100644 --- a/docs/framework/tools/signtool-exe.md +++ b/docs/framework/tools/signtool-exe.md @@ -104,7 +104,7 @@ signtool [command] [options] [file_name | ...] |----------------------|-----------------| |`/p7`|Time stamps PKCS #7 files.| |`/t` *URL*|Specifies the URL of the time stamp server. The file being time stamped must have previously been signed. Either the `/t` or the `/tr` option is required.| -|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
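Review bot: Replacing `**/td<**` with `` `/td` `` and "an SHA1" with "the SHA1" in the sign-options row is correct. The ordering rule this row states ("the `/td` switch must be declared after the `/tr` switch") is exactly what readers copy from an example, yet the examples section only shows `signtool sign /a /fd SHA256 MyFile.exe`; consider adding a sign-plus-timestamp example with `/tr` *URL* placed before `/td SHA256`. Note that the same paragraph is duplicated in the timestamp-options table (next hunk); the two copies must be kept in sync.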
**Note:** A warning is generated if **/td** switch is not provided while timestamping. The default algorithm is SHA1 but SHA256 is recommended.
The **/td** switch must be declared after the **/tr** switch, not before. If the **/td<** switch is declared before the **/tr** switch, the timestamp that is returned is from an SHA1 algorithm instead of the intended SHA256 algorithm. | +|`/td` *alg*|Used with the `/tr` option to request a digest algorithm used by the RFC 3161 time stamp server.
**Note:** A warning is generated if the `/td` switch is not provided while timestamping. The default algorithm is SHA1, but SHA256 is recommended.
The `/td` switch must be declared after the `/tr` switch, not before. If the `/td` switch is declared before the `/tr` switch, the timestamp that is returned is from the SHA1 algorithm instead of the intended SHA256 algorithm. | |`/tp` *index*|Time stamps the signature at *index*.| |`/tr` *URL*|Specifies the URL of the RFC 3161 time stamp server. The file being time stamped must have previously been signed. Either the `/tr` or the `/t` option is required.|
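Review bot: This hunk (timestamp command table, line 104) is the second copy of the `/td` row fix and matches the sign-table version word for word, which is right. Both copies warn that a wrong switch order yields a SHA1 timestamp "instead of the intended SHA256 algorithm" without telling the reader how to detect it; since the introduction says Sign Tool also verifies signatures, one sentence pointing to that verification step after time stamping would turn the warning into something actionable.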