
Client-Side Hashing

When signing large executables, software releases, virtual machines or container images, the overhead of transferring the data to and from the server can be significant. In those cases it is preferable not to have to send the original file data to the server and back when signing.

With CMS detached signatures, only the much smaller signature file is sent back, which already eliminates half of the data transfer. It would be better still not to send the original file at all. For some signature formats (such as CMS detached signatures) this can be achieved by letting the client perform the hashing: only the much smaller hash is sent to the server, and the signature is created over it.

For signature formats where the signature is embedded within the file, this scheme requires additional logic on the client side: first to prepare the file for signing, then to hash it, and finally to embed the resulting signature within the file's data structure. In the SignServer Client CLI (SignClient) we have implemented support for this for Authenticode and JAR signing.


CMS Client-Side Hashing Example

cat software-release-1.0.zip | openssl sha256 -binary -out software-release-1.0.zip.hash
bin/signclient signdocument -workername CMSSigner \
  -metadata USING_CLIENTSUPPLIED_HASH=true \
  -metadata CLIENTSIDE_HASHDIGESTALGORITHM=SHA-256 \
  -infile software-release-1.0.zip.hash \
  -outfile software-release-1.0.zip.p7s
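The client-side step above hands the signer nothing but a digest, so the signer signs whatever bytes it receives. The following is an added example (not SignServer's or SignClient's own code) that performs the hashing step in Python and checks the hash file before it is passed to signclient; the sample release file is constructed in a temporary directory, and the SignServer worker names and metadata keys are only referenced in comments.

```python
import hashlib
import hmac
import os
import tempfile

# Values of CLIENTSIDE_HASHDIGESTALGORITHM mapped to hashlib names.
DIGEST_ALGORITHMS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def file_digest(path, algorithm="SHA-256", chunk_size=1 << 20):
    """Hash a (possibly large) file in chunks and return the raw digest bytes."""
    h = hashlib.new(DIGEST_ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()


def write_client_hash(path, algorithm="SHA-256"):
    """Write the raw digest to <path>.hash, the file given to signclient -infile.

    The digest must be binary (as with `openssl sha256 -binary`): a hex dump
    would be signed as-is and the resulting CMS signature would never verify
    against the original file.
    """
    hash_path = path + ".hash"
    with open(hash_path, "wb") as out:
        out.write(file_digest(path, algorithm))
    return hash_path


def check_client_hash(path, hash_path, algorithm="SHA-256"):
    """Return (ok, reason) after validating a hash file against the original file."""
    expected_len = hashlib.new(DIGEST_ALGORITHMS[algorithm]).digest_size
    with open(hash_path, "rb") as f:
        supplied = f.read()
    if len(supplied) != expected_len:
        return False, "hash file is %d bytes, %s digest must be %d" % (len(supplied), algorithm, expected_len)
    if not hmac.compare_digest(file_digest(path, algorithm), supplied):
        return False, "digest does not match file contents"
    return True, "ok"


def demo():
    """Run the flow on a constructed sample release; returns (good, bad) results."""
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "software-release-1.0.zip")  # constructed, not a real release
        payload = b"constructed sample payload\n" * 1000
        with open(release, "wb") as f:
            f.write(payload)
        hash_path = write_client_hash(release)          # what CMSSigner would receive
        good = check_client_hash(release, hash_path)
        with open(hash_path, "wb") as f:                 # the hex-text mistake (no -binary)
            f.write(hashlib.sha256(payload).hexdigest().encode())
        bad = check_client_hash(release, hash_path)
        return good, bad
```

Run check_client_hash on the hash file immediately before the signclient call, and keep the original file to verify the returned detached signature against it.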


Authenticode® Client-Side Hashing Example

signclient signdocument -clientside -workername MSAuthCodeCMSSigner \
  -digestalgorithm SHA-256 \
  -infile application-unsigned.exe \
  -outfile application-signed.exe


See the Client-Side Hashing section for more information, including which signers to set up instead of the normal MSAuthCode and JArchiveSigner, and how to run SignClient with the "-clientside" flag in order to use this mode.

