The CreateSIS tool is a wrapper around the MakeSIS, SignSIS and MakeKeys tools.
This tool supports the creation and signing of SIS files, and generation of keys and certificate pairs for signing. It also displays signatures and certificate chain details of a SIS file.
createsis [OPTIONS] <ARGS>
The following table lists the options supported by the CreateSIS tool.
Options | Description | Usage |
---|---|---|
create | Creates and signs the SIS file with a trusted key. | createsis create [-cert <cert>] [-key <key>] [-pass <passphrase>] <pkgfile> |
sign | Signs a pre-existing SIS file with a trusted key. Note: The output SIS file created is different from the input SIS file, therefore the original data is not destroyed. | createsis sign -cert <cert> -key <key> [-pass <passphrase>] <sis_input> <sis_output> |
dump | Displays all valid signatures and certificates associated with the SIS file. | createsis dump <sisfile> |
strip | Removes the most recent signatures from the SIS file. | createsis strip <sisfile> |
The following table lists the arguments to be specified with the CreateSIS tool.
Arguments | Description |
---|---|
-cert | Specifies the certificate file used for signing. |
-key | Specifies the private key file of the certificate. |
-pass | Specifies the passphrase of the private key file. |
sis_input | Specifies the SIS file to be signed, unsigned or investigated. |
sis_output | Specifies the name of the output SIS file. |
pkgfile | Specifies the PKG file for which a SIS file is generated. |
sisfile | Specifies the name of the output SIS file to be generated. Note: If not specified, it is derived from the name of the PKG file, but with a SIS file extension. |
The following examples illustrate the usage of the CreateSIS tool:
To create and sign a SIS file using a trusted key
You can specify the trusted End Entity (EE) certificate and matching key using the -cert and -key parameters while creating the SIS file. Optionally, you can specify a passphrase to decrypt the private key using the -pass parameter.
The trusted EE Certificate is one that chains back to a trusted root in the target device SWI certstore.
createsis create -cert trustedchain.pem -key eecertkey.key mypackage.pkg
To sign a pre-existing SIS file with a trusted key
You can sign and re-sign a pre-existing SIS file using the sign method. To sign a package, a key and certificate chain must be provided on the command line. The output SIS file is different from the input SIS file, so the original data is not destroyed.
createsis sign -cert trustedchain.pem -key eecertkey.key mysis.sis mysis-signed.sis
To sign a pre-existing SIS file with a self-signed certificate
When using the sign method, if a key-certificate pair is not provided, CreateSIS signs the specified SIS file with an automatically generated self-signed certificate.
createsis sign mysis.sis mysis-signed.sis
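Because of the self-signed fallback described above, a missing -cert or -key does not stop a build; it yields a package whose signature does not chain to a trusted root. The following added example (not part of the CreateSIS documentation) is a shell wrapper that refuses to call createsis sign without an explicit key-certificate pair. The function names and the SIS_KEY_PASS environment variable are assumptions; only options listed on this page are passed to createsis.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around "createsis sign".
# check_sign_args, sign_sis_strict and SIS_KEY_PASS are hypothetical names.

# check_sign_args CERT KEY SIS_INPUT SIS_OUTPUT
# Returns 0 only when signing with an explicit key-certificate pair is possible.
check_sign_args() {
    cert=$1 key=$2 sis_in=$3 sis_out=$4
    # Without both files createsis would generate a self-signed certificate.
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "refusing: no -cert/-key given, createsis would self-sign" >&2
        return 2
    fi
    # Certificate, key and input package must all be readable.
    for f in "$cert" "$key" "$sis_in"; do
        [ -r "$f" ] || { echo "refusing: cannot read $f" >&2; return 3; }
    done
    [ -s "$cert" ] && [ -s "$key" ] || { echo "refusing: empty cert or key" >&2; return 3; }
    # The signed package is written to a new file; never clobber an existing one.
    if [ -z "$sis_out" ] || [ "$sis_in" = "$sis_out" ]; then
        echo "refusing: output must be a new file" >&2
        return 4
    fi
    [ ! -e "$sis_out" ] || { echo "refusing: $sis_out already exists" >&2; return 4; }
    return 0
}

# sign_sis_strict CERT KEY SIS_INPUT SIS_OUTPUT
# Validates the arguments, then runs createsis with the options from this page.
sign_sis_strict() {
    check_sign_args "$@" || return $?
    if [ -n "${SIS_KEY_PASS:-}" ]; then
        # Passphrase taken from the environment (assumed variable name).
        createsis sign -cert "$1" -key "$2" -pass "$SIS_KEY_PASS" "$3" "$4"
    else
        createsis sign -cert "$1" -key "$2" "$3" "$4"
    fi
}
```

A passphrase given with -pass appears in the argument list of the createsis process while it runs, so use the wrapper on a build host where other users cannot list processes.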