CLI Reference
Complete reference for the @qwickcert/cli command-line tool. Sign Windows binaries from your terminal or CI pipeline without managing Azure credentials, certificates, or SignTool configuration.
What you can do with the CLI
- Sign PE binaries (.exe, .dll, .sys) with a single command
- Verify existing Authenticode signatures
- Batch sign entire build directories with glob patterns
- Integrate code signing into CI/CD pipelines via API keys
- Manage organizations, projects, and team access
Installation
Requirements
- Windows (x64 or ARM64) for signing and verification
- Windows SDK (optional, for qwick verify and the --verify flag)
Option 1: MSI Installer (recommended)
Download the installer from the latest GitHub release. The MSI installs qwick.exe to Program Files, adds it to your system PATH, and shows in Add/Remove Programs. No Node.js required.
# After installing the MSI:
qwick --version
Option 2: Standalone exe (portable)
Download qwick.exe directly from GitHub Releases and place it anywhere on your PATH. Single file, no installation needed, no Node.js required.
Option 3: npm (for Node.js developers)
npm install -g @qwickcert/cli
Requires Node.js 18+. Also available as npx @qwickcert/cli sign ./MyApp.exe.
Verify installation
qwick --version
Verify download integrity (SHA256)
Each release includes .sha256 checksum files. Verify your download in PowerShell:
# Compare the hash of your downloaded file:
(Get-FileHash qwick-installer.msi -Algorithm SHA256).Hash
# ...against the contents of qwick-installer.msi.sha256
Update to latest
qwick update
Works for all installation methods. MSI/standalone users get an automatic download from GitHub Releases; npm users are shown the update command. The CLI also checks for updates automatically on every run. Required updates block execution with a clear message; recommended and optional updates show a non-blocking notice.
Authentication
The CLI supports two authentication methods: browser-based OAuth for interactive use and API keys for CI/CD pipelines.
Browser login (interactive)
qwick auth login
Opens your browser to authenticate with Qwick Cert via OAuth. On success, a refresh token and access token are stored locally. You only need to do this once per machine.
Log out
qwick auth logout
Revokes your session server-side and clears all local tokens.
Check current session
qwick auth whoami
Displays the currently authenticated user, organization, and role. Automatically refreshes the access token if it is near expiry.
Token storage
Tokens are stored in ~/.qwick/config.json with restricted file permissions (600 on Unix, ACL-locked on Windows). The file contains:
- Access token (JWT, short-lived)
- Refresh token (used to obtain new access tokens transparently)
- Organization context (slug, ID, name, role)
No Azure credentials on disk
Unlike direct Azure signing workflows, no Azure client secrets, certificates, or service principal credentials are ever stored on your machine. The server handles all Azure authentication.
Token lifetime and refresh
Access tokens are short-lived JWTs. The CLI automatically refreshes them before they expire using the stored refresh token — no manual re-login needed. If the refresh token itself has expired, you will be prompted to log in again.
Automatic login prompts
If you run a command that requires authentication (like qwick sign or qwick org list) without being logged in, the CLI will offer to open the browser for authentication right away. After logging in, your original command continues automatically — no need to re-run it.
The same applies when your session expires: the CLI will attempt a silent token refresh, and if that fails, prompt you to log in again before proceeding.
Connectivity checks
Before any server operation, the CLI verifies that the Qwick Cert API is reachable. If the connection fails, it displays a diagnostic with specific guidance based on the error type (DNS failure, timeout, TLS issue, connection refused) and shows relevant proxy settings if detected. Run qwick doctor for a comprehensive system diagnostic.
API key auth (CI/CD)
For non-interactive environments, set the QWICK_API_KEY environment variable. The CLI detects it automatically and skips browser authentication. API keys have mandatory expiration (6 months by default, up to 24 months maximum) matching Microsoft's Azure credential policy. Rotate keys before they expire by creating a new one and updating your CI secrets.
The organization is resolved automatically from your API key — no need to set QWICK_ORG unless you need to override the default.
export QWICK_API_KEY=qwick_ak_xxxxxxxxxxxx
qwick sign ./dist/MyApp.exe
Organization switching
qwick org list            # list your memberships
qwick org switch <slug>   # switch active organization
Signing
The core command. Signs one or more Windows PE files using Azure Trusted Signing. Your binary never leaves your machine — only a 32-byte hash is sent to the server.
qwick sign [files...] [options]
How it works
Signing flow
- The CLI parses the PE file locally and computes its Authenticode SHA-256 digest (32 bytes)
- Only the hash is sent to the Qwick Cert server via POST /api/v1/sign-digest
- The server authenticates with Azure Trusted Signing and signs the digest
- The server returns a PKCS#7/CMS signature blob with an RFC 3161 timestamp
- The CLI embeds the PKCS#7 signature into the PE file's certificate table
Your binary content never leaves your machine. Azure credentials never leave the server.
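The local digest step in the flow above, as an added example (not Qwick Cert's own code): a simplified Authenticode SHA-256 computation in Node.js, showing why the digest is the same before and after a signature is embedded. The function names and the constructed sample buffer are assumptions; the sketch hashes the file linearly and assumes the certificate table sits at the end of the file.

```javascript
const crypto = require('crypto');
// Simplified Authenticode SHA-256 digest of a PE image held in a Buffer. Skips the
// regions that embedding a signature rewrites: CheckSum, the Certificate Table
// directory entry, and the table itself (assumed to sit at the end of the file).
function authenticodeDigest(pe) {
  if (pe.length < 0x40 || pe.toString('latin1', 0, 2) !== 'MZ') throw new Error('missing MZ header');
  const opt = pe.readUInt32LE(0x3c) + 24; // e_lfanew + PE signature (4) + COFF header (20)
  if (opt + 2 > pe.length || pe.toString('latin1', opt - 24, opt - 20) !== 'PE\0\0') throw new Error('missing PE signature');
  const magic = pe.readUInt16LE(opt);
  if (magic !== 0x10b && magic !== 0x20b) throw new Error('unknown optional header magic');
  const checksum = opt + 64;
  const certEntry = opt + (magic === 0x10b ? 96 : 112) + 4 * 8; // data directory index 4
  if (certEntry + 8 > pe.length) throw new Error('truncated optional header');
  const certOff = pe.readUInt32LE(certEntry);   // a file offset, not an RVA
  const certSize = pe.readUInt32LE(certEntry + 4);
  let end = pe.length;
  if (certSize !== 0) {
    if (certOff < certEntry + 8 || certOff + certSize !== pe.length) throw new Error('certificate table not at end of file');
    end = certOff;
  }
  const h = crypto.createHash('sha256');
  h.update(pe.subarray(0, checksum));
  h.update(pe.subarray(checksum + 4, certEntry));
  h.update(pe.subarray(certEntry + 8, end));
  if (end % 8 !== 0) h.update(Buffer.alloc(8 - (end % 8))); // signers zero-pad the image to 8 bytes
  return h.digest();
}

// Constructed sample: a minimal PE32+ header skeleton plus filler, not a real binary.
function makeSamplePe() {
  const pe = Buffer.alloc(0x200);
  pe.fill(0x90, 0x180);
  pe.write('MZ', 0, 'latin1');
  pe.writeUInt32LE(0x80, 0x3c);
  pe.write('PE\0\0', 0x80, 'latin1');
  pe.writeUInt16LE(0x20b, 0x80 + 24);
  return pe;
}

// Mimics embedding: append a table, point directory entry 4 at it, change CheckSum.
function embedFakeSignature(pe, blob) {
  const out = Buffer.concat([pe, blob]);
  const opt = out.readUInt32LE(0x3c) + 24;
  out.writeUInt32LE(0xdeadbeef, opt + 64);
  out.writeUInt32LE(pe.length, opt + 144);
  out.writeUInt32LE(blob.length, opt + 148);
  return out;
}
```

Calling authenticodeDigest on makeSamplePe() and on the output of embedFakeSignature gives the same 32 bytes, while changing any byte outside the skipped regions changes the digest.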
Flags
| Flag | Description | Default |
|---|---|---|
| [files...] | File paths or glob patterns to sign | .qwickrc.json files |
| --project, -p | Project slug to sign under | .qwickrc.json / $QWICK_PROJECT |
| --org | Organization slug override | .qwickrc.json / $QWICK_ORG |
| --verify | Verify signatures after signing (requires SignTool) | false |
| --force | Re-sign files that already have a signature | false |
| --output <fmt> | Output format: text or json | text |
| --dry-run | Validate auth and permissions without signing | false |
| --whql | WHQL/attestation signing (not supported — shows error) | --- |
Examples
Sign a single file
qwick sign ./dist/MyApp.exe --project my-app
Sign multiple files
qwick sign app.exe helper.dll updater.exe
Sign with glob patterns
qwick sign "dist/**/*.exe" "dist/**/*.dll"
Sign and verify
qwick sign "dist/**/*.exe" --verify
Dry run (validate without signing)
qwick sign ./MyApp.exe --dry-run
Checks authentication, organization access, project permissions, and lists what would be signed without making any changes.
JSON output for CI
qwick sign "dist/**/*.exe" --output json
Emits a structured JSON envelope with per-file results, timing, signed/failed counts, and verification status. The process exit code remains the canonical success/failure signal.
Authenticode + Timestamping
Every signature includes an RFC 3161 timestamp from timestamp.acs.microsoft.com. This is mandatory — without it, signatures expire when the short-lived signing certificate does (72 hours). The CLI handles this automatically; you never need to configure a timestamp server.
Verification
Verify the Authenticode signature on any signed file and display the full certificate chain, timestamp, and algorithm details.
qwick verify <file>
Under the hood, this runs signtool verify /pa /v and parses the verbose output into a structured, readable format showing the signer chain, timestamp chain, algorithm, and file hash.
Example output
$ qwick verify MyApp.exe
✓ Valid signature — MyApp.exe
────────────────────────────────────────────────────────────
Algorithm: SHA256
File hash: a1b2c3d4e5...
Signing Certificate Chain
────────────────────────────────────
Signer (leaf)
Subject: CN=My Company
Issuer: CN=Microsoft ID Verified CS...
Expires: Mar 7, 2026
Root CA
Subject: CN=Microsoft Identity Verification Root CA
...
Timestamp
────────────────────────────────────
Signed at: 3/4/2026 2:15:30 PM
Type: RFC3161
JSON output
qwick verify MyApp.exe --json
Returns a structured JSON object with status ("valid", "invalid", or "not_signed"), algorithm, file hash, timestamp, signer chain, and timestamp chain. Exit code is 0 for valid signatures, 1 otherwise.
Windows SDK required
The verify command requires SignTool.exe from the Windows SDK (10.0.22621+). If SignTool is not found, run qwick doctor for installation guidance.
Doctor
Run system diagnostics to verify all prerequisites for Authenticode signing.
qwick doctor
What it checks
| Check | Details |
|---|---|
| Distribution | Standalone exe (MSI) or npm package |
| Node.js version | Requires 18+ (bundled in standalone) |
| SignTool.exe | Windows SDK 10.0.22621+ (x64) |
| Qwick Cert API | Backend connectivity (GET /api/v1/health) |
| Azure Trusted Signing | Endpoint reachability (eus.codesigning.azure.net) |
| Proxy settings | HTTP_PROXY, HTTPS_PROXY, NODE_EXTRA_CA_CERTS |
| CPU architecture | ARM64 detection with performance notes |
Run qwick doctor after initial setup, after upgrading your Windows SDK, or when troubleshooting signing failures. Exits with code 1 if any critical check fails.
Project Configuration (.qwickrc.json)
Store signing settings in a .qwickrc.json file at your project root so your team can run qwick sign with no arguments. The CLI discovers it automatically by walking up from the current directory.
Create a config file
qwick config init
View effective configuration
qwick config show
Displays every resolved config value with its source (CLI flag, env var, .qwickrc.json, or default).
Set a value
qwick config set parallel 4
Schema
| Field | Type | Default | Description |
|---|---|---|---|
| project | string | --- | Project slug |
| organization | string | --- | Organization slug |
| files | string[] | [] | Glob patterns for files to sign |
| excludePatterns | string[] | [] | Glob patterns to exclude |
| timestampUrl | string | timestamp.acs.microsoft.com | RFC 3161 timestamp server |
| digestAlgorithm | string | sha256 | sha256, sha384, or sha512 |
| parallel | number | 1 | Concurrent SignTool workers (1-16) |
| verify | boolean | false | Auto-verify after signing |
| outputFormat | string | text | Output format: text or json |
Example
{
  "project": "my-app",
  "organization": "acme-corp",
  "files": ["dist/**/*.exe", "dist/**/*.dll"],
  "excludePatterns": ["*test*"],
  "parallel": 4,
  "verify": true
}
Precedence order
When the same setting is defined in multiple places, the CLI resolves it using the following priority (highest first):
- CLI flag: --project my-app
- Environment variable: QWICK_PROJECT
- .qwickrc.json: "project": "my-app"
CI/CD Usage
For CI pipelines, create an API key in the dashboard (or via qwick apikey create) and set it as a secret environment variable. The CLI detects the key automatically and skips browser authentication.
GitHub Actions
- name: Install Qwick Cert CLI
  run: npm install -g @qwickcert/cli
- name: Sign build output
  run: |
    qwick sign "dist/**/*.{exe,dll}" \
      --project my-app \
      --verify \
      --output json > signing-results.json
  env:
    QWICK_API_KEY: ${{ secrets.QWICK_API_KEY }}
Generic CI (env vars)
export QWICK_API_KEY=qwick_ak_xxxxxxxxxxxx
export QWICK_PROJECT=my-app
qwick sign "dist/**/*.exe" --verify --output json
API key management
qwick apikey create        # create a new API key
qwick apikey list          # list all active keys
qwick apikey revoke <id>   # revoke a key
API keys can also be created and revoked from the dashboard under Settings. Keys are scoped to an organization and have mandatory expiration (6 months default, 12 or 24 months options). Create a new key before the old one expires and rotate your CI secrets.
Store keys as secrets
Never commit API keys to source control. Use your CI provider's secret management (GitHub Secrets, Azure Key Vault, etc.) to inject QWICK_API_KEY at runtime.
Batch Signing
Sign multiple files in one command using glob patterns. All files share a single authenticated session. For the full batch signing guide, see the Batch Signing Guide.
Glob patterns
qwick sign "dist/**/*.exe" # recursive
qwick sign "dist/**/*.{exe,dll}" # brace expansion
qwick sign "build/*.exe" "lib/**/*.dll" # multiple patterns
Auto-verify
qwick sign "dist/**/*.exe" --verify
Runs signtool verify /pa on every file after signing. Exits with non-zero code if any verification fails.
JSON output for CI
qwick sign "dist/**/*.exe" --output json
Emits a structured JSON envelope with per-file results, timing, and the operation ID. The exit code remains the canonical success/failure signal.
Quote your glob patterns
Always wrap glob patterns in quotes ("dist/**/*.exe") to prevent your shell from expanding them before the CLI sees them.
Supported file types
Qwick Cert currently supports PE (Portable Executable) file formats:
Non-PE Authenticode formats (.msi, .msix, .appx, .cab, .cat, .ps1) are recognized but not yet supported. Support for these formats is planned for a future release. The CLI will display a clear error message if you attempt to sign an unsupported file type.
Additional Commands
| Command | Description |
|---|---|
| qwick init | Onboard as a new team member to an existing organization (auth + org selection + tool check) |
| qwick org list | List your organization memberships |
| qwick org switch <slug> | Switch active organization context |
| qwick setup status | Check Azure provisioning and identity validation status |
| qwick setup provision | Interactive wizard to provision a new Azure Trusted Signing account |
| qwick setup import | Import an existing Azure Trusted Signing account into Qwick Cert |
| qwick apikey create | Create a new API key for CI/CD automation |
| qwick apikey list | List API keys for your organization |
| qwick apikey revoke <id> | Revoke an API key immediately |
| qwick doctor | Run system diagnostics (Node.js, SignTool, API connectivity, proxy) |
| qwick update | Check for CLI updates and show install command |
| qwick config show | Display effective configuration with source for each value |
| qwick config init | Create a .qwickrc.json in the current directory |
Error Codes
All errors from the Qwick Cert API follow the QWICK_* error code convention. The CLI displays these codes alongside human-readable messages.
| Range | Category |
|---|---|
| QWICK_AUTH_300-399 | Authentication and authorization errors |
| QWICK_API_600-699 | API request/response errors |
| QWICK_BILLING_700-799 | Billing and plan enforcement errors |
See the API Reference for the full error code registry and resolution steps.