signercli -login
Authentication and Login Command Reference
1. Overview
The signercli -login command is used to authenticate and log in to a remote Signer Server.
After successful authentication:
- An access token is issued by the server
- The token is stored locally
- Subsequent signing and management commands automatically reuse the token
The command supports both SSH key–based authentication and password-based authentication.
2. Command Usage
signercli -login <server_url> [username] [options]
signercli -login -profile <profile_name>
3. Description
signercli -login authenticates a user against a remote signing server.
Supported authentication mechanisms:
- SSH private key authentication (default)
- Username and password authentication
Once authenticated, the issued token is cached locally and used for:
- File signing
- Certificate management
- Key management
- Verification operations
4. Authentication Methods
4.1 SSH Key Authentication (Default)
SSH key authentication is the default and recommended method.
Behavior:
- Automatically searches for:
  - ~/.ssh/id_ed25519
  - ~/.ssh/id_rsa
- Uses the public key registered on the Signer Server
- No password transmission required
Typical use cases:
- Developer workstations
- CI/CD systems with SSH credentials
- High-security environments
4.2 Password Authentication
Password authentication is available as an alternative method.
Usage:
-user <id> -pw <password>
Behavior:
- If only a username is provided, an interactive prompt may be shown
- Password is used only for authentication
- Token-based access is still used after login
Typical use cases:
- Initial user setup
- Environments without SSH key infrastructure
5. Options
| Option | Description |
|---|---|
| -profile <name> | Use a predefined configuration profile (default: default) |
| -key <path> | Path to SSH private key |
| -user <id> | User ID for password authentication |
| -pw <password> | Password |
| -expires <time> | Token expiration duration |
| -cert-id <id> | Certificate ID to associate with the session |
| -cert-serial <serial> | Certificate serial number to associate |
| -include-chain | Include certificate chain in the session |
6. Token Expiration (-expires)
The -expires option controls how long the issued token remains valid.
Supported Time Units
| Unit | Meaning |
|---|---|
| s | Seconds |
| m | Minutes |
| h | Hours |
| d | Days |
| w | Weeks |
Examples
30m → 30 minutes
24h → 24 hours
7d → 7 days
1w → 1 week
7. Certificate Association Options
The following options allow a login session to be associated with a specific certificate:
-cert-id <id>
-cert-serial <serial>
-include-chain
These options are commonly used when:
- Pre-selecting a certificate for signing
- Ensuring the certificate chain is available during operations
- Working in controlled signing environments
8. Examples
Login using SSH key (most common)
signercli -login https://signer.example.com:7443 myusername
Login with a specific SSH key
signercli -login https://signer.example.com:7443 -key ~/.ssh/id_ed25519
Password-based login
signercli -login https://signer.example.com:7443 -user admin -pw mypassword
Set token expiration to 7 days
signercli -login https://signer.example.com:7443 admin -expires 7d
Login using a configuration profile
signercli -login -profile production
Login with certificate chain included
signercli -login https://signer.example.com:7443 admin -include-chain
9. Security Notes
- Tokens are stored locally and reused automatically
- SSH keys are never transmitted to the server
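- Passwords are used only during authentication and are not stored; a password supplied with -pw on the command line can still be captured in shell history and process listings, so prefer the interactive prompt where available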
- Token expiration should be configured appropriately for CI/CD environments
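A check for CI scripts that applies the notes above, as an added example that is not part of signercli or its documentation: it flags login lines that pass -pw inline, omit -expires, or request a token lifetime above a ceiling. It assumes -expires takes a single integer followed by one unit, as in the examples in section 6; the 24-hour ceiling and the function names are illustrative choices.

```python
import re
import shlex

# Units from the "Supported Time Units" table, in seconds.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_CI_TOKEN_SECONDS = 24 * 3600  # assumed policy ceiling, not a signercli default


def parse_expires(value):
    """Convert an -expires value such as '30m' or '1w' to seconds."""
    # Assumption: <integer><unit>, as in the page's examples; reject the rest.
    m = re.fullmatch(r"([1-9][0-9]*)([smhdw])", value)
    if not m:
        raise ValueError(f"unsupported -expires value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def lint_login(command, max_seconds=MAX_CI_TOKEN_SECONDS):
    """Return findings for one 'signercli -login ...' line from a CI script."""
    argv = shlex.split(command)
    if argv[:2] != ["signercli", "-login"]:
        return []  # not a login invocation
    findings = []
    if "-pw" in argv:
        findings.append("password passed on the command line (-pw)")
    if "-expires" not in argv:
        findings.append("no explicit -expires")
        return findings
    idx = argv.index("-expires")
    value = argv[idx + 1] if idx + 1 < len(argv) else ""
    try:
        if parse_expires(value) > max_seconds:
            findings.append(f"-expires {value} exceeds policy maximum")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample lines, modelled on the page's own examples.
SAMPLE_PIPELINE = [
    "signercli -login https://signer.example.com:7443 admin -expires 7d",
    "signercli -login https://signer.example.com:7443 -user admin -pw mypassword",
    "signercli -login https://signer.example.com:7443 -key ~/.ssh/id_ed25519 -expires 30m",
]

if __name__ == "__main__":
    for line in SAMPLE_PIPELINE:
        print(lint_login(line) or "ok", "<-", line)
```

The page does not say what lifetime the server applies when -expires is omitted, so the check reports the omission instead of assuming a default.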
10. Related Commands
| Command | Description |
|---|---|
| signercli -logout | Logout and revoke token |
| signercli -config set | Configure profiles |
| signercli -codesign-list | List available certificates |
11. Summary
The signercli -login command provides a secure and flexible authentication mechanism, supporting:
- SSH key–based login (recommended)
- Password-based login
- Token expiration control
- Certificate-aware sessions
It is the first step in any authenticated workflow using the Signer CLI.