security/nss/cmd/signtool/README@6474c204b198 (annotated)
security/nss/cmd/signtool/README
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | Signing Tool (signtool) |
| michael@0 | 2 | 3.10 Release Notes |
| michael@0 | 3 | ======================================== |
| michael@0 | 4 | |
| michael@0 | 5 | Documentation is provided online at mozilla.org |
| michael@0 | 6 | |
| michael@0 | 7 | Problems or questions not covered by the online documentation can be |
| michael@0 | 8 | discussed in the DevEdge Security Newsgroup. |
| michael@0 | 9 | |
| michael@0 | 10 | === New Features in 3.10 |
| michael@0 | 11 | ======================= |
| michael@0 | 12 | One new option (-X) has been added to create a Mozilla aware signed XPI archive. |
| michael@0 | 13 | The option must be accompanied by the -Z option. This new option |
| michael@0 | 14 | creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in |
| michael@0 | 15 | the archive instead of the default third to last. This will enable the archive |
| michael@0 | 16 | to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions |
| michael@0 | 17 | for FireFox or Mozilla. |
| michael@0 | 18 | |
| michael@0 | 19 | === New Features in 1.3 |
| michael@0 | 20 | ======================= |
| michael@0 | 21 | |
| michael@0 | 22 | The security library components have been upgraded to utilize NSS_2_7_1_RTM. |
| michael@0 | 23 | This means that the maximum RSA keysize now supported should be 4096 bits. |
| michael@0 | 24 | |
| michael@0 | 25 | === Zigbert 0.6 Support |
| michael@0 | 26 | ======================= |
| michael@0 | 27 | This program was previously named Zigbert. The last version of zigbert |
| michael@0 | 28 | was Zigbert 0.6. Because all the functionality of Zigbert is maintained in |
| michael@0 | 29 | signtool 1.2, Zigbert is no longer supported. If you have problems |
| michael@0 | 30 | using Zigbert, please upgrade to signtool 1.2. |
| michael@0 | 31 | |
| michael@0 | 32 | === New Features in 1.2 |
| michael@0 | 33 | ======================= |
| michael@0 | 34 | |
| michael@0 | 35 | Certificate Generation Improvements |
| michael@0 | 36 | ----------------------------------- |
| michael@0 | 37 | Two new options have been added to control generation of self-signed object |
| michael@0 | 38 | signing certificates with the -G option. The -s option takes the size (in bits) |
| michael@0 | 39 | of the generated RSA private key. The -t option takes the name of the PKCS #11 |
| michael@0 | 40 | token on which to generate the keypair and install the certificate. Both |
| michael@0 | 41 | options are optional. By default, the private key is 1024 bits and is generated |
| michael@0 | 42 | on the internal software token. |
| michael@0 | 43 | |
| michael@0 | 44 | |
| michael@0 | 45 | === New Features in 1.1 |
| michael@0 | 46 | ======================= |
| michael@0 | 47 | |
| michael@0 | 48 | File I/O |
| michael@0 | 49 | -------- |
| michael@0 | 50 | Signtool can now read its options from a command file specified with the -f |
| michael@0 | 51 | option on the command line. The format for the file is described in the |
| michael@0 | 52 | documentation. |
| michael@0 | 53 | Error messages and informational output can be redirected to an output file |
| michael@0 | 54 | by supplying the "--outfile" option on the command line or the "outfile=" |
| michael@0 | 55 | option in the command file. |
| michael@0 | 56 | |
| michael@0 | 57 | New Options |
| michael@0 | 58 | ----------- |
| michael@0 | 59 | "--norecurse" tells Signtool not to recurse into subdirectories when signing |
| michael@0 | 60 | directories or parsing HTML with the -J option. |
| michael@0 | 61 | "--leavearc" tells Signtool not to delete the temporary .arc directories |
| michael@0 | 62 | produced by the -J option. This can aid debugging. |
| michael@0 | 63 | "--verbosity" tells Signtool how much information to display. 0 is the |
| michael@0 | 64 | default. -1 suppresses most messages, except for errors. |
| michael@0 | 65 | |
| michael@0 | 66 | === Bug Fixes in 1.1 |
| michael@0 | 67 | ==================== |
| michael@0 | 68 | |
| michael@0 | 69 | -J option revamped |
| michael@0 | 70 | ------------------ |
| michael@0 | 71 | The -J option, which parses HTML files, extracts Java and Javascript code, |
| michael@0 | 72 | and stores them in signed JAR files, has been re-implemented. Several bugs |
| michael@0 | 73 | have been fixed: |
| michael@0 | 74 | - CODEBASE attribute is no longer ignored |
| michael@0 | 75 | - CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than |
| michael@0 | 76 | just filenames ("x.class"). |
| michael@0 | 77 | - LINK tags are handled correctly |
| michael@0 | 78 | - various HTML parsing bugs fixed |
| michael@0 | 79 | - error messages are more informative |
| michael@0 | 80 | |
| michael@0 | 81 | No Password on Key Database |
| michael@0 | 82 | --------------------------- |
| michael@0 | 83 | If you had not yet set a Communicator password (which locks key3.db, the |
| michael@0 | 84 | key database), signtool would fail with a cryptic error message whenever it |
| michael@0 | 85 | attempted to verify the password. Now this condition is detected at the |
| michael@0 | 86 | beginning of the program, and a more informative message is displayed. |
| michael@0 | 87 | |
| michael@0 | 88 | -x and -e Options |
| michael@0 | 89 | ----------------- |
| michael@0 | 90 | Previously, only one of each of these options could be specified on the command |
| michael@0 | 91 | line. Now arbitrarily many can be specified. For example, to sign only files |
| michael@0 | 92 | with .class or .js extensions, the arguments "-eclass -ejs" could both be |
| michael@0 | 93 | specified. To exclude the directories "subdir1" and "subdir2" from signing, |
| michael@0 | 94 | the arguments "-x subdir1 -x subdir2" could both be specified. |
| michael@0 | 95 | |
| michael@0 | 96 | New Features in 1.0 |
| michael@0 | 97 | =================== |
| michael@0 | 98 | |
| michael@0 | 99 | Creation of JAR files |
| michael@0 | 100 | ---------------------- |
| michael@0 | 101 | The -Z option causes signtool to output a JAR file formed by storing the |
| michael@0 | 102 | signed archive in ZIP format. This eliminates the need to use a separate ZIP |
| michael@0 | 103 | utility. The -c option specifies the compression level of the resulting |
| michael@0 | 104 | JAR file. |
| michael@0 | 105 | |
| michael@0 | 106 | Generation of Object-Signing Certificates and Keys |
| michael@0 | 107 | -------------------------------------------------- |
| michael@0 | 108 | The -G option will create a new, self-signed object-signing certificate |
| michael@0 | 109 | which can be used for testing purposes. The generated certificate and |
| michael@0 | 110 | associated public and private keys will be installed in the cert7.db and |
| michael@0 | 111 | key3.db files in the directory specified with the -d option (unless the key |
| michael@0 | 112 | is generated on an external token using the -t option). On Unix systems, |
| michael@0 | 113 | if no directory is specified, the user's Netscape directory (~/.netscape) |
| michael@0 | 114 | will be used. In addition, the certificate is output in X509 format to the |
| michael@0 | 115 | files x509.raw and x509.cacert in the current directory. x509.cacert can |
| michael@0 | 116 | be published on a web page and imported into browsers that visit that page. |
| michael@0 | 117 | |
| michael@0 | 118 | Extraction and Signing of JavaScript from HTML |
| michael@0 | 119 | ---------------------------------------------- |
| michael@0 | 120 | The -J option activates the same functionality provided by the signpages |
| michael@0 | 121 | Perl script. It will parse a directory of html files, creating archives |
| michael@0 | 122 | of the JavaScript called from the HTML. These archives are then signed and |
| michael@0 | 123 | made into JAR files. |
| michael@0 | 124 | |
| michael@0 | 125 | Enhanced Smart Card Support |
| michael@0 | 126 | --------------------------- |
| michael@0 | 127 | Certificates that reside on smart cards are displayed when using the -L and |
| michael@0 | 128 | -l options. |
