security/nss/cmd/signtool/README

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/cmd/signtool/README	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,128 @@
     1.4 +                      Signing Tool (signtool)
     1.5 +                         3.10 Release Notes
     1.6 +               ========================================
     1.7 +
     1.8 +Documentation is provided online at mozilla.org
     1.9 +
    1.10 +Problems or questions not covered by the online documentation can be
    1.11 +discussed in the DevEdge Security Newsgroup.
    1.12 +
    1.13 +=== New Features in 3.10
    1.14 +=======================
    1.15 +One new option (-X) has been added to create a Mozilla aware signed XPI archive. 
    1.16 +The option must be accompanied by the -Z option. This new option
    1.17 +creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in 
    1.18 +the archive instead of the default third to last. This will enable the archive
    1.19 +to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions
    1.20 +for FireFox or Mozilla.
    1.21 +
    1.22 +=== New Features in 1.3
    1.23 +=======================
    1.24 +
    1.25 +The security library components have been upgraded to utilize NSS_2_7_1_RTM.
    1.26 +This means that the maximum RSA keysize now supported should be 4096 bits.
    1.27 +
    1.28 +=== Zigbert 0.6 Support
    1.29 +=======================
    1.30 +This program was previously named Zigbert.  The last version of zigbert
    1.31 +was Zigbert 0.6.  Because all the functionality of Zigbert is maintained in
    1.32 +signtool 1.2, Zigbert is no longer supported.  If you have problems
    1.33 +using Zigbert, please upgrade to signtool 1.2.
    1.34 +
    1.35 +=== New Features in 1.2
    1.36 +=======================
    1.37 +
    1.38 +Certificate Generation Improvements
    1.39 +-----------------------------------
    1.40 +Two new options have been added to control generation of self-signed object
    1.41 +signing certificates with the -G option. The -s option takes the size (in bits)
    1.42 +of the generated RSA private key.  The -t option takes the name of the PKCS #11
    1.43 +token on which to generate the keypair and install the certificate.  Both
    1.44 +options are optional.  By default, the private key is 1024 bits and is generated
    1.45 +on the internal software token.
    1.46 +
    1.47 +
    1.48 +=== New Features in 1.1
    1.49 +=======================
    1.50 +
    1.51 +File I/O
    1.52 +--------
    1.53 +Signtool can now read its options from a command file specified with the -f
    1.54 +option on the command line. The format for the file is described in the
    1.55 +documentation.
    1.56 +Error messages and informational output can be redirected to an output file
    1.57 +by supplying the "--outfile" option on the command line or the "outfile="
    1.58 +option in the command file.
    1.59 +
    1.60 +New Options
    1.61 +-----------
    1.62 +"--norecurse" tells Signtool not to recurse into subdirectories when signing
    1.63 +directories or parsing HTML with the -J option.
    1.64 +"--leavearc" tells Signtool not to delete the temporary .arc directories
    1.65 +produced by the -J option.  This can aid debugging.
    1.66 +"--verbosity" tells Signtool how much information to display. 0 is the
    1.67 +default. -1 suppresses most messages, except for errors.
    1.68 +
    1.69 +=== Bug Fixes in 1.1
    1.70 +====================
    1.71 +
    1.72 +-J option revamped
    1.73 +------------------
    1.74 +The -J option, which parses HTML files, extracts Java and Javascript code,
    1.75 +and stores them in signed JAR files, has been re-implemented. Several bugs
    1.76 +have been fixed:
    1.77 +- CODEBASE attribute is no longer ignored
    1.78 +- CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than
    1.79 +  just filenames ("x.class").
    1.80 +- LINK tags are handled correctly
    1.81 +- various HTML parsing bugs fixed
    1.82 +- error messages are more informative
    1.83 +
    1.84 +No Password on Key Database
    1.85 +---------------------------
    1.86 +If you had not yet set a Communicator password (which locks key3.db, the
    1.87 +key database), signtool would fail with a cryptic error message whenever it
    1.88 +attempted to verify the password.  Now this condition is detected at the
    1.89 +beginning of the program, and a more informative message is displayed.
    1.90 +
    1.91 +-x and -e Options
    1.92 +-----------------
    1.93 +Previously, only one of each of these options could be specified on the command
    1.94 +line. Now arbitrarily many can be specified.  For example, to sign only files
    1.95 +with .class or .js extensions, the arguments "-eclass -ejs" could both be
    1.96 +specified. To exclude the directories "subdir1" and "subdir2" from signing,
    1.97 +the arguments "-x subdir1 -x subdir2" could both be specified.
    1.98 +
    1.99 +New Features in 1.0
   1.100 +===================
   1.101 +
   1.102 +Creation of JAR files
   1.103 +----------------------
   1.104 +The -Z option causes signtool to output a JAR file formed by storing the
   1.105 +signed archive in ZIP format.  This eliminates the need to use a separate ZIP
   1.106 +utility.  The -c option specifies the compression level of the resulting
   1.107 +JAR file.
   1.108 +
   1.109 +Generation of Object-Signing Certificates and Keys
   1.110 +--------------------------------------------------
   1.111 +The -G option will create a new, self-signed object-signing certificate
   1.112 +which can be used for testing purposes.  The generated certificate and 
   1.113 +associated public and private keys will be installed in the cert7.db and
   1.114 +key3.db files in the directory specified with the -d option (unless the key
   1.115 +is generated on an external token using the -t option). On Unix systems,
   1.116 +if no directory is specified, the user's Netscape directory (~/.netscape)
   1.117 +will be used. In addition, the certificate is output in X509 format to the
   1.118 +files x509.raw and x509.cacert in the current directory.  x509.cacert can
   1.119 +be published on a web page and imported into browsers that visit that page.
   1.120 +
   1.121 +Extraction and Signing of JavaScript from HTML
   1.122 +----------------------------------------------
   1.123 +The -J option activates the same functionality provided by the signpages
   1.124 +Perl script.  It will parse a directory of html files, creating archives
   1.125 +of the JavaScript called from the HTML. These archives are then signed and
   1.126 +made into JAR files.
   1.127 +
   1.128 +Enhanced Smart Card Support
   1.129 +---------------------------
   1.130 +Certificates that reside on smart cards are displayed when using the -L and
   1.131 +-l options.
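Review bot: the pointers "Documentation is provided online at mozilla.org" and "The format for the file is described in the documentation" (the -f command file) give no actual location; a README that sends the reader elsewhere for the -f file format and the option reference should carry the URL or the in-tree path. Two points in the same text a reader of these notes will trip over: the 1.2 section says -G defaults to a 1024-bit RSA key while the 1.3 section says 4096-bit keys are supported, so the -G paragraph should tell callers who want a larger key to pass -s explicitly rather than rely on the default; and the 1.0 section says x509.cacert "can be published on a web page and imported into browsers" without repeating that the -G certificate is self-signed and, per the same paragraph, intended for testing, so that sentence should carry the test-only caveat. Minor: "can be be paths" in the -J bug list is a doubled word, and the "New Features in 1.0" heading lacks the "=== " prefix every other section heading uses, so it should read "=== New Features in 1.0".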
