michael@0: Signing Tool (signtool) michael@0: 3.10 Release Notes michael@0: ======================================== michael@0: michael@0: Documentation is provided online at mozilla.org michael@0: michael@0: Problems or questions not covered by the online documentation can be michael@0: discussed in the DevEdge Security Newsgroup. michael@0: michael@0: === New Features in 3.10 michael@0: ======================= michael@0: One new option (-X) has been added to create a Mozilla aware signed XPI archive. michael@0: The option must be accompanied by the -Z option. This new option michael@0: creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in michael@0: the archive instead of the default third to last. This will enable the archive michael@0: to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions michael@0: for FireFox or Mozilla. michael@0: michael@0: === New Features in 1.3 michael@0: ======================= michael@0: michael@0: The security library components have been upgraded to utilize NSS_2_7_1_RTM. michael@0: This means that the maximum RSA keysize now supported should be 4096 bits. michael@0: michael@0: === Zigbert 0.6 Support michael@0: ======================= michael@0: This program was previously named Zigbert. The last version of zigbert michael@0: was Zigbert 0.6. Because all the functionality of Zigbert is maintained in michael@0: signtool 1.2, Zigbert is no longer supported. If you have problems michael@0: using Zigbert, please upgrade to signtool 1.2. michael@0: michael@0: === New Features in 1.2 michael@0: ======================= michael@0: michael@0: Certificate Generation Improvements michael@0: ----------------------------------- michael@0: Two new options have been added to control generation of self-signed object michael@0: signing certificates with the -G option. The -s option takes the size (in bits) michael@0: of the generated RSA private key. The -t option takes the name of the PKCS #11 michael@0: token on which to generate the keypair and install the certificate. Both michael@0: options are optional. By default, the private key is 1024 bits and is generated michael@0: on the internal software token. michael@0: michael@0: michael@0: === New Features in 1.1 michael@0: ======================= michael@0: michael@0: File I/O michael@0: -------- michael@0: Signtool can now read its options from a command file specified with the -f michael@0: option on the command line. The format for the file is described in the michael@0: documentation. michael@0: Error messages and informational output can be redirected to an output file michael@0: by supplying the "--outfile" option on the command line or the "outfile=" michael@0: option in the command file. michael@0: michael@0: New Options michael@0: ----------- michael@0: "--norecurse" tells Signtool not to recurse into subdirectories when signing michael@0: directories or parsing HTML with the -J option. michael@0: "--leavearc" tells Signtool not to delete the temporary .arc directories michael@0: produced by the -J option. This can aid debugging. michael@0: "--verbosity" tells Signtool how much information to display. 0 is the michael@0: default. -1 suppresses most messages, except for errors. michael@0: michael@0: === Bug Fixes in 1.1 michael@0: ==================== michael@0: michael@0: -J option revamped michael@0: ------------------ michael@0: The -J option, which parses HTML files, extracts Java and Javascript code, michael@0: and stores them in signed JAR files, has been re-implemented. Several bugs michael@0: have been fixed: michael@0: - CODEBASE attribute is no longer ignored michael@0: - CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than michael@0: just filenames ("x.class"). michael@0: - LINK tags are handled correctly michael@0: - various HTML parsing bugs fixed michael@0: - error messages are more informative michael@0: michael@0: No Password on Key Database michael@0: --------------------------- michael@0: If you had not yet set a Communicator password (which locks key3.db, the michael@0: key database), signtool would fail with a cryptic error message whenever it michael@0: attempted to verify the password. Now this condition is detected at the michael@0: beginning of the program, and a more informative message is displayed. michael@0: michael@0: -x and -e Options michael@0: ----------------- michael@0: Previously, only one of each of these options could be specified on the command michael@0: line. Now arbitrarily many can be specified. For example, to sign only files michael@0: with .class or .js extensions, the arguments "-eclass -ejs" could both be michael@0: specified. To exclude the directories "subdir1" and "subdir2" from signing, michael@0: the arguments "-x subdir1 -x subdir2" could both be specified. michael@0: michael@0: New Features in 1.0 michael@0: =================== michael@0: michael@0: Creation of JAR files michael@0: ---------------------- michael@0: The -Z option causes signtool to output a JAR file formed by storing the michael@0: signed archive in ZIP format. This eliminates the need to use a separate ZIP michael@0: utility. The -c option specifies the compression level of the resulting michael@0: JAR file. michael@0: michael@0: Generation of Object-Signing Certificates and Keys michael@0: -------------------------------------------------- michael@0: The -G option will create a new, self-signed object-signing certificate michael@0: which can be used for testing purposes. The generated certificate and michael@0: associated public and private keys will be installed in the cert7.db and michael@0: key3.db files in the directory specified with the -d option (unless the key michael@0: is generated on an external token using the -t option). On Unix systems, michael@0: if no directory is specified, the user's Netscape directory (~/.netscape) michael@0: will be used. In addition, the certificate is output in X509 format to the michael@0: files x509.raw and x509.cacert in the current directory. x509.cacert can michael@0: be published on a web page and imported into browsers that visit that page. michael@0: michael@0: Extraction and Signing of JavaScript from HTML michael@0: ---------------------------------------------- michael@0: The -J option activates the same functionality provided by the signpages michael@0: Perl script. It will parse a directory of html files, creating archives michael@0: of the JavaScript called from the HTML. These archives are then signed and michael@0: made into JAR files. michael@0: michael@0: Enhanced Smart Card Support michael@0: --------------------------- michael@0: Certificates that reside on smart cards are displayed when using the -L and michael@0: -l options.