1SIGNVER(1) NSS Security Tools SIGNVER(1)
2
3
4
6 signver - Verify a detached PKCS#7 signature for a file.
7
9 signtool -A | -V -d directory [-a] [-i input_file] [-o output_file]
10 [-s signature_file] [-v]
11
13 This documentation is still work in progress. Please contribute to the
14 initial review in Mozilla NSS bug 836477[1]
15
17 The Signature Verification Tool, signver, is a simple command-line
18 utility that unpacks a base-64-encoded PKCS#7 signed object and
19 verifies the digital signature using standard cryptographic techniques.
20 The Signature Verification Tool can also display the contents of the
21 signed object.
22
24 -A
25 Displays all of the information in the PKCS#7 signature.
26
27 -V
28 Verifies the digital signature.
29
30 -d [sql:]directory
31 Specify the database directory which contains the certificates and
32 keys.
33
34 signver supports two types of databases: the legacy security
35 databases (cert8.db, key3.db, and secmod.db) and new SQLite
36 databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
37 is not used, then the tool assumes that the given databases are in
38 the old format.
39
40 -a
41 Sets that the given signature file is in ASCII format.
42
43 -i input_file
44 Gives the input file for the object with signed data.
45
46 -o output_file
47 Gives the output file to which to write the results.
48
49 -s signature_file
50 Gives the input file for the digital signature.
51
52 -v
53 Enables verbose output.
54
56 Verifying a Signature
57 The -V option verifies that the signature in a given signature file is
58 valid when used to sign the given object (from the input file).
59
60 signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
61
62 signatureValid=yes
63
64 Printing Signature Data
65 The -A option prints all of the information contained in a signature
66 file. Using the -o option prints the signature file information to the
67 given output file rather than stdout.
68
69 signver -A -s signature_file -o output_file
70
72 NSS originally used BerkeleyDB databases to store security information.
73 The last versions of these legacy databases are:
74
75 · cert8.db for certificates
76
77 · key3.db for keys
78
79 · secmod.db for PKCS #11 module information
80
81 BerkeleyDB has performance limitations, though, which prevent it from
82 being easily used by multiple applications simultaneously. NSS has some
83 flexibility that allows applications to use their own, independent
84 database engine while keeping a shared database and working around the
85 access issues. Still, NSS requires more flexibility to provide a truly
86 shared security database.
87
88 In 2009, NSS introduced a new set of databases that are SQLite
89 databases rather than BerkleyDB. These new databases provide more
90 accessibility and performance:
91
92 · cert9.db for certificates
93
94 · key4.db for keys
95
96 · pkcs11.txt, which is listing of all of the PKCS #11 modules
97 contained in a new subdirectory in the security databases directory
98
99 Because the SQLite databases are designed to be shared, these are the
100 shared database type. The shared database type is preferred; the legacy
101 format is included for backward compatibility.
102
103 By default, the tools (certutil, pk12util, modutil) assume that the
104 given security databases follow the more common legacy type. Using the
105 SQLite databases must be manually specified by using the sql: prefix
106 with the given security directory. For example:
107
108 # signver -A -s signature -d sql:/home/my/sharednssdb
109
110 To set the shared database type as the default type for the tools, set
111 the NSS_DEFAULT_DB_TYPE environment variable to sql:
112
113 export NSS_DEFAULT_DB_TYPE="sql"
114
115 This line can be added to the ~/.bashrc file to make the change
116 permanent for the user.
117
118 Most applications do not use the shared database by default, but they
119 can be configured to use them. For example, this how-to article covers
120 how to configure Firefox and Thunderbird to use the new shared NSS
121 databases:
122
123 · https://wiki.mozilla.org/NSS_Shared_DB_Howto
124
125 For an engineering draft on the changes in the shared NSS databases,
126 see the NSS project wiki:
127
128 · https://wiki.mozilla.org/NSS_Shared_DB
129
131 signtool (1)
132
133 The NSS wiki has information on the new database design and how to
134 configure applications to use it.
135
136 · Setting up the shared NSS database
137
138 https://wiki.mozilla.org/NSS_Shared_DB_Howto
139
140 · Engineering and technical information about the shared NSS database
141
142 https://wiki.mozilla.org/NSS_Shared_DB
143
145 For information about NSS and other tools related to NSS (like JSS),
146 check out the NSS project wiki at
147 http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
148 directly to NSS code changes and releases.
149
150 Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
151
152 IRC: Freenode at #dogtag-pki
153
155 The NSS tools were written and maintained by developers with Netscape,
156 Red Hat, Sun, Oracle, Mozilla, and Google.
157
158 Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
159 <dlackey@redhat.com>.
160
162 Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
163 was not distributed with this file, You can obtain one at
164 http://mozilla.org/MPL/2.0/.
165
167 1. Mozilla NSS bug 836477
168 https://bugzilla.mozilla.org/show_bug.cgi?id=836477
169
170
171
172nss-tools 3.44.0 Nov 13 2013 SIGNVER(1)