1SIGNTOOL(1) NSS Security Tools SIGNTOOL(1)
2
3
4
6 signtool - Digitally sign objects and files.
7
9 signtool [[-b basename]] [[-c Compression Level]] [[-d cert-dir]]
10 [[-e extension]] [[-f filename]] [[-i installer script]]
11 [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]]
12 [[-j directory]] [-k keyName] [[--keysize | -s size]] [[-l]]
13 [[-L]] [[-M]] [[-m metafile]] [[--norecurse]] [[-O]] [[-o]]
14 [[--outfile]] [[-p password]] [[-t|--token tokenname]] [[-z]]
15 [[-X]] [[-x name]] [[--verbose value]] [[--leavearc]]
16 [[-Z jarfile]] [directory-tree] [archive]
17
19 This documentation is still work in progress. Please contribute to the
20 initial review in Mozilla NSS bug 836477[1]
21
23 The Signing Tool, signtool, creates digital signatures and uses a Java
24 Archive (JAR) file to associate the signatures with files in a
25 directory. Electronic software distribution over any network involves
26 potential security problems. To help address some of these problems,
27 you can associate digital signatures with the files in a JAR archive.
28 Digital signatures allow SSL-enabled clients to perform two important
29 operations:
30
31 * Confirm the identity of the individual, company, or other entity
32 whose digital signature is associated with the files
33
34 * Check whether the files have been tampered with since being signed
35
36 If you have a signing certificate, you can use Netscape Signing Tool to
37 digitally sign files and package them as a JAR file. An object-signing
38 certificate is a special kind of certificate that allows you to
39 associate your digital signature with one or more files.
40
41 An individual file can potentially be signed with multiple digital
42 signatures. For example, a commercial software developer might sign the
43 files that constitute a software product to prove that the files are
44 indeed from a particular company. A network administrator manager might
45 sign the same files with an additional digital signature based on a
46 company-generated certificate to indicate that the product is approved
47 for use within the company.
48
49 The significance of a digital signature is comparable to the
50 significance of a handwritten signature. Once you have signed a file,
51 it is difficult to claim later that you didn't sign it. In some
52 situations, a digital signature may be considered as legally binding as
53 a handwritten signature. Therefore, you should take great care to
54 ensure that you can stand behind any file you sign and distribute.
55
56 For example, if you are a software developer, you should test your code
57 to make sure it is virus-free before signing it. Similarly, if you are
58 a network administrator, you should make sure, before signing any code,
59 that it comes from a reliable source and will run correctly with the
60 software installed on the machines to which you are distributing it.
61
62 Before you can use Netscape Signing Tool to sign files, you must have
63 an object-signing certificate, which is a special certificate whose
64 associated private key is used to create digital signatures. For
65 testing purposes only, you can create an object-signing certificate
66 with Netscape Signing Tool 1.3. When testing is finished and you are
67 ready to disitribute your software, you should obtain an object-signing
68 certificate from one of two kinds of sources:
69
70 * An independent certificate authority (CA) that authenticates your
71 identity and charges you a fee. You typically get a certificate from an
72 independent CA if you want to sign software that will be distributed
73 over the Internet.
74
75 * CA server software running on your corporate intranet or extranet.
76 Netscape Certificate Management System provides a complete management
77 solution for creating, deploying, and managing certificates, including
78 CAs that issue object-signing certificates.
79
80 You must also have a certificate for the CA that issues your signing
81 certificate before you can sign files. If the certificate authority's
82 certificate isn't already installed in your copy of Communicator, you
83 typically install it by clicking the appropriate link on the
84 certificate authority's web site, for example on the page from which
85 you initiated enrollment for your signing certificate. This is the case
86 for some test certificates, as well as certificates issued by Netscape
87 Certificate Management System: you must download the the CA certificate
88 in addition to obtaining your own signing certificate. CA certificates
89 for several certificate authorities are preinstalled in the
90 Communicator certificate database.
91
92 When you receive an object-signing certificate for your own use, it is
93 automatically installed in your copy of the Communicator client
94 software. Communicator supports the public-key cryptography standard
95 known as PKCS #12, which governs key portability. You can, for example,
96 move an object-signing certificate and its associated private key from
97 one computer to another on a credit-card-sized device called a smart
98 card.
99
101 -b basename
102 Specifies the base filename for the .rsa and .sf files in the
103 META-INF directory to conform with the JAR format. For example, -b
104 signatures causes the files to be named signatures.rsa and
105 signatures.sf. The default is signtool.
106
107 -c#
108 Specifies the compression level for the -J or -Z option. The symbol
109 # represents a number from 0 to 9, where 0 means no compression and
110 9 means maximum compression. The higher the level of compression,
111 the smaller the output but the longer the operation takes. If the
112 -c# option is not used with either the -J or the -Z option, the
113 default compression value used by both the -J and -Z options is 6.
114
115 -d certdir
116 Specifies your certificate database directory; that is, the
117 directory in which you placed your key3.db and cert7.db files. To
118 specify the current directory, use "-d." (including the period).
119 The Unix version of signtool assumes ~/.netscape unless told
120 otherwise. The NT version of signtool always requires the use of
121 the -d option to specify where the database files are located.
122
123 -e extension
124 Tells signtool to sign only files with the given extension; for
125 example, use -e".class" to sign only Java class files. Note that
126 with Netscape Signing Tool version 1.1 and later this option can
127 appear multiple times on one command line, making it possible to
128 specify multiple file types or classes to include.
129
130 -f commandfile
131 Specifies a text file containing Netscape Signing Tool options and
132 arguments in keyword=value format. All options and arguments can be
133 expressed through this file. For more information about the syntax
134 used with this file, see "Tips and Techniques".
135
136 -G nickname
137 Generates a new private-public key pair and corresponding
138 object-signing certificate with the given nickname. The newly
139 generated keys and certificate are installed into the key and
140 certificate databases in the directory specified by the -d option.
141 With the NT version of Netscape Signing Tool, you must use the -d
142 option with the -G option. With the Unix version of Netscape
143 Signing Tool, omitting the -d option causes the tool to install the
144 keys and certificate in the Communicator key and certificate
145 databases. If you are installing the keys and certificate in the
146 Communicator databases, you must exit Communicator before using
147 this option; otherwise, you risk corrupting the databases. In all
148 cases, the certificate is also output to a file named x509.cacert,
149 which has the MIME-type application/x-x509-ca-cert. Unlike
150 certificates normally used to sign finished code to be distributed
151 over a network, a test certificate created with -G is not signed by
152 a recognized certificate authority. Instead, it is self-signed. In
153 addition, a single test signing certificate functions as both an
154 object-signing certificate and a CA. When you are using it to sign
155 objects, it behaves like an object-signing certificate. When it is
156 imported into browser software such as Communicator, it behaves
157 like an object-signing CA and cannot be used to sign objects. The
158 -G option is available in Netscape Signing Tool 1.0 and later
159 versions only. By default, it produces only RSA certificates with
160 1024-byte keys in the internal token. However, you can use the -s
161 option specify the required key size and the -t option to specify
162 the token.
163
164 -i scriptname
165 Specifies the name of an installer script for SmartUpdate. This
166 script installs files from the JAR archive in the local system
167 after SmartUpdate has validated the digital signature. For more
168 details, see the description of -m that follows. The -i option
169 provides a straightforward way to provide this information if you
170 don't need to specify any metadata other than an installer script.
171
172 -J
173 Signs a directory of HTML files containing JavaScript and creates
174 as many archive files as are specified in the HTML tags. Even if
175 signtool creates more than one archive file, you need to supply the
176 key database password only once. The -J option is available only in
177 Netscape Signing Tool 1.0 and later versions. The -J option cannot
178 be used at the same time as the -Z option. If the -c# option is not
179 used with the -J option, the default compression value is 6. Note
180 that versions 1.1 and later of Netscape Signing Tool correctly
181 recognizes the CODEBASE attribute, allows paths to be expressed for
182 the CLASS and SRC attributes instead of filenames only, processes
183 LINK tags and parses HTML correctly, and offers clearer error
184 messages.
185
186 -j directory
187 Specifies a special JavaScript directory. This option causes the
188 specified directory to be signed and tags its entries as inline
189 JavaScript. This special type of entry does not have to appear in
190 the JAR file itself. Instead, it is located in the HTML page
191 containing the inline scripts. When you use signtool -v, these
192 entries are displayed with the string NOT PRESENT.
193
194 -k key ... directory
195 Specifies the nickname (key) of the certificate you want to sign
196 with and signs the files in the specified directory. The directory
197 to sign is always specified as the last command-line argument.
198 Thus, it is possible to write signtool -k MyCert -d . signdir You
199 may have trouble if the nickname contains a single quotation mark.
200 To avoid problems, escape the quotation mark using the escape
201 conventions for your platform. It's also possible to use the -k
202 option without signing any files or specifying a directory. For
203 example, you can use it with the -l option to get detailed
204 information about a particular signing certificate.
205
206 -l
207 Lists signing certificates, including issuing CAs. If any of your
208 certificates are expired or invalid, the list will so specify. This
209 option can be used with the -k option to list detailed information
210 about a particular signing certificate. The -l option is available
211 in Netscape Signing Tool 1.0 and later versions only.
212
213 -L
214 Lists the certificates in your database. An asterisk appears to the
215 left of the nickname for any certificate that can be used to sign
216 objects with signtool.
217
218 --leavearc
219 Retains the temporary .arc (archive) directories that the -J option
220 creates. These directories are automatically erased by default.
221 Retaining the temporary directories can be an aid to debugging.
222
223 -m metafile
224 Specifies the name of a metadata control file. Metadata is signed
225 information attached either to the JAR archive itself or to files
226 within the archive. This metadata can be any ASCII string, but is
227 used mainly for specifying an installer script. The metadata file
228 contains one entry per line, each with three fields: field #1: file
229 specification, or + if you want to specify global metadata (that
230 is, metadata about the JAR archive itself or all entries in the
231 archive) field #2: the name of the data you are specifying; for
232 example: Install-Script field #3: data corresponding to the name in
233 field #2 For example, the -i option uses the equivalent of this
234 line: + Install-Script: script.js This example associates a MIME
235 type with a file: movie.qt MIME-Type: video/quicktime For
236 information about the way installer script information appears in
237 the manifest file for a JAR archive, see The JAR Format on Netscape
238 DevEdge.
239
240 -M
241 Lists the PKCS #11 modules available to signtool, including smart
242 cards. The -M option is available in Netscape Signing Tool 1.0 and
243 later versions only. For information on using Netscape Signing Tool
244 with smart cards, see "Using Netscape Signing Tool with Smart
245 Cards". For information on using the -M option to verify FIPS-140-1
246 validated mode, see "Netscape Signing Tool and FIPS-140-1".
247
248 --norecurse
249 Blocks recursion into subdirectories when signing a directory's
250 contents or when parsing HTML.
251
252 -o
253 Optimizes the archive for size. Use this only if you are signing
254 very large archives containing hundreds of files. This option makes
255 the manifest files (required by the JAR format) considerably
256 smaller, but they contain slightly less information.
257
258 --outfile outputfile
259 Specifies a file to receive redirected output from Netscape Signing
260 Tool.
261
262 -p password
263 Specifies a password for the private-key database. Note that the
264 password entered on the command line is displayed as plain text.
265
266 -s keysize
267 Specifies the size of the key for generated certificate. Use the -M
268 option to find out what tokens are available. The -s option can be
269 used with the -G option only.
270
271 -t token
272 Specifies which available token should generate the key and receive
273 the certificate. Use the -M option to find out what tokens are
274 available. The -t option can be used with the -G option only.
275
276 -v archive
277 Displays the contents of an archive and verifies the cryptographic
278 integrity of the digital signatures it contains and the files with
279 which they are associated. This includes checking that the
280 certificate for the issuer of the object-signing certificate is
281 listed in the certificate database, that the CA's digital signature
282 on the object-signing certificate is valid, that the relevant
283 certificates have not expired, and so on.
284
285 --verbosity value
286 Sets the quantity of information Netscape Signing Tool generates in
287 operation. A value of 0 (zero) is the default and gives full
288 information. A value of -1 suppresses most messages, but not error
289 messages.
290
291 -w archive
292 Displays the names of signers of any files in the archive.
293
294 -x directory
295 Excludes the specified directory from signing. Note that with
296 Netscape Signing Tool version 1.1 and later this option can appear
297 multiple times on one command line, making it possible to specify
298 several particular directories to exclude.
299
300 -z
301 Tells signtool not to store the signing time in the digital
302 signature. This option is useful if you want the expiration date of
303 the signature checked against the current date and time rather than
304 the time the files were signed.
305
306 -Z jarfile
307 Creates a JAR file with the specified name. You must specify this
308 option if you want signtool to create the JAR file; it does not do
309 so automatically. If you don't specify -Z, you must use an external
310 ZIP tool to create the JAR file. The -Z option cannot be used at
311 the same time as the -J option. If the -c# option is not used with
312 the -Z option, the default compression value is 6.
313
315 Entries in a Netscape Signing Tool command file have this general
316 format: keyword=value Everything before the = sign on a single line is
317 a keyword, and everything from the = sign to the end of line is a
318 value. The value may include = signs; only the first = sign on a line
319 is interpreted. Blank lines are ignored, but white space on a line with
320 keywords and values is assumed to be part of the keyword (if it comes
321 before the equal sign) or part of the value (if it comes after the
322 first equal sign). Keywords are case insensitive, values are generally
323 case sensitive. Since the = sign and newline delimit the value, it
324 should not be quoted.
325
326 Subsection
327
328 basename
329 Same as -b option.
330
331 compression
332 Same as -c option.
333
334 certdir
335 Same as -d option.
336
337 extension
338 Same as -e option.
339
340 generate
341 Same as -G option.
342
343 installscript
344 Same as -i option.
345
346 javascriptdir
347 Same as -j option.
348
349 htmldir
350 Same as -J option.
351
352 certname
353 Nickname of certificate, as with -k and -l -k options.
354
355 signdir
356 The directory to be signed, as with -k option.
357
358 list
359 Same as -l option. Value is ignored, but = sign must be present.
360
361 listall
362 Same as -L option. Value is ignored, but = sign must be present.
363
364 metafile
365 Same as -m option.
366
367 modules
368 Same as -M option. Value is ignored, but = sign must be present.
369
370 optimize
371 Same as -o option. Value is ignored, but = sign must be present.
372
373 password
374 Same as -p option.
375
376 keysize
377 Same as -s option.
378
379 token
380 Same as -t option.
381
382 verify
383 Same as -v option.
384
385 who
386 Same as -w option.
387
388 exclude
389 Same as -x option.
390
391 notime
392 Same as -z option. value is ignored, but = sign must be present.
393
394 jarfile
395 Same as -Z option.
396
397 outfile
398 Name of a file to which output and error messages will be
399 redirected. This option has no command-line equivalent.
400
402 The following example will do this and that
403
404 Listing Available Signing Certificates
405
406 You use the -L option to list the nicknames for all available
407 certificates and check which ones are signing certificates.
408
409 signtool -L
410
411 using certificate directory: /u/jsmith/.netscape
412 S Certificates
413 - ------------
414 BBN Certificate Services CA Root 1
415 IBM World Registry CA
416 VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
417 GTE CyberTrust Root CA
418 Uptime Group Plc. Class 4 CA
419 * Verisign Object Signing Cert
420 Integrion CA
421 GTE CyberTrust Secure Server CA
422 AT&T Directory Services
423 * test object signing cert
424 Uptime Group Plc. Class 1 CA
425 VeriSign Class 1 Primary CA
426 - ------------
427
428 Certificates that can be used to sign objects have *'s to their left.
429
430 Two signing certificates are displayed: Verisign Object Signing Cert
431 and test object signing cert.
432
433 You use the -l option to get a list of signing certificates only,
434 including the signing CA for each.
435
436 signtool -l
437
438 using certificate directory: /u/jsmith/.netscape
439 Object signing certificates
440 ---------------------------------------
441
442 Verisign Object Signing Cert
443 Issued by: VeriSign, Inc. - Verisign, Inc.
444 Expires: Tue May 19, 1998
445 test object signing cert
446 Issued by: test object signing cert (Signtool 1.0 Testing
447 Certificate (960187691))
448 Expires: Sun May 17, 1998
449 ---------------------------------------
450
451 For a list including CAs, use the -L option.
452
453 Signing a File
454
455 1. Create an empty directory.
456
457 mkdir signdir
458
459 2. Put some file into it.
460
461 echo boo > signdir/test.f
462
463 3. Specify the name of your object-signing certificate and sign the
464 directory.
465
466 signtool -k MySignCert -Z testjar.jar signdir
467
468 using key "MySignCert"
469 using certificate directory: /u/jsmith/.netscape
470 Generating signdir/META-INF/manifest.mf file..
471 --> test.f
472 adding signdir/test.f to testjar.jar
473 Generating signtool.sf file..
474 Enter Password or Pin for "Communicator Certificate DB":
475
476 adding signdir/META-INF/manifest.mf to testjar.jar
477 adding signdir/META-INF/signtool.sf to testjar.jar
478 adding signdir/META-INF/signtool.rsa to testjar.jar
479
480 tree "signdir" signed successfully
481
482 4. Test the archive you just created.
483
484 signtool -v testjar.jar
485
486 using certificate directory: /u/jsmith/.netscape
487 archive "testjar.jar" has passed crypto verification.
488 status path
489 ------------ -------------------
490 verified test.f
491
492 Using Netscape Signing Tool with a ZIP Utility
493
494 To use Netscape Signing Tool with a ZIP utility, you must have the
495 utility in your path environment variable. You should use the zip.exe
496 utility rather than pkzip.exe, which cannot handle long filenames. You
497 can use a ZIP utility instead of the -Z option to package a signed
498 archive into a JAR file after you have signed it:
499
500 cd signdir
501
502 zip -r ../myjar.jar *
503 adding: META-INF/ (stored 0%)
504 adding: META-INF/manifest.mf (deflated 15%)
505 adding: META-INF/signtool.sf (deflated 28%)
506 adding: META-INF/signtool.rsa (stored 0%)
507 adding: text.txt (stored 0%)
508
509 Generating the Keys and Certificate
510
511 The signtool option -G generates a new public-private key pair and
512 certificate. It takes the nickname of the new certificate as an
513 argument. The newly generated keys and certificate are installed into
514 the key and certificate databases in the directory specified by the -d
515 option. With the NT version of Netscape Signing Tool, you must use the
516 -d option with the -G option. With the Unix version of Netscape Signing
517 Tool, omitting the -d option causes the tool to install the keys and
518 certificate in the Communicator key and certificate databases. In all
519 cases, the certificate is also output to a file named x509.cacert,
520 which has the MIME-type application/x-x509-ca-cert.
521
522 Certificates contain standard information about the entity they
523 identify, such as the common name and organization name. Netscape
524 Signing Tool prompts you for this information when you run the command
525 with the -G option. However, all of the requested fields are optional
526 for test certificates. If you do not enter a common name, the tool
527 provides a default name. In the following example, the user input is in
528 boldface:
529
530 signtool -G MyTestCert
531
532 using certificate directory: /u/someuser/.netscape
533 Enter certificate information. All fields are optional. Acceptable
534 characters are numbers, letters, spaces, and apostrophes.
535 certificate common name: Test Object Signing Certificate
536 organization: Netscape Communications Corp.
537 organization unit: Server Products Division
538 state or province: California
539 country (must be exactly 2 characters): US
540 username: someuser
541 email address: someuser@netscape.com
542 Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
543 generated public/private key pair
544 certificate request generated
545 certificate has been signed
546 certificate "MyTestCert" added to database
547 Exported certificate to x509.raw and x509.cacert.
548
549 The certificate information is read from standard input. Therefore, the
550 information can be read from a file using the redirection operator (<)
551 in some operating systems. To create a file for this purpose, enter
552 each of the seven input fields, in order, on a separate line. Make sure
553 there is a newline character at the end of the last line. Then run
554 signtool with standard input redirected from your file as follows:
555
556 signtool -G MyTestCert inputfile
557
558 The prompts show up on the screen, but the responses will be
559 automatically read from the file. The password will still be read from
560 the console unless you use the -p option to give the password on the
561 command line.
562
563 Using the -M Option to List Smart Cards
564
565 You can use the -M option to list the PKCS #11 modules, including smart
566 cards, that are available to signtool:
567
568 signtool -d "c:\netscape\users\jsmith" -M
569
570 using certificate directory: c:\netscape\users\username
571 Listing of PKCS11 modules
572 -----------------------------------------------
573 1. Netscape Internal PKCS #11 Module
574 (this module is internally loaded)
575 slots: 2 slots attached
576 status: loaded
577 slot: Communicator Internal Cryptographic Services Version 4.0
578 token: Communicator Generic Crypto Svcs
579 slot: Communicator User Private Key and Certificate Services
580 token: Communicator Certificate DB
581 2. CryptOS
582 (this is an external module)
583 DLL name: core32
584 slots: 1 slots attached
585 status: loaded
586 slot: Litronic 210
587 token:
588 -----------------------------------------------
589
590 Using Netscape Signing Tool and a Smart Card to Sign Files
591
592 The signtool command normally takes an argument of the -k option to
593 specify a signing certificate. To sign with a smart card, you supply
594 only the fully qualified name of the certificate.
595
596 To see fully qualified certificate names when you run Communicator,
597 click the Security button in Navigator, then click Yours under
598 Certificates in the left frame. Fully qualified names are of the format
599 smart card:certificate, for example "MyCard:My Signing Cert". You use
600 this name with the -k argument as follows:
601
602 signtool -k "MyCard:My Signing Cert" directory
603
604 Verifying FIPS Mode
605
606 Use the -M option to verify that you are using the FIPS-140-1 module.
607
608 signtool -d "c:\netscape\users\jsmith" -M
609
610 using certificate directory: c:\netscape\users\jsmith
611 Listing of PKCS11 modules
612 -----------------------------------------------
613 1. Netscape Internal PKCS #11 Module
614 (this module is internally loaded)
615 slots: 2 slots attached
616 status: loaded
617 slot: Communicator Internal Cryptographic Services Version 4.0
618 token: Communicator Generic Crypto Svcs
619 slot: Communicator User Private Key and Certificate Services
620 token: Communicator Certificate DB
621 -----------------------------------------------
622
623 This Unix example shows that Netscape Signing Tool is using a
624 FIPS-140-1 module:
625
626 signtool -d "c:\netscape\users\jsmith" -M
627 using certificate directory: c:\netscape\users\jsmith
628 Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
629 Listing of PKCS11 modules
630 -----------------------------------------------
631 1. Netscape Internal FIPS PKCS #11 Module
632 (this module is internally loaded)
633 slots: 1 slots attached
634 status: loaded
635 slot: Netscape Internal FIPS-140-1 Cryptographic Services
636 token: Communicator Certificate DB
637 -----------------------------------------------
638
640 signver (1)
641
642 The NSS wiki has information on the new database design and how to
643 configure applications to use it.
644
645 · https://wiki.mozilla.org/NSS_Shared_DB_Howto
646
647 · https://wiki.mozilla.org/NSS_Shared_DB
648
650 For information about NSS and other tools related to NSS (like JSS),
651 check out the NSS project wiki at
652 http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
653 directly to NSS code changes and releases.
654
655 Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
656
657 IRC: Freenode at #dogtag-pki
658
660 The NSS tools were written and maintained by developers with Netscape,
661 Red Hat, Sun, Oracle, Mozilla, and Google.
662
663 Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
664 <dlackey@redhat.com>.
665
667 Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
668 was not distributed with this file, You can obtain one at
669 http://mozilla.org/MPL/2.0/.
670
672 1. Mozilla NSS bug 836477
673 https://bugzilla.mozilla.org/show_bug.cgi?id=836477
674
675
676
677nss-tools 3.44.0 Nov 13 2013 SIGNTOOL(1)