signver(1)

1SIGNVER(1)                    NSS Security Tools                    SIGNVER(1)
2
3
4

NAME

6       signver - Verify a detached PKCS#7 signature for a file.
7

SYNOPSIS

9       signtool -A | -V  -d directory [-a] [-i input_file] [-o output_file]
10                [-s signature_file] [-v]
11

STATUS

13       This documentation is still work in progress. Please contribute to the
14       initial review in Mozilla NSS bug 836477[1]
15

DESCRIPTION

17       The Signature Verification Tool, signver, is a simple command-line
18       utility that unpacks a base-64-encoded PKCS#7 signed object and
19       verifies the digital signature using standard cryptographic techniques.
20       The Signature Verification Tool can also display the contents of the
21       signed object.
22

OPTIONS

24       -A
25           Displays all of the information in the PKCS#7 signature.
26
27       -V
28           Verifies the digital signature.
29
30       -d directory
31           Specify the database directory which contains the certificates and
32           keys.
33
34           signver supports two types of databases: the legacy security
35           databases (cert8.db, key3.db, and secmod.db) and new SQLite
36           databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm:
37           is not used, then the tool assumes that the given databases are in
38           the SQLite format.
39
40       -a
41           Sets that the given signature file is in ASCII format.
42
43       -i input_file
44           Gives the input file for the object with signed data.
45
46       -o output_file
47           Gives the output file to which to write the results.
48
49       -s signature_file
50           Gives the input file for the digital signature.
51
52       -v
53           Enables verbose output.
54

EXTENDED EXAMPLES

56   Verifying a Signature
57       The -V option verifies that the signature in a given signature file is
58       valid when used to sign the given object (from the input file).
59
60           signver -V -s signature_file -i signed_file -d /home/my/sharednssdb
61
62           signatureValid=yes
63
64   Printing Signature Data
65       The -A option prints all of the information contained in a signature
66       file. Using the -o option prints the signature file information to the
67       given output file rather than stdout.
68
69           signver -A -s signature_file -o output_file
70

NSS DATABASE TYPES

72       NSS originally used BerkeleyDB databases to store security information.
73       The last versions of these legacy databases are:
74
75       •   cert8.db for certificates
76
77       •   key3.db for keys
78
79       •   secmod.db for PKCS #11 module information
80
81       BerkeleyDB has performance limitations, though, which prevent it from
82       being easily used by multiple applications simultaneously. NSS has some
83       flexibility that allows applications to use their own, independent
84       database engine while keeping a shared database and working around the
85       access issues. Still, NSS requires more flexibility to provide a truly
86       shared security database.
87
88       In 2009, NSS introduced a new set of databases that are SQLite
89       databases rather than BerkleyDB. These new databases provide more
90       accessibility and performance:
91
92       •   cert9.db for certificates
93
94       •   key4.db for keys
95
96       •   pkcs11.txt, which is listing of all of the PKCS #11 modules
97           contained in a new subdirectory in the security databases directory
98
99       Because the SQLite databases are designed to be shared, these are the
100       shared database type. The shared database type is preferred; the legacy
101       format is included for backward compatibility.
102
103       By default, the tools (certutil, pk12util, modutil) assume that the
104       given security databases use the SQLite type Using the legacy databases
105       must be manually specified by using the dbm: prefix with the given
106       security directory. For example:
107
108           # signver -A -s signature -d dbm:/home/my/sharednssdb
109
110       To set the legacy database type as the default type for the tools, set
111       the NSS_DEFAULT_DB_TYPE environment variable to dbm:
112
113           export NSS_DEFAULT_DB_TYPE="dbm"
114
115       This line can be added to the ~/.bashrc file to make the change
116       permanent for the user.
117
118       •   https://wiki.mozilla.org/NSS_Shared_DB_Howto
119
120       For an engineering draft on the changes in the shared NSS databases,
121       see the NSS project wiki:
122
123       •   https://wiki.mozilla.org/NSS_Shared_DB
124

ADDITIONAL RESOURCES

140       For information about NSS and other tools related to NSS (like JSS),
141       check out the NSS project wiki at
142       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
143       directly to NSS code changes and releases.
144
145       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
146
147       IRC: Freenode at #dogtag-pki
148

AUTHORS

150       The NSS tools were written and maintained by developers with Netscape,
151       Red Hat, Sun, Oracle, Mozilla, and Google.
152
153       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
154       <dlackey@redhat.com>.
155

LICENSE

157       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
158       was not distributed with this file, You can obtain one at
159       http://mozilla.org/MPL/2.0/.
160

NOTES

162        1. Mozilla NSS bug 836477
163           https://bugzilla.mozilla.org/show_bug.cgi?id=836477
164
165
166
167nss-tools                         29 May 2021                       SIGNVER(1)