1SIGNTOOL(1)                   NSS Security Tools                   SIGNTOOL(1)
2
3
4

NAME

6       signtool - Digitally sign objects and files.
7

SYNOPSIS

9       signtool [[-b basename]] [[-c Compression Level]] [[-d cert-dir]]
10                [[-e extension]] [[-f filename]] [[-i installer script]]
11                [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]]
12                [[-j directory]] [-k keyName] [[--keysize | -s size]] [[-l]]
13                [[-L]] [[-M]] [[-m metafile]] [[--norecurse]] [[-O]] [[-o]]
14                [[--outfile]] [[-p password]] [[-t|--token tokenname]] [[-z]]
15                [[-X]] [[-x name]] [[--verbose value]] [[--leavearc]]
16                [[-Z jarfile]] [directory-tree] [archive]
17

STATUS

19       This documentation is still work in progress. Please contribute to the
20       initial review in Mozilla NSS bug 836477[1]
21

DESCRIPTION

23       The Signing Tool, signtool, creates digital signatures and uses a Java
24       Archive (JAR) file to associate the signatures with files in a
25       directory. Electronic software distribution over any network involves
26       potential security problems. To help address some of these problems,
27       you can associate digital signatures with the files in a JAR archive.
28       Digital signatures allow SSL-enabled clients to perform two important
29       operations:
30
31       * Confirm the identity of the individual, company, or other entity
32       whose digital signature is associated with the files
33
34       * Check whether the files have been tampered with since being signed
35
36       If you have a signing certificate, you can use Netscape Signing Tool to
37       digitally sign files and package them as a JAR file. An object-signing
38       certificate is a special kind of certificate that allows you to
39       associate your digital signature with one or more files.
40
41       An individual file can potentially be signed with multiple digital
42       signatures. For example, a commercial software developer might sign the
43       files that constitute a software product to prove that the files are
44       indeed from a particular company. A network administrator manager might
45       sign the same files with an additional digital signature based on a
46       company-generated certificate to indicate that the product is approved
47       for use within the company.
48
49       The significance of a digital signature is comparable to the
50       significance of a handwritten signature. Once you have signed a file,
51       it is difficult to claim later that you didn't sign it. In some
52       situations, a digital signature may be considered as legally binding as
53       a handwritten signature. Therefore, you should take great care to
54       ensure that you can stand behind any file you sign and distribute.
55
56       For example, if you are a software developer, you should test your code
57       to make sure it is virus-free before signing it. Similarly, if you are
58       a network administrator, you should make sure, before signing any code,
59       that it comes from a reliable source and will run correctly with the
60       software installed on the machines to which you are distributing it.
61
62       Before you can use Netscape Signing Tool to sign files, you must have
63       an object-signing certificate, which is a special certificate whose
64       associated private key is used to create digital signatures. For
65       testing purposes only, you can create an object-signing certificate
66       with Netscape Signing Tool 1.3. When testing is finished and you are
67       ready to disitribute your software, you should obtain an object-signing
68       certificate from one of two kinds of sources:
69
70       * An independent certificate authority (CA) that authenticates your
71       identity and charges you a fee. You typically get a certificate from an
72       independent CA if you want to sign software that will be distributed
73       over the Internet.
74
75       * CA server software running on your corporate intranet or extranet.
76       Netscape Certificate Management System provides a complete management
77       solution for creating, deploying, and managing certificates, including
78       CAs that issue object-signing certificates.
79
80       You must also have a certificate for the CA that issues your signing
81       certificate before you can sign files. If the certificate authority's
82       certificate isn't already installed in your copy of Communicator, you
83       typically install it by clicking the appropriate link on the
84       certificate authority's web site, for example on the page from which
85       you initiated enrollment for your signing certificate. This is the case
86       for some test certificates, as well as certificates issued by Netscape
87       Certificate Management System: you must download the the CA certificate
88       in addition to obtaining your own signing certificate. CA certificates
89       for several certificate authorities are preinstalled in the
90       Communicator certificate database.
91
92       When you receive an object-signing certificate for your own use, it is
93       automatically installed in your copy of the Communicator client
94       software. Communicator supports the public-key cryptography standard
95       known as PKCS #12, which governs key portability. You can, for example,
96       move an object-signing certificate and its associated private key from
97       one computer to another on a credit-card-sized device called a smart
98       card.
99

OPTIONS

101       -b basename
102           Specifies the base filename for the .rsa and .sf files in the
103           META-INF directory to conform with the JAR format. For example, -b
104           signatures causes the files to be named signatures.rsa and
105           signatures.sf. The default is signtool.
106
107       -c#
108           Specifies the compression level for the -J or -Z option. The symbol
109           # represents a number from 0 to 9, where 0 means no compression and
110           9 means maximum compression. The higher the level of compression,
111           the smaller the output but the longer the operation takes. If the
112           -c# option is not used with either the -J or the -Z option, the
113           default compression value used by both the -J and -Z options is 6.
114
115       -d certdir
116           Specifies your certificate database directory; that is, the
117           directory in which you placed your key3.db and cert7.db files. To
118           specify the current directory, use "-d." (including the period).
119           The Unix version of signtool assumes ~/.netscape unless told
120           otherwise. The NT version of signtool always requires the use of
121           the -d option to specify where the database files are located.
122
123       -e extension
124           Tells signtool to sign only files with the given extension; for
125           example, use -e".class" to sign only Java class files. Note that
126           with Netscape Signing Tool version 1.1 and later this option can
127           appear multiple times on one command line, making it possible to
128           specify multiple file types or classes to include.
129
130       -f commandfile
131           Specifies a text file containing Netscape Signing Tool options and
132           arguments in keyword=value format. All options and arguments can be
133           expressed through this file. For more information about the syntax
134           used with this file, see "Tips and Techniques".
135
136       -G nickname
137           Generates a new private-public key pair and corresponding
138           object-signing certificate with the given nickname. The newly
139           generated keys and certificate are installed into the key and
140           certificate databases in the directory specified by the -d option.
141           With the NT version of Netscape Signing Tool, you must use the -d
142           option with the -G option. With the Unix version of Netscape
143           Signing Tool, omitting the -d option causes the tool to install the
144           keys and certificate in the Communicator key and certificate
145           databases. If you are installing the keys and certificate in the
146           Communicator databases, you must exit Communicator before using
147           this option; otherwise, you risk corrupting the databases. In all
148           cases, the certificate is also output to a file named x509.cacert,
149           which has the MIME-type application/x-x509-ca-cert. Unlike
150           certificates normally used to sign finished code to be distributed
151           over a network, a test certificate created with -G is not signed by
152           a recognized certificate authority. Instead, it is self-signed. In
153           addition, a single test signing certificate functions as both an
154           object-signing certificate and a CA. When you are using it to sign
155           objects, it behaves like an object-signing certificate. When it is
156           imported into browser software such as Communicator, it behaves
157           like an object-signing CA and cannot be used to sign objects. The
158           -G option is available in Netscape Signing Tool 1.0 and later
159           versions only. By default, it produces only RSA certificates with
160           1024-byte keys in the internal token. However, you can use the -s
161           option specify the required key size and the -t option to specify
162           the token.
163
164       -i scriptname
165           Specifies the name of an installer script for SmartUpdate. This
166           script installs files from the JAR archive in the local system
167           after SmartUpdate has validated the digital signature. For more
168           details, see the description of -m that follows. The -i option
169           provides a straightforward way to provide this information if you
170           don't need to specify any metadata other than an installer script.
171
172       -J
173           Signs a directory of HTML files containing JavaScript and creates
174           as many archive files as are specified in the HTML tags. Even if
175           signtool creates more than one archive file, you need to supply the
176           key database password only once. The -J option is available only in
177           Netscape Signing Tool 1.0 and later versions. The -J option cannot
178           be used at the same time as the -Z option. If the -c# option is not
179           used with the -J option, the default compression value is 6. Note
180           that versions 1.1 and later of Netscape Signing Tool correctly
181           recognizes the CODEBASE attribute, allows paths to be expressed for
182           the CLASS and SRC attributes instead of filenames only, processes
183           LINK tags and parses HTML correctly, and offers clearer error
184           messages.
185
186       -j directory
187           Specifies a special JavaScript directory. This option causes the
188           specified directory to be signed and tags its entries as inline
189           JavaScript. This special type of entry does not have to appear in
190           the JAR file itself. Instead, it is located in the HTML page
191           containing the inline scripts. When you use signtool -v, these
192           entries are displayed with the string NOT PRESENT.
193
194       -k key ... directory
195           Specifies the nickname (key) of the certificate you want to sign
196           with and signs the files in the specified directory. The directory
197           to sign is always specified as the last command-line argument.
198           Thus, it is possible to write signtool -k MyCert -d . signdir You
199           may have trouble if the nickname contains a single quotation mark.
200           To avoid problems, escape the quotation mark using the escape
201           conventions for your platform. It's also possible to use the -k
202           option without signing any files or specifying a directory. For
203           example, you can use it with the -l option to get detailed
204           information about a particular signing certificate.
205
206       -l
207           Lists signing certificates, including issuing CAs. If any of your
208           certificates are expired or invalid, the list will so specify. This
209           option can be used with the -k option to list detailed information
210           about a particular signing certificate. The -l option is available
211           in Netscape Signing Tool 1.0 and later versions only.
212
213       -L
214           Lists the certificates in your database. An asterisk appears to the
215           left of the nickname for any certificate that can be used to sign
216           objects with signtool.
217
218       --leavearc
219           Retains the temporary .arc (archive) directories that the -J option
220           creates. These directories are automatically erased by default.
221           Retaining the temporary directories can be an aid to debugging.
222
223       -m metafile
224           Specifies the name of a metadata control file. Metadata is signed
225           information attached either to the JAR archive itself or to files
226           within the archive. This metadata can be any ASCII string, but is
227           used mainly for specifying an installer script. The metadata file
228           contains one entry per line, each with three fields: field #1: file
229           specification, or + if you want to specify global metadata (that
230           is, metadata about the JAR archive itself or all entries in the
231           archive) field #2: the name of the data you are specifying; for
232           example: Install-Script field #3: data corresponding to the name in
233           field #2 For example, the -i option uses the equivalent of this
234           line: + Install-Script: script.js This example associates a MIME
235           type with a file: movie.qt MIME-Type: video/quicktime For
236           information about the way installer script information appears in
237           the manifest file for a JAR archive, see The JAR Format on Netscape
238           DevEdge.
239
240       -M
241           Lists the PKCS #11 modules available to signtool, including smart
242           cards. The -M option is available in Netscape Signing Tool 1.0 and
243           later versions only. For information on using Netscape Signing Tool
244           with smart cards, see "Using Netscape Signing Tool with Smart
245           Cards". For information on using the -M option to verify FIPS-140-1
246           validated mode, see "Netscape Signing Tool and FIPS-140-1".
247
248       --norecurse
249           Blocks recursion into subdirectories when signing a directory's
250           contents or when parsing HTML.
251
252       -o
253           Optimizes the archive for size. Use this only if you are signing
254           very large archives containing hundreds of files. This option makes
255           the manifest files (required by the JAR format) considerably
256           smaller, but they contain slightly less information.
257
258       --outfile outputfile
259           Specifies a file to receive redirected output from Netscape Signing
260           Tool.
261
262       -p password
263           Specifies a password for the private-key database. Note that the
264           password entered on the command line is displayed as plain text.
265
266       -s keysize
267           Specifies the size of the key for generated certificate. Use the -M
268           option to find out what tokens are available. The -s option can be
269           used with the -G option only.
270
271       -t token
272           Specifies which available token should generate the key and receive
273           the certificate. Use the -M option to find out what tokens are
274           available. The -t option can be used with the -G option only.
275
276       -v archive
277           Displays the contents of an archive and verifies the cryptographic
278           integrity of the digital signatures it contains and the files with
279           which they are associated. This includes checking that the
280           certificate for the issuer of the object-signing certificate is
281           listed in the certificate database, that the CA's digital signature
282           on the object-signing certificate is valid, that the relevant
283           certificates have not expired, and so on.
284
285       --verbosity value
286           Sets the quantity of information Netscape Signing Tool generates in
287           operation. A value of 0 (zero) is the default and gives full
288           information. A value of -1 suppresses most messages, but not error
289           messages.
290
291       -w archive
292           Displays the names of signers of any files in the archive.
293
294       -x directory
295           Excludes the specified directory from signing. Note that with
296           Netscape Signing Tool version 1.1 and later this option can appear
297           multiple times on one command line, making it possible to specify
298           several particular directories to exclude.
299
300       -z
301           Tells signtool not to store the signing time in the digital
302           signature. This option is useful if you want the expiration date of
303           the signature checked against the current date and time rather than
304           the time the files were signed.
305
306       -Z jarfile
307           Creates a JAR file with the specified name. You must specify this
308           option if you want signtool to create the JAR file; it does not do
309           so automatically. If you don't specify -Z, you must use an external
310           ZIP tool to create the JAR file. The -Z option cannot be used at
311           the same time as the -J option. If the -c# option is not used with
312           the -Z option, the default compression value is 6.
313

THE COMMAND FILE FORMAT

315       Entries in a Netscape Signing Tool command file have this general
316       format: keyword=value Everything before the = sign on a single line is
317       a keyword, and everything from the = sign to the end of line is a
318       value. The value may include = signs; only the first = sign on a line
319       is interpreted. Blank lines are ignored, but white space on a line with
320       keywords and values is assumed to be part of the keyword (if it comes
321       before the equal sign) or part of the value (if it comes after the
322       first equal sign). Keywords are case insensitive, values are generally
323       case sensitive. Since the = sign and newline delimit the value, it
324       should not be quoted.
325
326       Subsection
327
328       basename
329           Same as -b option.
330
331       compression
332           Same as -c option.
333
334       certdir
335           Same as -d option.
336
337       extension
338           Same as -e option.
339
340       generate
341           Same as -G option.
342
343       installscript
344           Same as -i option.
345
346       javascriptdir
347           Same as -j option.
348
349       htmldir
350           Same as -J option.
351
352       certname
353           Nickname of certificate, as with -k and -l -k options.
354
355       signdir
356           The directory to be signed, as with -k option.
357
358       list
359           Same as -l option. Value is ignored, but = sign must be present.
360
361       listall
362           Same as -L option. Value is ignored, but = sign must be present.
363
364       metafile
365           Same as -m option.
366
367       modules
368           Same as -M option. Value is ignored, but = sign must be present.
369
370       optimize
371           Same as -o option. Value is ignored, but = sign must be present.
372
373       password
374           Same as -p option.
375
376       keysize
377           Same as -s option.
378
379       token
380           Same as -t option.
381
382       verify
383           Same as -v option.
384
385       who
386           Same as -w option.
387
388       exclude
389           Same as -x option.
390
391       notime
392           Same as -z option. value is ignored, but = sign must be present.
393
394       jarfile
395           Same as -Z option.
396
397       outfile
398           Name of a file to which output and error messages will be
399           redirected. This option has no command-line equivalent.
400

EXTENDED EXAMPLES

402       The following example will do this and that
403
404       Listing Available Signing Certificates
405
406       You use the -L option to list the nicknames for all available
407       certificates and check which ones are signing certificates.
408
409           signtool -L
410
411           using certificate directory: /u/jsmith/.netscape
412           S Certificates
413           - ------------
414             BBN Certificate Services CA Root 1
415             IBM World Registry CA
416             VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
417             GTE CyberTrust Root CA
418             Uptime Group Plc. Class 4 CA
419           * Verisign Object Signing Cert
420             Integrion CA
421             GTE CyberTrust Secure Server CA
422             AT&T Directory Services
423           * test object signing cert
424             Uptime Group Plc. Class 1 CA
425             VeriSign Class 1 Primary CA
426           - ------------
427
428           Certificates that can be used to sign objects have *'s to their left.
429
430       Two signing certificates are displayed: Verisign Object Signing Cert
431       and test object signing cert.
432
433       You use the -l option to get a list of signing certificates only,
434       including the signing CA for each.
435
436           signtool -l
437
438           using certificate directory: /u/jsmith/.netscape
439           Object signing certificates
440           ---------------------------------------
441
442           Verisign Object Signing Cert
443               Issued by: VeriSign, Inc. - Verisign, Inc.
444               Expires: Tue May 19, 1998
445           test object signing cert
446               Issued by: test object signing cert (Signtool 1.0 Testing
447           Certificate (960187691))
448               Expires: Sun May 17, 1998
449           ---------------------------------------
450
451       For a list including CAs, use the -L option.
452
453       Signing a File
454
455       1. Create an empty directory.
456
457           mkdir signdir
458
459       2. Put some file into it.
460
461           echo boo > signdir/test.f
462
463       3. Specify the name of your object-signing certificate and sign the
464       directory.
465
466           signtool -k MySignCert -Z testjar.jar signdir
467
468           using key "MySignCert"
469           using certificate directory: /u/jsmith/.netscape
470           Generating signdir/META-INF/manifest.mf file..
471           --> test.f
472           adding signdir/test.f to testjar.jar
473           Generating signtool.sf file..
474           Enter Password or Pin for "Communicator Certificate DB":
475
476           adding signdir/META-INF/manifest.mf to testjar.jar
477           adding signdir/META-INF/signtool.sf to testjar.jar
478           adding signdir/META-INF/signtool.rsa to testjar.jar
479
480           tree "signdir" signed successfully
481
482       4. Test the archive you just created.
483
484           signtool -v testjar.jar
485
486           using certificate directory: /u/jsmith/.netscape
487           archive "testjar.jar" has passed crypto verification.
488                      status   path
489                ------------   -------------------
490                    verified   test.f
491
492       Using Netscape Signing Tool with a ZIP Utility
493
494       To use Netscape Signing Tool with a ZIP utility, you must have the
495       utility in your path environment variable. You should use the zip.exe
496       utility rather than pkzip.exe, which cannot handle long filenames. You
497       can use a ZIP utility instead of the -Z option to package a signed
498       archive into a JAR file after you have signed it:
499
500           cd signdir
501
502             zip -r ../myjar.jar *
503             adding: META-INF/ (stored 0%)
504             adding: META-INF/manifest.mf (deflated 15%)
505             adding: META-INF/signtool.sf (deflated 28%)
506             adding: META-INF/signtool.rsa (stored 0%)
507             adding: text.txt (stored 0%)
508
509       Generating the Keys and Certificate
510
511       The signtool option -G generates a new public-private key pair and
512       certificate. It takes the nickname of the new certificate as an
513       argument. The newly generated keys and certificate are installed into
514       the key and certificate databases in the directory specified by the -d
515       option. With the NT version of Netscape Signing Tool, you must use the
516       -d option with the -G option. With the Unix version of Netscape Signing
517       Tool, omitting the -d option causes the tool to install the keys and
518       certificate in the Communicator key and certificate databases. In all
519       cases, the certificate is also output to a file named x509.cacert,
520       which has the MIME-type application/x-x509-ca-cert.
521
522       Certificates contain standard information about the entity they
523       identify, such as the common name and organization name. Netscape
524       Signing Tool prompts you for this information when you run the command
525       with the -G option. However, all of the requested fields are optional
526       for test certificates. If you do not enter a common name, the tool
527       provides a default name. In the following example, the user input is in
528       boldface:
529
530           signtool -G MyTestCert
531
532           using certificate directory: /u/someuser/.netscape
533           Enter certificate information. All fields are optional. Acceptable
534           characters are numbers, letters, spaces, and apostrophes.
535           certificate common name: Test Object Signing Certificate
536           organization: Netscape Communications Corp.
537           organization unit: Server Products Division
538           state or province: California
539           country (must be exactly 2 characters): US
540           username: someuser
541           email address: someuser@netscape.com
542           Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
543           generated public/private key pair
544           certificate request generated
545           certificate has been signed
546           certificate "MyTestCert" added to database
547           Exported certificate to x509.raw and x509.cacert.
548
549       The certificate information is read from standard input. Therefore, the
550       information can be read from a file using the redirection operator (<)
551       in some operating systems. To create a file for this purpose, enter
552       each of the seven input fields, in order, on a separate line. Make sure
553       there is a newline character at the end of the last line. Then run
554       signtool with standard input redirected from your file as follows:
555
556           signtool -G MyTestCert inputfile
557
558       The prompts show up on the screen, but the responses will be
559       automatically read from the file. The password will still be read from
560       the console unless you use the -p option to give the password on the
561       command line.
562
563       Using the -M Option to List Smart Cards
564
565       You can use the -M option to list the PKCS #11 modules, including smart
566       cards, that are available to signtool:
567
568           signtool -d "c:\netscape\users\jsmith" -M
569
570           using certificate directory: c:\netscape\users\username
571           Listing of PKCS11 modules
572           -----------------------------------------------
573                1. Netscape Internal PKCS #11 Module
574                            (this module is internally loaded)
575                            slots: 2 slots attached
576                            status: loaded
577                  slot: Communicator Internal Cryptographic Services Version 4.0
578                 token: Communicator Generic Crypto Svcs
579                  slot: Communicator User Private Key and Certificate Services
580                 token: Communicator Certificate DB
581                2. CryptOS
582                            (this is an external module)
583            DLL name: core32
584                 slots: 1 slots attached
585                status: loaded
586                  slot: Litronic 210
587                 token:
588                -----------------------------------------------
589
590       Using Netscape Signing Tool and a Smart Card to Sign Files
591
592       The signtool command normally takes an argument of the -k option to
593       specify a signing certificate. To sign with a smart card, you supply
594       only the fully qualified name of the certificate.
595
596       To see fully qualified certificate names when you run Communicator,
597       click the Security button in Navigator, then click Yours under
598       Certificates in the left frame. Fully qualified names are of the format
599       smart card:certificate, for example "MyCard:My Signing Cert". You use
600       this name with the -k argument as follows:
601
602           signtool -k "MyCard:My Signing Cert" directory
603
604       Verifying FIPS Mode
605
606       Use the -M option to verify that you are using the FIPS-140-1 module.
607
608           signtool -d "c:\netscape\users\jsmith" -M
609
610           using certificate directory: c:\netscape\users\jsmith
611           Listing of PKCS11 modules
612           -----------------------------------------------
613             1. Netscape Internal PKCS #11 Module
614                     (this module is internally loaded)
615                     slots: 2 slots attached
616                     status: loaded
617               slot: Communicator Internal Cryptographic Services Version 4.0
618              token: Communicator Generic Crypto Svcs
619               slot: Communicator User Private Key and Certificate Services
620              token: Communicator Certificate DB
621           -----------------------------------------------
622
623       This Unix example shows that Netscape Signing Tool is using a
624       FIPS-140-1 module:
625
626           signtool -d "c:\netscape\users\jsmith" -M
627           using certificate directory: c:\netscape\users\jsmith
628           Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
629           Listing of PKCS11 modules
630           -----------------------------------------------
631           1. Netscape Internal FIPS PKCS #11 Module
632           (this module is internally loaded)
633           slots: 1 slots attached
634           status: loaded
635           slot: Netscape Internal FIPS-140-1 Cryptographic Services
636           token: Communicator Certificate DB
637           -----------------------------------------------
638

SEE ALSO

640       signver (1)
641
642       The NSS wiki has information on the new database design and how to
643       configure applications to use it.
644
645https://wiki.mozilla.org/NSS_Shared_DB_Howto
646
647https://wiki.mozilla.org/NSS_Shared_DB
648

ADDITIONAL RESOURCES

650       For information about NSS and other tools related to NSS (like JSS),
651       check out the NSS project wiki at
652       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
653       directly to NSS code changes and releases.
654
655       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
656
657       IRC: Freenode at #dogtag-pki
658

AUTHORS

660       The NSS tools were written and maintained by developers with Netscape,
661       Red Hat, Sun, Oracle, Mozilla, and Google.
662
663       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
664       <dlackey@redhat.com>.
665

LICENSE

667       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
668       was not distributed with this file, You can obtain one at
669       http://mozilla.org/MPL/2.0/.
670

NOTES

672        1. Mozilla NSS bug 836477
673           https://bugzilla.mozilla.org/show_bug.cgi?id=836477
674
675
676
677nss-tools                         19 May 2021                      SIGNTOOL(1)
Impressum