signtool - Digitally sign objects and files. at Linux.org

Back to main site | Back to man page index

SIGNTOOL(1) NSS Security Tools SIGNTOOL(1)

NAME
signtool - Digitally sign objects and files.

SYNOPSIS
signtool [[-b basename]] [[-c Compression Level]] [[-d cert-dir]] [[-e extension]] [[-f filename]]
[[-i installer script]] [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]] [[-j directory]]
[-k keyName] [[--keysize | -s size]] [[-l]] [[-L]] [[-M]] [[-m metafile]] [[--norecurse]] [[-O]]
[[-o]] [[--outfile]] [[-p password]] [[-t|--token tokenname]] [[-z]] [[-X]] [[-x name]]
[[--verbose value]] [[--leavearc]] [[-Z jarfile]] [directory-tree] [archive]

STATUS
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug
836477[1]

DESCRIPTION
The Signing Tool, signtool, creates digital signatures and uses a Java Archive (JAR) file to associate the
signatures with files in a directory. Electronic software distribution over any network involves potential
security problems. To help address some of these problems, you can associate digital signatures with the files
in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:

* Confirm the identity of the individual, company, or other entity whose digital signature is associated with
the files

* Check whether the files have been tampered with since being signed

If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them
as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate
your digital signature with one or more files.

An individual file can potentially be signed with multiple digital signatures. For example, a commercial
software developer might sign the files that constitute a software product to prove that the files are indeed
from a particular company. A network administrator manager might sign the same files with an additional
digital signature based on a company-generated certificate to indicate that the product is approved for use
within the company.

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you
have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital
signature may be considered as legally binding as a handwritten signature. Therefore, you should take great
care to ensure that you can stand behind any file you sign and distribute.

For example, if you are a software developer, you should test your code to make sure it is virus-free before
signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that
it comes from a reliable source and will run correctly with the software installed on the machines to which
you are distributing it.

Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is
a special certificate whose associated private key is used to create digital signatures. For testing purposes
only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished
and you are ready to disitribute your software, you should obtain an object-signing certificate from one of
two kinds of sources:

* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You
typically get a certificate from an independent CA if you want to sign software that will be distributed over
the Internet.

* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System
the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS
#12, which governs key portability. You can, for example, move an object-signing certificate and its
associated private key from one computer to another on a credit-card-sized device called a smart card.

OPTIONS
-b basename
Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR
format. For example, -b signatures causes the files to be named signatures.rsa and signatures.sf. The
default is signtool.

-c#
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9,
where 0 means no compression and 9 means maximum compression. The higher the level of compression, the
smaller the output but the longer the operation takes. If the -c# option is not used with either the -J or
the -Z option, the default compression value used by both the -J and -Z options is 6.

-d certdir
Specifies your certificate database directory; that is, the directory in which you placed your key3.db and
cert7.db files. To specify the current directory, use "-d." (including the period). The Unix version of
signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of
the -d option to specify where the database files are located.

-e extension
Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java
class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple
times on one command line, making it possible to specify multiple file types or classes to include.

-f commandfile
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All
options and arguments can be expressed through this file. For more information about the syntax used with
this file, see "Tips and Techniques".

-G nickname
Generates a new private-public key pair and corresponding object-signing certificate with the given
nickname. The newly generated keys and certificate are installed into the key and certificate databases in
the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the
-d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option
causes the tool to install the keys and certificate in the Communicator key and certificate databases. If
you are installing the keys and certificate in the Communicator databases, you must exit Communicator
before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is
also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. Unlike
certificates normally used to sign finished code to be distributed over a network, a test certificate
created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In
addition, a single test signing certificate functions as both an object-signing certificate and a CA. When
you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into
browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign
objects. The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it
produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s
option specify the required key size and the -t option to specify the token.

-i scriptname
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive
in the local system after SmartUpdate has validated the digital signature. For more details, see the
description of -m that follows. The -i option provides a straightforward way to provide this information

-j directory
Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags
its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file
itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v,
these entries are displayed with the string NOT PRESENT.

-k key ... directory
Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified
directory. The directory to sign is always specified as the last command-line argument. Thus, it is
possible to write signtool -k MyCert -d . signdir You may have trouble if the nickname contains a single
quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your
platform. It's also possible to use the -k option without signing any files or specifying a directory. For
example, you can use it with the -l option to get detailed information about a particular signing
certificate.

-l
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the
list will so specify. This option can be used with the -k option to list detailed information about a
particular signing certificate. The -l option is available in Netscape Signing Tool 1.0 and later versions
only.

-L
Lists the certificates in your database. An asterisk appears to the left of the nickname for any
certificate that can be used to sign objects with signtool.

--leavearc
Retains the temporary .arc (archive) directories that the -J option creates. These directories are
automatically erased by default. Retaining the temporary directories can be an aid to debugging.

-m metafile
Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR
archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly
for specifying an installer script. The metadata file contains one entry per line, each with three fields:
field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR
archive itself or all entries in the archive) field #2: the name of the data you are specifying; for
example: Install-Script field #3: data corresponding to the name in field #2 For example, the -i option
uses the equivalent of this line: + Install-Script: script.js This example associates a MIME type with a
file: movie.qt MIME-Type: video/quicktime For information about the way installer script information
appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge.

-M
Lists the PKCS #11 modules available to signtool, including smart cards. The -M option is available in
Netscape Signing Tool 1.0 and later versions only. For information on using Netscape Signing Tool with
smart cards, see "Using Netscape Signing Tool with Smart Cards". For information on using the -M option to
verify FIPS-140-1 validated mode, see "Netscape Signing Tool and FIPS-140-1".

--norecurse
Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML.

-o
Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds
of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they
contain slightly less information.

Specifies which available token should generate the key and receive the certificate. Use the -M option to
find out what tokens are available. The -t option can be used with the -G option only.

-v archive
Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it
contains and the files with which they are associated. This includes checking that the certificate for the
issuer of the object-signing certificate is listed in the certificate database, that the CA's digital
signature on the object-signing certificate is valid, that the relevant certificates have not expired, and
so on.

--verbosity value
Sets the quantity of information Netscape Signing Tool generates in operation. A value of 0 (zero) is the
default and gives full information. A value of -1 suppresses most messages, but not error messages.

-w archive
Displays the names of signers of any files in the archive.

-x directory
Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 and later
this option can appear multiple times on one command line, making it possible to specify several
particular directories to exclude.

-z
Tells signtool not to store the signing time in the digital signature. This option is useful if you want
the expiration date of the signature checked against the current date and time rather than the time the
files were signed.

-Z jarfile
Creates a JAR file with the specified name. You must specify this option if you want signtool to create
the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool
to create the JAR file. The -Z option cannot be used at the same time as the -J option. If the -c# option
is not used with the -Z option, the default compression value is 6.

THE COMMAND FILE FORMAT
Entries in a Netscape Signing Tool command file have this general format: keyword=value Everything before the
= sign on a single line is a keyword, and everything from the = sign to the end of line is a value. The value
may include = signs; only the first = sign on a line is interpreted. Blank lines are ignored, but white space
on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or
part of the value (if it comes after the first equal sign). Keywords are case insensitive, values are
generally case sensitive. Since the = sign and newline delimit the value, it should not be quoted.

Subsection

basename
Same as -b option.

compression
Same as -c option.

certdir
Same as -d option.

extension
Same as -e option.

certname
Nickname of certificate, as with -k and -l -k options.

signdir
The directory to be signed, as with -k option.

list
Same as -l option. Value is ignored, but = sign must be present.

listall
Same as -L option. Value is ignored, but = sign must be present.

metafile
Same as -m option.

modules
Same as -M option. Value is ignored, but = sign must be present.

optimize
Same as -o option. Value is ignored, but = sign must be present.

password
Same as -p option.

keysize
Same as -s option.

token
Same as -t option.

verify
Same as -v option.

who
Same as -w option.

exclude
Same as -x option.

notime
Same as -z option. value is ignored, but = sign must be present.

jarfile
Same as -Z option.

outfile
Name of a file to which output and error messages will be redirected. This option has no command-line
equivalent.

EXTENDED EXAMPLES
The following example will do this and that

Listing Available Signing Certificates

GTE CyberTrust Root CA
Uptime Group Plc. Class 4 CA
* Verisign Object Signing Cert
Integrion CA
GTE CyberTrust Secure Server CA
AT&T Directory Services
* test object signing cert
Uptime Group Plc. Class 1 CA
VeriSign Class 1 Primary CA
- ------------

Certificates that can be used to sign objects have *'s to their left.

Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.

You use the -l option to get a list of signing certificates only, including the signing CA for each.

signtool -l

using certificate directory: /u/jsmith/.netscape
Object signing certificates
---------------------------------------

Verisign Object Signing Cert
Issued by: VeriSign, Inc. - Verisign, Inc.
Expires: Tue May 19, 1998
test object signing cert
Issued by: test object signing cert (Signtool 1.0 Testing
Certificate (960187691))
Expires: Sun May 17, 1998
---------------------------------------

For a list including CAs, use the -L option.

Signing a File

1. Create an empty directory.

mkdir signdir

2. Put some file into it.

echo boo > signdir/test.f

3. Specify the name of your object-signing certificate and sign the directory.

signtool -k MySignCert -Z testjar.jar signdir

using key "MySignCert"
using certificate directory: /u/jsmith/.netscape
Generating signdir/META-INF/manifest.mf file..
--> test.f
adding signdir/test.f to testjar.jar
Generating signtool.sf file..
using certificate directory: /u/jsmith/.netscape
archive "testjar.jar" has passed crypto verification.
status path
------------ -------------------
verified test.f

Using Netscape Signing Tool with a ZIP Utility

To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable.
You should use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames. You can use a
ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:

cd signdir

zip -r ../myjar.jar *
adding: META-INF/ (stored 0%)
adding: META-INF/manifest.mf (deflated 15%)
adding: META-INF/signtool.sf (deflated 28%)
adding: META-INF/signtool.rsa (stored 0%)
adding: text.txt (stored 0%)

Generating the Keys and Certificate

The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the
new certificate as an argument. The newly generated keys and certificate are installed into the key and
certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing
Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting
the -d option causes the tool to install the keys and certificate in the Communicator key and certificate
databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type
application/x-x509-ca-cert.

Certificates contain standard information about the entity they identify, such as the common name and
organization name. Netscape Signing Tool prompts you for this information when you run the command with the -G
option. However, all of the requested fields are optional for test certificates. If you do not enter a common
name, the tool provides a default name. In the following example, the user input is in boldface:

signtool -G MyTestCert

using certificate directory: /u/someuser/.netscape
Enter certificate information. All fields are optional. Acceptable
characters are numbers, letters, spaces, and apostrophes.
certificate common name: Test Object Signing Certificate
organization: Netscape Communications Corp.
organization unit: Server Products Division
state or province: California
country (must be exactly 2 characters): US
username: someuser
email address: [email protected]
Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
generated public/private key pair
certificate request generated
certificate has been signed
certificate "MyTestCert" added to database
Exported certificate to x509.raw and x509.cacert.

You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:

signtool -d "c:\netscape\users\jsmith" -M

using certificate directory: c:\netscape\users\username
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
2. CryptOS
(this is an external module)
DLL name: core32
slots: 1 slots attached
status: loaded
slot: Litronic 210
token:
-----------------------------------------------

Using Netscape Signing Tool and a Smart Card to Sign Files

The signtool command normally takes an argument of the -k option to specify a signing certificate. To sign
with a smart card, you supply only the fully qualified name of the certificate.

To see fully qualified certificate names when you run Communicator, click the Security button in Navigator,
then click Yours under Certificates in the left frame. Fully qualified names are of the format smart
card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:

signtool -k "MyCard:My Signing Cert" directory

Verifying FIPS Mode

Use the -M option to verify that you are using the FIPS-140-1 module.

signtool -d "c:\netscape\users\jsmith" -M

using certificate directory: c:\netscape\users\jsmith
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
-----------------------------------------------
slot: Netscape Internal FIPS-140-1 Cryptographic Services
token: Communicator Certificate DB
-----------------------------------------------