Unix/Linux Go Back    


CentOS 7.0 - man page for signtool (centos section 1)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


SIGNTOOL(1)				NSS Security Tools			      SIGNTOOL(1)

NAME
       signtool - Digitally sign objects and files.

SYNOPSIS
       signtool [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]]
		[[--keysize | -s size]] [[-b basename]] [[-c Compression Level]] [[-d cert-dir]]
		[[-i installer script]] [[-m metafile]] [[-x name]] [[-f filename]]
		[[-t|--token tokenname]] [[-e extension]] [[-o]] [[-z]] [[-X]] [[--outfile]]
		[[--verbose value]] [[--norecurse]] [[--leavearc]] [[-j directory]]
		[[-Z jarfile]] [[-O]] [[-p password]] [directory-tree] [archive]

STATUS
       This documentation is still work in progress. Please contribute to the initial review in
       Mozilla NSS bug 836477[1]

DESCRIPTION
       The Signing Tool, signtool, creates digital signatures and uses a Java Archive (JAR) file
       to associate the signatures with files in a directory. Electronic software distribution
       over any network involves potential security problems. To help address some of these
       problems, you can associate digital signatures with the files in a JAR archive. Digital
       signatures allow SSL-enabled clients to perform two important operations:

       * Confirm the identity of the individual, company, or other entity whose digital signature
       is associated with the files

       * Check whether the files have been tampered with since being signed

       If you have a signing certificate, you can use Netscape Signing Tool to digitally sign
       files and package them as a JAR file. An object-signing certificate is a special kind of
       certificate that allows you to associate your digital signature with one or more files.

       An individual file can potentially be signed with multiple digital signatures. For
       example, a commercial software developer might sign the files that constitute a software
       product to prove that the files are indeed from a particular company. A network
       administrator manager might sign the same files with an additional digital signature based
       on a company-generated certificate to indicate that the product is approved for use within
       the company.

       The significance of a digital signature is comparable to the significance of a handwritten
       signature. Once you have signed a file, it is difficult to claim later that you didn't
       sign it. In some situations, a digital signature may be considered as legally binding as a
       handwritten signature. Therefore, you should take great care to ensure that you can stand
       behind any file you sign and distribute.

       For example, if you are a software developer, you should test your code to make sure it is
       virus-free before signing it. Similarly, if you are a network administrator, you should
       make sure, before signing any code, that it comes from a reliable source and will run
       correctly with the software installed on the machines to which you are distributing it.

       Before you can use Netscape Signing Tool to sign files, you must have an object-signing
       certificate, which is a special certificate whose associated private key is used to create
       digital signatures. For testing purposes only, you can create an object-signing
       certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to
       disitribute your software, you should obtain an object-signing certificate from one of two
       kinds of sources:

       * An independent certificate authority (CA) that authenticates your identity and charges
       you a fee. You typically get a certificate from an independent CA if you want to sign
       software that will be distributed over the Internet.

       * CA server software running on your corporate intranet or extranet. Netscape Certificate
       Management System provides a complete management solution for creating, deploying, and
       managing certificates, including CAs that issue object-signing certificates.

       You must also have a certificate for the CA that issues your signing certificate before
       you can sign files. If the certificate authority's certificate isn't already installed in
       your copy of Communicator, you typically install it by clicking the appropriate link on
       the certificate authority's web site, for example on the page from which you initiated
       enrollment for your signing certificate. This is the case for some test certificates, as
       well as certificates issued by Netscape Certificate Management System: you must download
       the the CA certificate in addition to obtaining your own signing certificate. CA
       certificates for several certificate authorities are preinstalled in the Communicator
       certificate database.

       When you receive an object-signing certificate for your own use, it is automatically
       installed in your copy of the Communicator client software. Communicator supports the
       public-key cryptography standard known as PKCS #12, which governs key portability. You
       can, for example, move an object-signing certificate and its associated private key from
       one computer to another on a credit-card-sized device called a smart card.

OPTIONS
       -b basename
	   Specifies the base filename for the .rsa and .sf files in the META-INF directory to
	   conform with the JAR format. For example, -b signatures causes the files to be named
	   signatures.rsa and signatures.sf. The default is signtool.

       -c#
	   Specifies the compression level for the -J or -Z option. The symbol # represents a
	   number from 0 to 9, where 0 means no compression and 9 means maximum compression. The
	   higher the level of compression, the smaller the output but the longer the operation
	   takes. If the -c# option is not used with either the -J or the -Z option, the default
	   compression value used by both the -J and -Z options is 6.

       -d certdir
	   Specifies your certificate database directory; that is, the directory in which you
	   placed your key3.db and cert7.db files. To specify the current directory, use "-d."
	   (including the period). The Unix version of signtool assumes ~/.netscape unless told
	   otherwise. The NT version of signtool always requires the use of the -d option to
	   specify where the database files are located.

       -e extension
	   Tells signtool to sign only files with the given extension; for example, use
	   -e".class" to sign only Java class files. Note that with Netscape Signing Tool version
	   1.1 and later this option can appear multiple times on one command line, making it
	   possible to specify multiple file types or classes to include.

       -f commandfile
	   Specifies a text file containing Netscape Signing Tool options and arguments in
	   keyword=value format. All options and arguments can be expressed through this file.
	   For more information about the syntax used with this file, see "Tips and Techniques".

       -i scriptname
	   Specifies the name of an installer script for SmartUpdate. This script installs files
	   from the JAR archive in the local system after SmartUpdate has validated the digital
	   signature. For more details, see the description of -m that follows. The -i option
	   provides a straightforward way to provide this information if you don't need to
	   specify any metadata other than an installer script.

       -j directory
	   Specifies a special JavaScript directory. This option causes the specified directory
	   to be signed and tags its entries as inline JavaScript. This special type of entry
	   does not have to appear in the JAR file itself. Instead, it is located in the HTML
	   page containing the inline scripts. When you use signtool -v, these entries are
	   displayed with the string NOT PRESENT.

       -k key ... directory
	   Specifies the nickname (key) of the certificate you want to sign with and signs the
	   files in the specified directory. The directory to sign is always specified as the
	   last command-line argument. Thus, it is possible to write signtool -k MyCert -d .
	   signdir You may have trouble if the nickname contains a single quotation mark. To
	   avoid problems, escape the quotation mark using the escape conventions for your
	   platform. It's also possible to use the -k option without signing any files or
	   specifying a directory. For example, you can use it with the -l option to get detailed
	   information about a particular signing certificate.

       -G nickname
	   Generates a new private-public key pair and corresponding object-signing certificate
	   with the given nickname. The newly generated keys and certificate are installed into
	   the key and certificate databases in the directory specified by the -d option. With
	   the NT version of Netscape Signing Tool, you must use the -d option with the -G
	   option. With the Unix version of Netscape Signing Tool, omitting the -d option causes
	   the tool to install the keys and certificate in the Communicator key and certificate
	   databases. If you are installing the keys and certificate in the Communicator
	   databases, you must exit Communicator before using this option; otherwise, you risk
	   corrupting the databases. In all cases, the certificate is also output to a file named
	   x509.cacert, which has the MIME-type application/x-x509-ca-cert. Unlike certificates
	   normally used to sign finished code to be distributed over a network, a test
	   certificate created with -G is not signed by a recognized certificate authority.
	   Instead, it is self-signed. In addition, a single test signing certificate functions
	   as both an object-signing certificate and a CA. When you are using it to sign objects,
	   it behaves like an object-signing certificate. When it is imported into browser
	   software such as Communicator, it behaves like an object-signing CA and cannot be used
	   to sign objects. The -G option is available in Netscape Signing Tool 1.0 and later
	   versions only. By default, it produces only RSA certificates with 1024-byte keys in
	   the internal token. However, you can use the -s option specify the required key size
	   and the -t option to specify the token. For more information about the use of the -G
	   option, see "Generating Test Object-Signing Certificates""Generating Test
	   Object-Signing Certificates" on page 1241.

       -l
	   Lists signing certificates, including issuing CAs. If any of your certificates are
	   expired or invalid, the list will so specify. This option can be used with the -k
	   option to list detailed information about a particular signing certificate. The -l
	   option is available in Netscape Signing Tool 1.0 and later versions only.

       -J
	   Signs a directory of HTML files containing JavaScript and creates as many archive
	   files as are specified in the HTML tags. Even if signtool creates more than one
	   archive file, you need to supply the key database password only once. The -J option is
	   available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot
	   be used at the same time as the -Z option. If the -c# option is not used with the -J
	   option, the default compression value is 6. Note that versions 1.1 and later of
	   Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be
	   expressed for the CLASS and SRC attributes instead of filenames only, processes LINK
	   tags and parses HTML correctly, and offers clearer error messages.

       -L
	   Lists the certificates in your database. An asterisk appears to the left of the
	   nickname for any certificate that can be used to sign objects with signtool.

       --leavearc
	   Retains the temporary .arc (archive) directories that the -J option creates. These
	   directories are automatically erased by default. Retaining the temporary directories
	   can be an aid to debugging.

       -m metafile
	   Specifies the name of a metadata control file. Metadata is signed information attached
	   either to the JAR archive itself or to files within the archive. This metadata can be
	   any ASCII string, but is used mainly for specifying an installer script. The metadata
	   file contains one entry per line, each with three fields: field #1: file
	   specification, or + if you want to specify global metadata (that is, metadata about
	   the JAR archive itself or all entries in the archive) field #2: the name of the data
	   you are specifying; for example: Install-Script field #3: data corresponding to the
	   name in field #2 For example, the -i option uses the equivalent of this line: +
	   Install-Script: script.js This example associates a MIME type with a file: movie.qt
	   MIME-Type: video/quicktime For information about the way installer script information
	   appears in the manifest file for a JAR archive, see The JAR Format on Netscape
	   DevEdge.

       -M
	   Lists the PKCS #11 modules available to signtool, including smart cards. The -M option
	   is available in Netscape Signing Tool 1.0 and later versions only. For information on
	   using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with
	   Smart Cards". For information on using the -M option to verify FIPS-140-1 validated
	   mode, see "Netscape Signing Tool and FIPS-140-1".

       --norecurse
	   Blocks recursion into subdirectories when signing a directory's contents or when
	   parsing HTML.

       -o
	   Optimizes the archive for size. Use this only if you are signing very large archives
	   containing hundreds of files. This option makes the manifest files (required by the
	   JAR format) considerably smaller, but they contain slightly less information.

       --outfile outputfile
	   Specifies a file to receive redirected output from Netscape Signing Tool.

       -p password
	   Specifies a password for the private-key database. Note that the password entered on
	   the command line is displayed as plain text.

       -s keysize
	   Specifies the size of the key for generated certificate. Use the -M option to find out
	   what tokens are available. The -s option can be used with the -G option only.

       -t token
	   Specifies which available token should generate the key and receive the certificate.
	   Use the -M option to find out what tokens are available. The -t option can be used
	   with the -G option only.

       -v archive
	   Displays the contents of an archive and verifies the cryptographic integrity of the
	   digital signatures it contains and the files with which they are associated. This
	   includes checking that the certificate for the issuer of the object-signing
	   certificate is listed in the certificate database, that the CA's digital signature on
	   the object-signing certificate is valid, that the relevant certificates have not
	   expired, and so on.

       --verbosity value
	   Sets the quantity of information Netscape Signing Tool generates in operation. A value
	   of 0 (zero) is the default and gives full information. A value of -1 suppresses most
	   messages, but not error messages.

       -w archive
	   Displays the names of signers of any files in the archive.

       -x directory
	   Excludes the specified directory from signing. Note that with Netscape Signing Tool
	   version 1.1 and later this option can appear multiple times on one command line,
	   making it possible to specify several particular directories to exclude.

       -z
	   Tells signtool not to store the signing time in the digital signature. This option is
	   useful if you want the expiration date of the signature checked against the current
	   date and time rather than the time the files were signed.

       -Z jarfile
	   Creates a JAR file with the specified name. You must specify this option if you want
	   signtool to create the JAR file; it does not do so automatically. If you don't specify
	   -Z, you must use an external ZIP tool to create the JAR file. The -Z option cannot be
	   used at the same time as the -J option. If the -c# option is not used with the -Z
	   option, the default compression value is 6.

THE COMMAND FILE FORMAT
       Entries in a Netscape Signing Tool command file have this general format: keyword=value
       Everything before the = sign on a single line is a keyword, and everything from the = sign
       to the end of line is a value. The value may include = signs; only the first = sign on a
       line is interpreted. Blank lines are ignored, but white space on a line with keywords and
       values is assumed to be part of the keyword (if it comes before the equal sign) or part of
       the value (if it comes after the first equal sign). Keywords are case insensitive, values
       are generally case sensitive. Since the = sign and newline delimit the value, it should
       not be quoted.

       Subsection

       basename
	   Same as -b option.

       compression
	   Same as -c option.

       certdir
	   Same as -d option.

       extension
	   Same as -e option.

       generate
	   Same as -G option.

       installscript
	   Same as -i option.

       javascriptdir
	   Same as -j option.

       htmldir
	   Same as -J option.

       certname
	   Nickname of certificate, as with -k and -l -k options.

       signdir
	   The directory to be signed, as with -k option.

       list
	   Same as -l option. Value is ignored, but = sign must be present.

       listall
	   Same as -L option. Value is ignored, but = sign must be present.

       metafile
	   Same as -m option.

       modules
	   Same as -M option. Value is ignored, but = sign must be present.

       optimize
	   Same as -o option. Value is ignored, but = sign must be present.

       password
	   Same as -p option.

       keysize
	   Same as -s option.

       token
	   Same as -t option.

       verify
	   Same as -v option.

       who
	   Same as -w option.

       exclude
	   Same as -x option.

       notime
	   Same as -z option. value is ignored, but = sign must be present.

       jarfile
	   Same as -Z option.

       outfile
	   Name of a file to which output and error messages will be redirected. This option has
	   no command-line equivalent.

EXTENDED EXAMPLES
       The following example will do this and that

       Listing Available Signing Certificates

       You use the -L option to list the nicknames for all available certificates and check which
       ones are signing certificates.

	   signtool -L

	   using certificate directory: /u/jsmith/.netscape
	   S Certificates
	   - ------------
	     BBN Certificate Services CA Root 1
	     IBM World Registry CA
	     VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
	     GTE CyberTrust Root CA
	     Uptime Group Plc. Class 4 CA
	   * Verisign Object Signing Cert
	     Integrion CA
	     GTE CyberTrust Secure Server CA
	     AT&T Directory Services
	   * test object signing cert
	     Uptime Group Plc. Class 1 CA
	     VeriSign Class 1 Primary CA
	   - ------------

	   Certificates that can be used to sign objects have *'s to their left.

       Two signing certificates are displayed: Verisign Object Signing Cert and test object
       signing cert.

       You use the -l option to get a list of signing certificates only, including the signing CA
       for each.

	   signtool -l

	   using certificate directory: /u/jsmith/.netscape
	   Object signing certificates
	   ---------------------------------------

	   Verisign Object Signing Cert
	       Issued by: VeriSign, Inc. - Verisign, Inc.
	       Expires: Tue May 19, 1998
	   test object signing cert
	       Issued by: test object signing cert (Signtool 1.0 Testing
	   Certificate (960187691))
	       Expires: Sun May 17, 1998
	   ---------------------------------------

       For a list including CAs, use the -L option.

       Signing a File

       1. Create an empty directory.

	   mkdir signdir

       2. Put some file into it.

	   echo boo > signdir/test.f

       3. Specify the name of your object-signing certificate and sign the directory.

	   signtool -k MySignCert -Z testjar.jar signdir

	   using key "MySignCert"
	   using certificate directory: /u/jsmith/.netscape
	   Generating signdir/META-INF/manifest.mf file..
	   --> test.f
	   adding signdir/test.f to testjar.jar
	   Generating signtool.sf file..
	   Enter Password or Pin for "Communicator Certificate DB":

	   adding signdir/META-INF/manifest.mf to testjar.jar
	   adding signdir/META-INF/signtool.sf to testjar.jar
	   adding signdir/META-INF/signtool.rsa to testjar.jar

	   tree "signdir" signed successfully

       4. Test the archive you just created.

	   signtool -v testjar.jar

	   using certificate directory: /u/jsmith/.netscape
	   archive "testjar.jar" has passed crypto verification.
		      status   path
		------------   -------------------
		    verified   test.f

       Using Netscape Signing Tool with a ZIP Utility

       To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path
       environment variable. You should use the zip.exe utility rather than pkzip.exe, which
       cannot handle long filenames. You can use a ZIP utility instead of the -Z option to
       package a signed archive into a JAR file after you have signed it:

	   cd signdir

	     zip -r ../myjar.jar *
	     adding: META-INF/ (stored 0%)
	     adding: META-INF/manifest.mf (deflated 15%)
	     adding: META-INF/signtool.sf (deflated 28%)
	     adding: META-INF/signtool.rsa (stored 0%)
	     adding: text.txt (stored 0%)

       Generating the Keys and Certificate

       The signtool option -G generates a new public-private key pair and certificate. It takes
       the nickname of the new certificate as an argument. The newly generated keys and
       certificate are installed into the key and certificate databases in the directory
       specified by the -d option. With the NT version of Netscape Signing Tool, you must use the
       -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the
       -d option causes the tool to install the keys and certificate in the Communicator key and
       certificate databases. In all cases, the certificate is also output to a file named
       x509.cacert, which has the MIME-type application/x-x509-ca-cert.

       Certificates contain standard information about the entity they identify, such as the
       common name and organization name. Netscape Signing Tool prompts you for this information
       when you run the command with the -G option. However, all of the requested fields are
       optional for test certificates. If you do not enter a common name, the tool provides a
       default name. In the following example, the user input is in boldface:

	   signtool -G MyTestCert

	   using certificate directory: /u/someuser/.netscape
	   Enter certificate information. All fields are optional. Acceptable
	   characters are numbers, letters, spaces, and apostrophes.
	   certificate common name: Test Object Signing Certificate
	   organization: Netscape Communications Corp.
	   organization unit: Server Products Division
	   state or province: California
	   country (must be exactly 2 characters): US
	   username: someuser
	   email address: someuser@netscape.com
	   Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
	   generated public/private key pair
	   certificate request generated
	   certificate has been signed
	   certificate "MyTestCert" added to database
	   Exported certificate to x509.raw and x509.cacert.

       The certificate information is read from standard input. Therefore, the information can be
       read from a file using the redirection operator (<) in some operating systems. To create a
       file for this purpose, enter each of the seven input fields, in order, on a separate line.
       Make sure there is a newline character at the end of the last line. Then run signtool with
       standard input redirected from your file as follows:

	   signtool -G MyTestCert inputfile

       The prompts show up on the screen, but the responses will be automatically read from the
       file. The password will still be read from the console unless you use the -p option to
       give the password on the command line.

       Using the -M Option to List Smart Cards

       You can use the -M option to list the PKCS #11 modules, including smart cards, that are
       available to signtool:

	   signtool -d "c:\netscape\users\jsmith" -M

	   using certificate directory: c:\netscape\users\username
	   Listing of PKCS11 modules
	   -----------------------------------------------
		1. Netscape Internal PKCS #11 Module
			    (this module is internally loaded)
			    slots: 2 slots attached
			    status: loaded
		  slot: Communicator Internal Cryptographic Services Version 4.0
		 token: Communicator Generic Crypto Svcs
		  slot: Communicator User Private Key and Certificate Services
		 token: Communicator Certificate DB
		2. CryptOS
			    (this is an external module)
	    DLL name: core32
		 slots: 1 slots attached
		status: loaded
		  slot: Litronic 210
		 token:
		-----------------------------------------------

       Using Netscape Signing Tool and a Smart Card to Sign Files

       The signtool command normally takes an argument of the -k option to specify a signing
       certificate. To sign with a smart card, you supply only the fully qualified name of the
       certificate.

       To see fully qualified certificate names when you run Communicator, click the Security
       button in Navigator, then click Yours under Certificates in the left frame. Fully
       qualified names are of the format smart card:certificate, for example "MyCard:My Signing
       Cert". You use this name with the -k argument as follows:

	   signtool -k "MyCard:My Signing Cert" directory

       Verifying FIPS Mode

       Use the -M option to verify that you are using the FIPS-140-1 module.

	   signtool -d "c:\netscape\users\jsmith" -M

	   using certificate directory: c:\netscape\users\jsmith
	   Listing of PKCS11 modules
	   -----------------------------------------------
	     1. Netscape Internal PKCS #11 Module
		     (this module is internally loaded)
		     slots: 2 slots attached
		     status: loaded
	       slot: Communicator Internal Cryptographic Services Version 4.0
	      token: Communicator Generic Crypto Svcs
	       slot: Communicator User Private Key and Certificate Services
	      token: Communicator Certificate DB
	   -----------------------------------------------

       This Unix example shows that Netscape Signing Tool is using a FIPS-140-1 module:

	   signtool -d "c:\netscape\users\jsmith" -M
	   using certificate directory: c:\netscape\users\jsmith
	   Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
	   Listing of PKCS11 modules
	   -----------------------------------------------
	   1. Netscape Internal FIPS PKCS #11 Module
	   (this module is internally loaded)
	   slots: 1 slots attached
	   status: loaded
	   slot: Netscape Internal FIPS-140-1 Cryptographic Services
	   token: Communicator Certificate DB
	   -----------------------------------------------

SEE ALSO
       signver (1)

       The NSS wiki has information on the new database design and how to configure applications
       to use it.

       o   https://wiki.mozilla.org/NSS_Shared_DB_Howto

       o   https://wiki.mozilla.org/NSS_Shared_DB

ADDITIONAL RESOURCES
       For information about NSS and other tools related to NSS (like JSS), check out the NSS
       project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
       directly to NSS code changes and releases.

       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

       IRC: Freenode at #dogtag-pki

AUTHORS
       The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun,
       Oracle, Mozilla, and Google.

       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.

LICENSE
       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not
       distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

NOTES
	1. Mozilla NSS bug 836477
	   https://bugzilla.mozilla.org/show_bug.cgi?id=836477

nss-tools				 12 November 2013			      SIGNTOOL(1)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 05:32 AM.