diff options
Diffstat (limited to 'security/nss/cmd/signtool/README')
-rw-r--r-- | security/nss/cmd/signtool/README | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/security/nss/cmd/signtool/README b/security/nss/cmd/signtool/README new file mode 100644 index 0000000000..100fb27785 --- /dev/null +++ b/security/nss/cmd/signtool/README @@ -0,0 +1,128 @@ + Signing Tool (signtool) + 3.10 Release Notes + ======================================== + +Documentation is provided online at mozilla.org + +Problems or questions not covered by the online documentation can be +discussed in the DevEdge Security Newsgroup. + +=== New Features in 3.10 +======================= +One new option (-X) has been added to create a Mozilla aware signed XPI archive. +The option must be accompanied by the -Z option. This new option +creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in +the archive instead of the default third to last. This will enable the archive +to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions +for FireFox or Mozilla. + +=== New Features in 1.3 +======================= + +The security library components have been upgraded to utilize NSS_2_7_1_RTM. +This means that the maximum RSA keysize now supported should be 4096 bits. + +=== Zigbert 0.6 Support +======================= +This program was previously named Zigbert. The last version of zigbert +was Zigbert 0.6. Because all the functionality of Zigbert is maintained in +signtool 1.2, Zigbert is no longer supported. If you have problems +using Zigbert, please upgrade to signtool 1.2. + +=== New Features in 1.2 +======================= + +Certificate Generation Improvements +----------------------------------- +Two new options have been added to control generation of self-signed object +signing certificates with the -G option. The -s option takes the size (in bits) +of the generated RSA private key. The -t option takes the name of the PKCS #11 +token on which to generate the keypair and install the certificate. Both +options are optional. By default, the private key is 1024 bits and is generated +on the internal software token. + + +=== New Features in 1.1 +======================= + +File I/O +-------- +Signtool can now read its options from a command file specified with the -f +option on the command line. The format for the file is described in the +documentation. +Error messages and informational output can be redirected to an output file +by supplying the "--outfile" option on the command line or the "outfile=" +option in the command file. + +New Options +----------- +"--norecurse" tells Signtool not to recurse into subdirectories when signing +directories or parsing HTML with the -J option. +"--leavearc" tells Signtool not to delete the temporary .arc directories +produced by the -J option. This can aid debugging. +"--verbosity" tells Signtool how much information to display. 0 is the +default. -1 suppresses most messages, except for errors. + +=== Bug Fixes in 1.1 +==================== + +-J option revamped +------------------ +The -J option, which parses HTML files, extracts Java and Javascript code, +and stores them in signed JAR files, has been re-implemented. Several bugs +have been fixed: +- CODEBASE attribute is no longer ignored +- CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than + just filenames ("x.class"). +- LINK tags are handled correctly +- various HTML parsing bugs fixed +- error messages are more informative + +No Password on Key Database +--------------------------- +If you had not yet set a Communicator password (which locks key3.db, the +key database), signtool would fail with a cryptic error message whenever it +attempted to verify the password. Now this condition is detected at the +beginning of the program, and a more informative message is displayed. + +-x and -e Options +----------------- +Previously, only one of each of these options could be specified on the command +line. Now arbitrarily many can be specified. For example, to sign only files +with .class or .js extensions, the arguments "-eclass -ejs" could both be +specified. To exclude the directories "subdir1" and "subdir2" from signing, +the arguments "-x subdir1 -x subdir2" could both be specified. + +New Features in 1.0 +=================== + +Creation of JAR files +---------------------- +The -Z option causes signtool to output a JAR file formed by storing the +signed archive in ZIP format. This eliminates the need to use a separate ZIP +utility. The -c option specifies the compression level of the resulting +JAR file. + +Generation of Object-Signing Certificates and Keys +-------------------------------------------------- +The -G option will create a new, self-signed object-signing certificate +which can be used for testing purposes. The generated certificate and +associated public and private keys will be installed in the cert7.db and +key3.db files in the directory specified with the -d option (unless the key +is generated on an external token using the -t option). On Unix systems, +if no directory is specified, the user's Netscape directory (~/.netscape) +will be used. In addition, the certificate is output in X509 format to the +files x509.raw and x509.cacert in the current directory. x509.cacert can +be published on a web page and imported into browsers that visit that page. + +Extraction and Signing of JavaScript from HTML +---------------------------------------------- +The -J option activates the same functionality provided by the signpages +Perl script. It will parse a directory of html files, creating archives +of the JavaScript called from the HTML. These archives are then signed and +made into JAR files. + +Enhanced Smart Card Support +--------------------------- +Certificates that reside on smart cards are displayed when using the -L and +-l options. |