Signing Tool (signtool)
3.10 Release Notes
========================================

Documentation is provided online at mozilla.org

Problems or questions not covered by the online documentation can be
discussed in the DevEdge Security Newsgroup.

=== New Features in 3.10
=======================
One new option (-X) has been added to create a Mozilla-aware signed XPI archive.
The option must be accompanied by the -Z option. This new option
creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in
the archive instead of the default third to last. This will enable the archive
to be seen as signed by products incorporating XPInstall, i.e. .xpi extensions
for Firefox or Mozilla.

=== New Features in 1.3
=======================

The security library components have been upgraded to utilize NSS_2_7_1_RTM.
This means that the maximum RSA keysize now supported should be 4096 bits.

=== Zigbert 0.6 Support
=======================
This program was previously named Zigbert. The last version of Zigbert
was Zigbert 0.6. Because all the functionality of Zigbert is maintained in
signtool 1.2, Zigbert is no longer supported. If you have problems
using Zigbert, please upgrade to signtool 1.2.

=== New Features in 1.2
=======================

Certificate Generation Improvements
-----------------------------------
Two new options have been added to control generation of self-signed object
signing certificates with the -G option. The -s option takes the size (in bits)
of the generated RSA private key. The -t option takes the name of the PKCS #11
token on which to generate the keypair and install the certificate. Both
options are optional. By default, the private key is 1024 bits and is generated
on the internal software token.


=== New Features in 1.1
=======================

File I/O
--------
Signtool can now read its options from a command file specified with the -f
option on the command line. The format for the file is described in the
documentation.
Error messages and informational output can be redirected to an output file
by supplying the "--outfile" option on the command line or the "outfile="
option in the command file.

New Options
-----------
"--norecurse" tells Signtool not to recurse into subdirectories when signing
directories or parsing HTML with the -J option.
"--leavearc" tells Signtool not to delete the temporary .arc directories
produced by the -J option. This can aid debugging.
"--verbosity" tells Signtool how much information to display. 0 is the
default. -1 suppresses most messages, except for errors.

=== Bug Fixes in 1.1
====================

-J option revamped
------------------
The -J option, which parses HTML files, extracts Java and JavaScript code,
and stores them in signed JAR files, has been re-implemented. Several bugs
have been fixed:
- CODEBASE attribute is no longer ignored
- CLASS and SRC attributes can be paths ("xxx/xxx/x.class") rather than
  just filenames ("x.class").
- LINK tags are handled correctly
- various HTML parsing bugs fixed
- error messages are more informative

No Password on Key Database
---------------------------
If you had not yet set a Communicator password (which locks key3.db, the
key database), signtool would fail with a cryptic error message whenever it
attempted to verify the password. Now this condition is detected at the
beginning of the program, and a more informative message is displayed.

-x and -e Options
-----------------
Previously, only one of each of these options could be specified on the command
line. Now arbitrarily many can be specified. For example, to sign only files
with .class or .js extensions, the arguments "-eclass -ejs" could both be
specified. To exclude the directories "subdir1" and "subdir2" from signing,
the arguments "-x subdir1 -x subdir2" could both be specified.

New Features in 1.0
===================

Creation of JAR files
----------------------
The -Z option causes signtool to output a JAR file formed by storing the
signed archive in ZIP format. This eliminates the need to use a separate ZIP
utility. The -c option specifies the compression level of the resulting
JAR file.

Generation of Object-Signing Certificates and Keys
--------------------------------------------------
The -G option will create a new, self-signed object-signing certificate
which can be used for testing purposes. The generated certificate and
associated public and private keys will be installed in the cert7.db and
key3.db files in the directory specified with the -d option (unless the key
is generated on an external token using the -t option). On Unix systems,
if no directory is specified, the user's Netscape directory (~/.netscape)
will be used. In addition, the certificate is output in X509 format to the
files x509.raw and x509.cacert in the current directory. x509.cacert can
be published on a web page and imported into browsers that visit that page.

Extraction and Signing of JavaScript from HTML
----------------------------------------------
The -J option activates the same functionality provided by the signpages
Perl script. It will parse a directory of HTML files, creating archives
of the JavaScript called from the HTML. These archives are then signed and
made into JAR files.

Enhanced Smart Card Support
---------------------------
Certificates that reside on smart cards are displayed when using the -L and
-l options.
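
Added example (not part of the original README or the signtool sources): a
Python check for the entry ordering described under the -X option in the 3.10
notes, classifying an archive by where META-INF/zigbert.rsa or .dsa sits.
The function names, the sample archives and their entry order are constructed
for illustration; the check covers ordering only, not signature validity.

```python
import io
import zipfile

# Signature file names the README gives for the -X option (compared lowercase).
SIG_NAMES = ("meta-inf/zigbert.rsa", "meta-inf/zigbert.dsa")

# Constructed entry orders; only the position of the zigbert file matters here.
XPI_ORDER = ["META-INF/zigbert.rsa", "META-INF/manifest.mf",
             "META-INF/zigbert.sf", "install.js", "chrome/sample.jar"]
DEFAULT_ORDER = ["install.js", "chrome/sample.jar", "META-INF/zigbert.rsa",
                 "META-INF/manifest.mf", "META-INF/zigbert.sf"]


def build_sample(names):
    """Build an in-memory ZIP with the given entry order (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


def signature_position(archive_bytes):
    """Return (index, total) for the signature entry, or (None, total)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Sort by local header offset to get the physical order in the file,
        # which can differ from central-directory order in a repacked archive.
        entries = sorted(zf.infolist(), key=lambda info: info.header_offset)
    for index, info in enumerate(entries):
        if info.filename.lower() in SIG_NAMES:
            return index, len(entries)
    return None, len(entries)


def classify(archive_bytes):
    """Return 'xpi-order', 'default-order', 'other-order' or 'unsigned'."""
    index, total = signature_position(archive_bytes)
    if index is None:
        return "unsigned"
    if index == 0:
        return "xpi-order"      # layout the README describes for -X with -Z
    if index == total - 3:
        return "default-order"  # "third to last", the default per the README
    return "other-order"


if __name__ == "__main__":
    for label, names in (("-X layout", XPI_ORDER), ("default", DEFAULT_ORDER)):
        print(label, "->", classify(build_sample(names)))
```

An archive reported as 'default-order' or 'other-order' is the case the 3.10
notes describe as not being seen as signed by XPInstall-based products.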