index.rst (5993B)
.. _mozilla_projects_nss_tools_signver:

NSS tools : signver
===================

.. container::

   | Name
   |    signver — Verify a detached PKCS#7 signature for a file.
   | Synopsis
   |    signver -A \| -V -d directory [-a] [-i input_file] [-o output_file] [-s
   |    signature_file] [-v]
   | Description
   |    The Signature Verification Tool, signver, is a simple command-line utility
   |    that unpacks a base-64-encoded PKCS#7 signed object and verifies the
   |    digital signature using standard cryptographic techniques. The Signature
   |    Verification Tool can also display the contents of the signed object.
   | Options
   |    -A
   |       Displays all of the information in the PKCS#7 signature.
   |    -V
   |       Verifies the digital signature.
   |    -d [sql:]directory
   |       Specifies the database directory which contains the certificates and
   |       keys.
   |       signver supports two types of databases: the legacy security
   |       databases (cert8.db, key3.db, and secmod.db) and new SQLite
   |       databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
   |       is not used, then the tool assumes that the given databases are in
   |       the old format.
   |    -a
   |       Specifies that the given signature file is in ASCII format.
   |    -i input_file
   |       Gives the input file for the object with signed data.
   |    -o output_file
   |       Gives the output file to which to write the results.
   |    -s signature_file
   |       Gives the input file for the digital signature.
   |    -v
   |       Enables verbose output.
   | Extended Examples
   |    Verifying a Signature
   |       The -V option verifies that the signature in a given signature file is
   |       valid when used to sign the given object (from the input file).
   |       signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
   |       signatureValid=yes
   |    Printing Signature Data
   |       The -A option prints all of the information contained in a signature file.
   |       Using the -o option prints the signature file information to the given
   |       output file rather than stdout.
   |       signver -A -s signature_file -o output_file
   | NSS Database Types
   |    NSS originally used BerkeleyDB databases to store security information.
   |    The last versions of these legacy databases are:
   |    o cert8.db for certificates
   |    o key3.db for keys
   |    o secmod.db for PKCS #11 module information
   |    BerkeleyDB has performance limitations, though, which prevent it from
   |    being easily used by multiple applications simultaneously. NSS has some
   |    flexibility that allows applications to use their own, independent
   |    database engine while keeping a shared database and working around the
   |    access issues. Still, NSS requires more flexibility to provide a truly
   |    shared security database.
   |    In 2009, NSS introduced a new set of databases that are SQLite databases
   |    rather than BerkeleyDB. These new databases provide more accessibility and
   |    performance:
   |    o cert9.db for certificates
   |    o key4.db for keys
   |    o pkcs11.txt, which is a listing of all of the PKCS #11 modules contained
   |      in a new subdirectory in the security databases directory
   |    Because the SQLite databases are designed to be shared, these are the
   |    shared database type. The shared database type is preferred; the legacy
   |    format is included for backward compatibility.
   |    By default, the tools (certutil, pk12util, modutil) assume that the given
   |    security databases follow the more common legacy type. Using the SQLite
   |    databases must be manually specified by using the sql: prefix with the
   |    given security directory. For example:
   |    # signver -A -s signature -d sql:/home/my/sharednssdb
   |    To set the shared database type as the default type for the tools, set the
   |    NSS_DEFAULT_DB_TYPE environment variable to sql:
   |    export NSS_DEFAULT_DB_TYPE="sql"
   |    This line can be added to the ~/.bashrc file to make the change
   |    permanent.
   |    Most applications do not use the shared database by default, but they can
   |    be configured to use them. For example, this how-to article covers how to
   |    configure Firefox and Thunderbird to use the new shared NSS databases:
   |    o https://wiki.mozilla.org/NSS_Shared_DB_Howto
   |    For an engineering draft on the changes in the shared NSS databases, see
   |    the NSS project wiki:
   |    o https://wiki.mozilla.org/NSS_Shared_DB
   | See Also
   |    signtool (1)
   |    The NSS wiki has information on the new database design and how to
   |    configure applications to use it.
   |    o Setting up the shared NSS database
   |      https://wiki.mozilla.org/NSS_Shared_DB_Howto
   |    o Engineering and technical information about the shared NSS database
   |      https://wiki.mozilla.org/NSS_Shared_DB
   | Additional Resources
   |    For information about NSS and other tools related to NSS (like JSS), check
   |    out the NSS project wiki at
   |    [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
   |    The NSS site relates directly to NSS code changes and releases.
   |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
   |    IRC: Freenode at #dogtag-pki
   | Authors
   |    The NSS tools were written and maintained by developers with Netscape, Red
   |    Hat, and Sun.
   |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
   |    <dlackey@redhat.com>.
   | Copyright
   |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
   | References
   |    Visible links
   |    1. `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
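
Added example, not part of the NSS documentation: a fail-closed wrapper for scripts that gate on the ``signver -V`` result shown under "Verifying a Signature", choosing the ``sql:`` prefix from the database files described under "NSS Database Types". It assumes the only passing output is the exact line ``signatureValid=yes``; the function names ``nss_db_type`` and ``verify_detached`` are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed gate around `signver -V`.
# Assumption: a valid signature yields the line "signatureValid=yes",
# as in the page's example; any other output is treated as failure.
# The exit status of signver is deliberately not relied on.

# nss_db_type DIR -> prints "sql" or "legacy"; returns 1 if neither is found.
# The shared (SQLite) type is preferred when both sets of files exist.
nss_db_type() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then
        echo legacy
    else
        return 1
    fi
}

# verify_detached SIGNATURE_FILE SIGNED_FILE DB_DIR
# Returns 0 only for a valid signature, 1 for an invalid one,
# 2 when an input or the certificate database is missing.
verify_detached() {
    sig=$1
    data=$2
    dbdir=$3
    if [ ! -r "$sig" ] || [ ! -r "$data" ]; then
        echo "verify_detached: missing signature or data file" >&2
        return 2
    fi
    if ! dbtype=$(nss_db_type "$dbdir"); then
        echo "verify_detached: no NSS database in $dbdir" >&2
        return 2
    fi
    case $dbtype in
        sql) dbarg="sql:$dbdir" ;;   # SQLite databases need the sql: prefix
        *)   dbarg=$dbdir ;;         # no prefix: legacy format is assumed
    esac
    out=$(signver -V -s "$sig" -i "$data" -d "$dbarg" 2>/dev/null || true)
    # -x matches the whole line, so "signatureValid=no", empty output or
    # truncated output can never pass.
    printf '%s\n' "$out" | grep -qx 'signatureValid=yes' || return 1
}
```

A caller would use it as ``verify_detached file.sig file /home/my/sharednssdb || exit 1`` before acting on the signed file.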