| Signing Tool (signtool) |
| 3.10 Release Notes |
| ======================================== |
| |
| Documentation is provided online at mozilla.org |
| |
| Problems or questions not covered by the online documentation can be |
| discussed in the DevEdge Security Newsgroup. |
| |
| === New Features in 3.10 |
| ======================= |
| One new option (-X) has been added to create a Mozilla aware signed XPI archive. |
| The option must be accompanied by the -Z option. This new option |
| creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in |
| the archive instead of the default third to last. This will enable the archive |
| to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions |
| for FireFox or Mozilla. |
| |
| === New Features in 1.3 |
| ======================= |
| |
| The security library components have been upgraded to utilize NSS_2_7_1_RTM. |
| This means that the maximum RSA keysize now supported should be 4096 bits. |
| |
| === Zigbert 0.6 Support |
| ======================= |
| This program was previously named Zigbert. The last version of zigbert |
| was Zigbert 0.6. Because all the functionality of Zigbert is maintained in |
| signtool 1.2, Zigbert is no longer supported. If you have problems |
| using Zigbert, please upgrade to signtool 1.2. |
| |
| === New Features in 1.2 |
| ======================= |
| |
| Certificate Generation Improvements |
| ----------------------------------- |
| Two new options have been added to control generation of self-signed object |
| signing certificates with the -G option. The -s option takes the size (in bits) |
| of the generated RSA private key. The -t option takes the name of the PKCS #11 |
| token on which to generate the keypair and install the certificate. Both |
| options are optional. By default, the private key is 1024 bits and is generated |
| on the internal software token. |
| |
| |
| === New Features in 1.1 |
| ======================= |
| |
| File I/O |
| -------- |
| Signtool can now read its options from a command file specified with the -f |
| option on the command line. The format for the file is described in the |
| documentation. |
| Error messages and informational output can be redirected to an output file |
| by supplying the "--outfile" option on the command line or the "outfile=" |
| option in the command file. |
| |
| New Options |
| ----------- |
| "--norecurse" tells Signtool not to recurse into subdirectories when signing |
| directories or parsing HTML with the -J option. |
| "--leavearc" tells Signtool not to delete the temporary .arc directories |
| produced by the -J option. This can aid debugging. |
| "--verbosity" tells Signtool how much information to display. 0 is the |
| default. -1 suppresses most messages, except for errors. |
| |
| === Bug Fixes in 1.1 |
| ==================== |
| |
| -J option revamped |
| ------------------ |
| The -J option, which parses HTML files, extracts Java and Javascript code, |
| and stores them in signed JAR files, has been re-implemented. Several bugs |
| have been fixed: |
| - CODEBASE attribute is no longer ignored |
| - CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than |
| just filenames ("x.class"). |
| - LINK tags are handled correctly |
| - various HTML parsing bugs fixed |
| - error messages are more informative |
| |
| No Password on Key Database |
| --------------------------- |
| If you had not yet set a Communicator password (which locks key3.db, the |
| key database), signtool would fail with a cryptic error message whenever it |
| attempted to verify the password. Now this condition is detected at the |
| beginning of the program, and a more informative message is displayed. |
| |
| -x and -e Options |
| ----------------- |
| Previously, only one of each of these options could be specified on the command |
| line. Now arbitrarily many can be specified. For example, to sign only files |
| with .class or .js extensions, the arguments "-eclass -ejs" could both be |
| specified. To exclude the directories "subdir1" and "subdir2" from signing, |
| the arguments "-x subdir1 -x subdir2" could both be specified. |
| |
| New Features in 1.0 |
| =================== |
| |
| Creation of JAR files |
| ---------------------- |
| The -Z option causes signtool to output a JAR file formed by storing the |
| signed archive in ZIP format. This eliminates the need to use a separate ZIP |
| utility. The -c option specifies the compression level of the resulting |
| JAR file. |
| |
| Generation of Object-Signing Certificates and Keys |
| -------------------------------------------------- |
| The -G option will create a new, self-signed object-signing certificate |
| which can be used for testing purposes. The generated certificate and |
| associated public and private keys will be installed in the cert7.db and |
| key3.db files in the directory specified with the -d option (unless the key |
| is generated on an external token using the -t option). On Unix systems, |
| if no directory is specified, the user's Netscape directory (~/.netscape) |
| will be used. In addition, the certificate is output in X509 format to the |
| files x509.raw and x509.cacert in the current directory. x509.cacert can |
| be published on a web page and imported into browsers that visit that page. |
| |
| Extraction and Signing of JavaScript from HTML |
| ---------------------------------------------- |
| The -J option activates the same functionality provided by the signpages |
| Perl script. It will parse a directory of html files, creating archives |
| of the JavaScript called from the HTML. These archives are then signed and |
| made into JAR files. |
| |
| Enhanced Smart Card Support |
| --------------------------- |
| Certificates that reside on smart cards are displayed when using the -L and |
| -l options. |