Command Syntax

signtool options

Note Versions 1.0 and 1.1 of the Netscape Signing Tool are compatible with earlier versions, including .50 and .60. If you rename the executable to zigbert.exe, you may continue to use the term zigbert rather than signtool with all the options listed here. This may be desirable to ensure compatibility with scripts written for earlier versions.

Command Options

-b basename	Specifies the base filename for the .rsa and .sf files in the META-INF directory (required by The JAR Format). For example, -b signatures causes the files to be named signatures.rsa and signatures.sf. The default is signtool. The -b option is available in Netscape Signing Tool 1.0 and later versions only.
-c#	Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
-d certdir	Specifies your certificate database directory; that is, the directory in which you placed your key3.db and cert7.db files. To specify the current directory, use "-d." (including the period). The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of the -d option to specify where the database files are located.
-e extension	Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include.
-f commandfile	Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see Command File Syntax.
-G nickname	Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of the Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of the Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. The -G option is available in Netscape Signing Tool 1.0 and later versions only. It produces only RSA certificates with 512-byte keys. For more information about the use of the -G option, see Chapter 4, "Generating Test Object-Signing Certificates."
-i scriptname	Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
-j directory	Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT.
-J	Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. If the -c# option is not used with the -J option, the default compression value is 6. Note that version 1.1 of the Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
-k key ... directory	Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write signtool -k MyCert -d . signdir   You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.
-l	Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. The -l option is available in Netscape Signing Tool 1.0 and later versions only.
-L	Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
--leavearc	Retains the temporary .arc (archive) directories that the -J option creates. These directories are automatically erased by default. Retaining the temporary directories can be an aid to debugging.
-m metafile	Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly for specifying an installer script. The metadata file contains one entry per line, each with three fields:     field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive)     field #2: the name of the data you are specifying; for example: Install-Script     field #3: data corresponding to the name in field #2 For example, the -i option uses the equivalent of this line: + Install-Script: script.js This example associates a MIME type with a file: movie.qt MIME-Type: video/quicktime For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge.
-M	Lists the PKCS #11 modules available to signtool, including smart cards. The -M option is available in Netscape Signing Tool 1.0 and later versions only. For information on using the Netscape Signing Tool with smart cards, see Chapter 6, "Using the Netscape Signing Tool with Smart Cards." For information on using the -M option to verify FIPS-140-1 validated mode, see Chapter 7, "Netscape Signing Tool and FIPS-140-1."
--norecurse	Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML.
-o	Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information.
--outfile outputfile	Specifies a file to receive redirected output from the Netscape Signing Tool.
-p password	Specifies a password for the private-key database. Note that the password entered on the command line is displayed as plain text.
-v archive	Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated. This includes checking that the certificate for the issuer of the object-signing certificate is listed in the certificate database, that the CA's digital signature on the object-signing certificate is valid, that the relevant certificates have not expired, and so on.
--verbosity value	Sets the quantity of information the Netscape Signing Tool generates in operation. A value of 0 (zero) is the default and gives full information. A value of -1 suppresses most messages, but not error messages.
-w archive	Displays the names of signers of any files in the archive.
-x directory	Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude.
-z	Tells signtool not to store the signing time in the digital signature. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed.
-Z jarfile	Creates a JAR file with the specified name. You must specify this option if you want signtool to create the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool to create the JAR file. The -Z option cannot be used at the same time as the -J option. If the -c# option is not used with the -Z option, the default compression value is 6.

Command File Syntax

Command File Keywords and Example

Keyword	Value
basename	Same as -b option.
compression	Same as -c option.
certdir	Same as -d option.
extension	Same as -e option.
generate	Same as -G option.
installscript	Same as -i option.
javascriptdir	Same as -j option.
htmldir	Same as -J option.
certname	Nickname of certificate, as with -k and -l -k options.
signdir	The directory to be signed, as with -k option.
list	Same as -l option. Value is ignored, but = sign must be present.
listall	Same as -L option. Value is ignored, but = sign must be present.
metafile	Same as -m option.
modules	Same as -M option. Value is ignored, but = sign must be present.
optimize	Same as -o option. Value is ignored, but = sign must be present.
password	Same as -p option.
verify	Same as -v option.
who	Same as -w option.
exclude	Same as -x option.
notime	Same as -z option. value is ignored, but = sign must be present.
jarfile	Same as -Z option.
outfile	Name of a file to which output and error messages will be redirected. This option has no command-line equivalent.

signtool -d c:\netscape\users\james -k mycert -Z myjar.jar signdir > output.txt 

certdir=c:\netscape\users\james 
certname=mycert 
jarfile=myjar.jar 
signdir=signdir 
outfile=output.txt 

Last Updated: 06/19/98 13:23:48

Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use