Signed Packages
A signed package is a normal stream-format package that
has a digital signature (PEM-encoded PKCS7 digital signature which is defined
below) that verifies the following:
-
The package came from the entity who signed it
-
The entity indeed signed it
-
The package has not been modified since the entity signed
it
-
The entity who signed it is a trusted entity
A signed package is identical to an unsigned package, except for the
signature. A signed package is binary-compatible with an unsigned package.
Therefore, a signed package can be used with older versions of the packaging
tools. However, the signature is ignored in this case.
The signed packaging technology introduces some new terminology and
abbreviations, which are described in the following table.
Term
|
Definition
|
ASN.1
|
Abstract Syntax Notation 1 - A way of expressing abstract objects.
For example, ASN.1 defines a public key certificate, all of the objects that
make up the certificate, and the order in which the objects are collected.
However, ASN.1 does not specify how the objects are serialized for storage
or transmission.
|
X.509
|
ITU-T Recommendation
X.509 - Specifies the widely-adopted X.509 public key certificate syntax.
|
DER
|
Distinguished Encoding Rules - A binary representation of an
ASN.1 object and defines how an ASN.1 object is serialized for storage or
transmission in computing environments.
|
PEM
|
Privacy Enhanced Message - A way to encode a file (in DER or another
binary format) using base 64 encoding and some optional headers. PEM was initially
used for encoding MIME-type email messages. PEM is also used extensively for
encoding certificates and private keys into a file that exists on a file system
or in an email message.
|
PKCS7
|
Public Key Cryptography Standard #7 - This standard describes
a general syntax for data that may have cryptography applied to it, such as
digital signatures and digital envelopes. A signed package contains an embedded
PKCS7 signature. This signature contains at a minimum the encrypted digest
of the package, along with the signer's X.509 public key certificate. The
signed package can also contain chain certificates. Chain certificates can
be used when forming a chain of trust from the signer's certificate to a locally-stored
trusted certificate.
|
PKCS12
|
Public Key Cryptography Standard #12 - This standard describes
a syntax for storing cryptographic objects on disk. The package keystore is
maintained in this format.
|
Package keystore
|
A repository of certificates and keys that can be queried by the package tools.
|