Application Packaging Developer's Guide

Signed Packages

A signed package is a normal stream-format package that has a digital signature (PEM-encoded PKCS7 digital signature which is defined below) that verifies the following:

A signed package is identical to an unsigned package, except for the signature. A signed package is binary-compatible with an unsigned package. Therefore, a signed package can be used with older versions of the packaging tools. However, the signature is ignored in this case.

The signed packaging technology introduces some new terminology and abbreviations, which are described in the following table.




Abstract Syntax Notation 1 - A way of expressing abstract objects. For example, ASN.1 defines a public key certificate, all of the objects that make up the certificate, and the order in which the objects are collected. However, ASN.1 does not specify how the objects are serialized for storage or transmission.


ITU-T Recommendation X.509 - Specifies the widely-adopted X.509 public key certificate syntax.


Distinguished Encoding Rules - A binary representation of an ASN.1 object and defines how an ASN.1 object is serialized for storage or transmission in computing environments. 


Privacy Enhanced Message - A way to encode a file (in DER or another binary format) using base 64 encoding and some optional headers. PEM was initially used for encoding MIME-type email messages. PEM is also used extensively for encoding certificates and private keys into a file that exists on a file system or in an email message.


Public Key Cryptography Standard #7 - This standard describes a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes. A signed package contains an embedded PKCS7 signature. This signature contains at a minimum the encrypted digest of the package, along with the signer's X.509 public key certificate. The signed package can also contain chain certificates. Chain certificates can be used when forming a chain of trust from the signer's certificate to a locally-stored trusted certificate. 


Public Key Cryptography Standard #12 - This standard describes a syntax for storing cryptographic objects on disk. The package keystore is maintained in this format. 

Package keystore 

A repository of certificates and keys that can be queried by the package tools.