signtool executable in your path environment variable. You must also have an object-signing certificate.
Netscape Signing Tool 1.1 includes an option that allows you to generate an object-signing certificate for testing purposes. For information about using this option, see Chapter 4, "Generating Test Object-Signing Certificates."
Although suitable for testing purposes, the object-signing certificate produced by the Netscape Signing Tool is not recommended for signing finished software that will be widely distributed over the Internet or an intranet. When you are ready to sign finished software, you will need to get an object-signing certificate from your company's internal certificate authority, if it has one, or from a third-party certificate authority. Follow the instructions at Object-Signing Tools on Netscape DevEdge to obtain an object-signing certificate from a third party.
The sections that follow describe how to prepare the Netscape Signing Tool for signing files:
Setting Up Your Certificate
Your certificates and private keys are stored in the Communicator database files key3.db and cert7.db. For example, on a typical Windows NT system, these files are found at C:\Program Files\NETSCAPE\USERS\username\. You must copy these files to the system where you intend to sign pages. (If you use FTP, be sure to transfer in binary mode.)
If you are running the Netscape Signing Tool on a Unix system and you don't already have a ~/.netscape directory, first run Communicator once to create one. If you want to keep whatever certificates are already in your ~/.netscape directory, put the existing key3.db and cert7.db files in some other directory before replacing them with the versions that include the object-signing certificate you want to use with the Netscape Signing Tool.
If you are using Unix, set up an alias to call signtool, or place it in your path.
If you are using Windows 95 or NT, the signtool executable doesn't know where your certificates are, so either put the key3.db and cert7.db files in the current directory and use "-d ." or use -d to point to the directory in which they are located.
WARNING: Keep copies of the key3.db and cert7.db files somewhere separate from the copies you use with the signtool executable. This ensures that you won't lose your certificates if you accidentally damage the files.
You use the -L option to list the nicknames for all available certificates and check which ones are signing certificates, as shown in this Unix example:
% signtool -L
using certificate directory: /u/jsmith/.netscape
S Certificates
- ------------
BBN Certificate Services CA Root 1
IBM World Registry CA
VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
GTE CyberTrust Root CA
Douglas J. Nicolson's Netscape Communications Corporation ID
Uptime Group Plc. Class 4 CA
* Verisign Object Signing Cert
Integrion CA
GTE CyberTrust Secure Server CA
AT&T Directory Services
* test object signing cert
Uptime Group Plc. Class 1 CA
VeriSign Class 1 Primary CA
- ------------
Certificates that can be used to sign objects have *'s to their left.
%
In the above example, two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.
You use the -l option to get a list of signing certificates only, including the signing CA for each, as shown in this Unix example:
% signtool -l
using certificate directory: /u/jsmith/.netscape
Object signing certificates
---------------------------------------
Verisign Object Signing Cert
Issued by: VeriSign, Inc. - Verisign, Inc.
Expires: Tue May 19, 1998
test object signing cert
Issued by: test object signing cert (Signtool 1.0 Testing Certificate (960187691))
Expires: Sun May 17, 1998
---------------------------------------
For a list including CAs, use "signtool -L"
1. Create a new directory.
% mkdir signdir
2. Put some file into it.
% echo boo > signdir/test.f
3. Specify the name of your object-signing certificate and sign the directory. If you are using Unix, this example assumes you have put your .db files in the ~/.netscape directory, as explained in Setting Up Your Certificate.
% signtool -k MySignCert -Z testjar.jar signdir
using key "MySignCert"
using certificate directory: /u/jsmith/.netscape
Generating signdir/META-INF/manifest.mf file..
--> test.f
adding signdir/test.f to testjar.jar
Generating signtool.sf file..
Enter Password or Pin for "Communicator Certificate DB":
4. At the prompt, type the password to your private-key database. If it accepts the password, signtool responds as follows:
adding signdir/META-INF/manifest.mf to testjar.jar
adding signdir/META-INF/signtool.sf to testjar.jar
adding signdir/META-INF/signtool.rsa to testjar.jar
tree "signdir" signed successfully
5. Test the archive you just created.
% signtool -v testjar.jar
using certificate directory: /u/jsmith/.netscape
archive "testjar.jar" has passed crypto verification.
status path
------------ -------------------
verified test.f
You can also use the Netscape Signing Tool from within a script to automate some aspects of signing. For example, here's a Windows script that starts with an unsigned JAR file, unpackages it, signs it, and then repackages it:
rem Expand the jar file into a new directory
unzip -qq myjar.jar -d signdir
del myjar.jar
rem Sign everything in the new directory (the same one unzip created) and recompress
signtool -k MySignCert -Z myjar.jar signdir
Use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames.
You can use a ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:
% cd signdir
% zip -r ../myjar.jar *
adding: META-INF/ (stored 0%)
adding: META-INF/manifest.mf (deflated 15%)
adding: META-INF/signtool.sf (deflated 28%)
adding: META-INF/signtool.rsa (stored 0%)
adding: text.txt (stored 0%)
%
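As an added example (not from the Netscape documentation), a structural pre-check of a signed archive like the one listed above: it confirms the three META-INF files signtool adds are present and that every other entry has a manifest section whose MD5 and SHA1 digests match the entry's contents, which catches a file edited after signing before you even run signtool -v. It assumes the manifest layout signtool writes (a Name: section per file with base64 digests), which this page does not show; the sample JAR and its placeholder signature files are constructed in memory, and only signtool -v checks the actual signature.

```python
import base64, hashlib, io, zipfile
SIGNING_FILES = ("META-INF/manifest.mf", "META-INF/signtool.sf", "META-INF/signtool.rsa")

def b64_digest(algo, data):
    # Digest encoded the way a JAR manifest carries it (assumed signtool format).
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def parse_manifest(text):
    """Return {name: {header: value}} for each 'Name:' section of the manifest."""
    sections, current = {}, None
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Name":                      # a new per-file section starts here
            current = sections.setdefault(value, {})
        elif key and current is not None:      # main-section headers (before any Name:) are skipped
            current[key] = value
    return sections

def check_signed_jar(jar_bytes):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        problems += ["missing " + f for f in SIGNING_FILES if f not in names]
        if "META-INF/manifest.mf" not in names:
            return problems
        sections = parse_manifest(jar.read("META-INF/manifest.mf").decode())
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                       # signing files and directory entries carry no digest
            entry = sections.get(name)
            if entry is None:
                problems.append("not in manifest: " + name)
                continue
            data = jar.read(name)
            for algo in ("MD5", "SHA1"):       # the digests signtool records (assumed)
                if entry.get(algo + "-Digest") != b64_digest(algo.lower(), data):
                    problems.append("%s digest mismatch: %s" % (algo, name))
    return problems

def build_sample_jar(tamper=False):
    """Constructed sample: one data file plus the three META-INF files signtool adds."""
    data = b"boo\n"
    manifest = ("Manifest-Version: 1.0\n\nName: test.f\nDigest-Algorithms: MD5 SHA1\n"
                "MD5-Digest: %s\nSHA1-Digest: %s\n" % (b64_digest("md5", data), b64_digest("sha1", data)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/manifest.mf", manifest)
        jar.writestr("META-INF/signtool.sf", "placeholder, not a real signature file\n")
        jar.writestr("META-INF/signtool.rsa", b"placeholder, not a real PKCS#7 blob")
        jar.writestr("test.f", b"changed\n" if tamper else data)  # simulate editing after signing
    return buf.getvalue()
```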
signtool -L should list your object-signing certificate with an asterisk (*) beside it. If it doesn't, you cannot sign files.
Run signtool -v on your final archive.
Do not use the -G option while Communicator is running. The -G option writes to the security databases as it generates certificates, and corruption could occur if Communicator simultaneously attempts to write to these files. All other Netscape Signing Tool options are read-only and can't harm these files.
If you get the message Unknown issuer, you need to get the certificate of the certificate authority that issued your signing certificate. Alternatively, you may have the certificate authority's certificate, but it may not be trusted for object signing.
If you get the message Issuer not trusted, open Communicator on the system you used when you obtained the certificate and follow these steps:
You then need to transfer the cert7.db file to the appropriate directory on the system on which you are running the Netscape Signing Tool, as described in Setting Up Your Certificate.
Last Updated: 06/19/98 13:23:47
Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use