README
Signing Tool (signtool)
3.10 Release Notes
========================================

Documentation is provided online at mozilla.org

Problems or questions not covered by the online documentation can be
discussed in the DevEdge Security Newsgroup.

=== New Features in 3.10
=======================
One new option (-X) has been added to create a Mozilla-aware signed XPI
archive. It must be used together with the -Z option. With -X, signtool
writes a JAR file in which the signature block file (META-INF/zigbert.rsa or
META-INF/zigbert.dsa) is the first entry in the archive instead of the default
third-to-last position. Without this layout, products incorporating XPInstall
(the installer behind .xpi extensions for Firefox and Mozilla) do not
recognise the archive as signed.
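The following Python example is added here and is not part of signtool or this
README. It builds a signed-style archive in memory with either the default
-Z layout or the -X layout and checks where the signature block sits, which is
the property an XPInstall consumer depends on. The contents of the META-INF
members are placeholders (signtool produces the real ones), the relative order
of manifest.mf and zigbert.sf is an assumption of the example, and
compression_level plays the role of -c.

```python
"""Added example (not part of signtool or this README): build a signed-style
JAR/XPI archive in memory and check whether its signature block comes first,
which is the layout the -X option produces for XPInstall consumers."""
import io
import zipfile

SIGNATURE_BLOCKS = ("META-INF/zigbert.rsa", "META-INF/zigbert.dsa")


def build_archive(files, signature_block, xpi_layout=False, compression_level=6):
    """Return the bytes of a ZIP archive containing `files` (name -> bytes).

    The META-INF members carry constructed placeholder contents; signtool
    produces the real manifest, signature file and PKCS #7 block.  With
    xpi_layout=False the signature block lands third from last, as this README
    describes the default; with xpi_layout=True it is the first entry, as -X
    does.  Where manifest.mf and zigbert.sf sit relative to each other is an
    assumption of this example.  compression_level stands in for -c.
    """
    trailer = [
        ("META-INF/manifest.mf", b"Manifest-Version: 1.0\n"),
        ("META-INF/zigbert.sf", b"Signature-Version: 1.0\n"),
    ]
    sig = (signature_block, b"<pkcs7 signature placeholder>")
    entries = list(files.items())
    entries = [sig] + entries + trailer if xpi_layout else entries + [sig] + trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED,
                         compresslevel=compression_level) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def signature_block_position(archive_bytes):
    """Return (index, name) of the signature block member, or (None, None).

    infolist() follows central-directory order, which is the write order."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for index, info in enumerate(zf.infolist()):
            if info.filename in SIGNATURE_BLOCKS:
                return index, info.filename
    return None, None


def xpinstall_signed(archive_bytes):
    """True when the signature block is the first member: the -X layout."""
    index, _ = signature_block_position(archive_bytes)
    return index == 0


# Constructed sample content; a real XPI would carry its installer script and chrome.
SAMPLE_FILES = {
    "install.js": b"// installer script\n",
    "chrome/example.jar": b"inner jar placeholder\n",
}

if __name__ == "__main__":
    default_jar = build_archive(SAMPLE_FILES, "META-INF/zigbert.rsa")
    xpi = build_archive(SAMPLE_FILES, "META-INF/zigbert.rsa", xpi_layout=True)
    print("default -Z layout:", signature_block_position(default_jar), xpinstall_signed(default_jar))
    print("-X layout        :", signature_block_position(xpi), xpinstall_signed(xpi))
```

Run signature_block_position against an .xpi you have built to confirm the
signature block is entry 0 before shipping it; an archive signed without -X
verifies fine as a plain JAR but will not be treated as signed by XPInstall.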

=== New Features in 1.3
=======================

The security library components have been upgraded to NSS_2_7_1_RTM.
This raises the maximum supported RSA key size to 4096 bits.

=== Zigbert 0.6 Support
=======================
This program was previously named Zigbert. The last version of Zigbert
was Zigbert 0.6. Because all the functionality of Zigbert is maintained in
signtool 1.2, Zigbert is no longer supported. If you have problems
using Zigbert, please upgrade to signtool 1.2.

=== New Features in 1.2
=======================

Certificate Generation Improvements
-----------------------------------
Two new options have been added to control generation of self-signed object
signing certificates with the -G option. The -s option takes the size (in bits)
of the generated RSA private key. The -t option takes the name of the PKCS #11
token on which to generate the keypair and install the certificate. Both
options are optional. By default, the private key is 1024 bits and is generated
on the internal software token. A 1024-bit RSA key is no longer considered
adequate for a signing key; pass a larger size with -s (signtool 1.3 and later
accept up to 4096 bits).


=== New Features in 1.1
=======================

File I/O
--------
Signtool can now read its options from a command file specified with the -f
option on the command line. The format for the file is described in the
documentation.
Error messages and informational output can be redirected to an output file
by supplying the "--outfile" option on the command line or the "outfile="
option in the command file.

New Options
-----------
"--norecurse" tells Signtool not to recurse into subdirectories when signing
directories or parsing HTML with the -J option.
"--leavearc" tells Signtool not to delete the temporary .arc directories
produced by the -J option. This can aid debugging.
"--verbosity" tells Signtool how much information to display. 0 is the
default. -1 suppresses most messages, except for errors.

=== Bug Fixes in 1.1
====================

-J option revamped
------------------
The -J option, which parses HTML files, extracts Java and JavaScript code,
and stores them in signed JAR files, has been re-implemented. Several bugs
have been fixed:
- CODEBASE attribute is no longer ignored
- CLASS and SRC attributes can be paths ("xxx/xxx/x.class") rather than
  just filenames ("x.class").
- LINK tags are handled correctly
- various HTML parsing bugs fixed
- error messages are more informative

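The following Python example is added here and is not signtool's own code. It
shows the reference-collection step that -J must perform before anything can
be packaged: every script or applet the parser misses is simply never signed.
The three cases from the bug-fix list above (CODEBASE as a prefix for the
applet CODE path, path-valued CODE and SRC, and LINK tags) are handled
explicitly. The attribute set it recognises is this example's own choice;
signtool's parser handles more constructs than these, and the sample page is
constructed.

```python
"""Added example (not signtool's own code): collect the script and applet
resources an HTML page references, as the -J option must before it can put
them into a signed archive.  Constructs recognised here are this example's
selection: SCRIPT SRC, APPLET CODE resolved against CODEBASE, and LINK HREF."""
from html.parser import HTMLParser
import posixpath


class ScriptReferenceCollector(HTMLParser):
    """Gathers (kind, path) pairs in document order."""

    def __init__(self):
        super().__init__()
        self.references = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names; values may be None for bare attributes.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script" and attrs.get("src"):
            self.references.append(("script", attrs["src"]))
        elif tag == "applet" and attrs.get("code"):
            # CODEBASE is a directory prefix for CODE, not a file of its own:
            # ignoring it would point the signer at the wrong path.
            codebase = attrs.get("codebase", "")
            path = posixpath.join(codebase, attrs["code"]) if codebase else attrs["code"]
            self.references.append(("applet", posixpath.normpath(path)))
        elif tag == "link" and attrs.get("href"):
            self.references.append(("link", attrs["href"]))


def extract_references(html):
    parser = ScriptReferenceCollector()
    parser.feed(html)
    parser.close()
    return parser.references


def referenced_files(html):
    """Unique relative paths to package, first-seen order.

    Absolute URLs and site-absolute paths are skipped: -J packages files it
    can read from the local directory tree, not remote resources."""
    seen, out = set(), []
    for _, path in extract_references(html):
        if "://" in path or path.startswith("/"):
            continue
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


# Constructed sample page exercising each fixed case.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/site.css">
<script src="js/lib/util.js"></script>
</head><body>
<applet codebase="classes/" code="com/example/Demo.class" width=1 height=1></applet>
<applet code="Hello.class"></applet>
<script src="https://cdn.example.invalid/remote.js"></script>
<SCRIPT SRC="js/lib/util.js"></SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for path in referenced_files(SAMPLE_HTML):
        print(path)
```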

No Password on Key Database
---------------------------
If you had not yet set a Communicator password (which locks key3.db, the
key database), signtool would fail with a cryptic error message whenever it
attempted to verify the password. Now this condition is detected at the
beginning of the program, and a more informative message is displayed.

-x and -e Options
-----------------
Previously, only one of each of these options could be specified on the command
line. Now arbitrarily many can be specified. For example, to sign only files
with .class or .js extensions, the arguments "-eclass -ejs" could both be
specified. To exclude the directories "subdir1" and "subdir2" from signing,
the arguments "-x subdir1 -x subdir2" could both be specified.
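The following Python example is added here and is not signtool's own code. It
applies the selection rules described for repeated -e and -x options, and for
"--norecurse" from the 1.1 New Options above, to a constructed list of paths
relative to the directory being signed, so the effect of a given option set
can be checked without a real tree. Two details are assumptions of the
example rather than documented signtool behaviour: -e compares the extension
exactly (without the dot), and a directory named with -x is taken relative
to the signing root and excludes everything beneath it at any depth.

```python
"""Added example, not signtool's own code: which files a given set of -e, -x
and --norecurse options would select, computed over constructed paths.
Assumptions: -e matches the extension exactly (no dot); -x names a directory
relative to the signing root and excludes everything beneath it."""
import posixpath


def select_files(paths, extensions=(), excluded_dirs=(), recurse=True):
    """Return the subset of `paths` (forward-slash, relative) that would be signed.

    extensions    -- values given with -e, e.g. ("class", "js"); empty means
                     every file qualifies.
    excluded_dirs -- values given with -x, relative to the signing root.
    recurse       -- False reproduces --norecurse: only top-level files.
    """
    wanted = {e.lstrip(".") for e in extensions}
    excluded = {posixpath.normpath(d) for d in excluded_dirs}
    selected = []
    for path in paths:
        norm = posixpath.normpath(path)
        parent = posixpath.dirname(norm)
        if not recurse and parent:
            continue          # --norecurse: nothing below the top level
        if any(parent == d or parent.startswith(d + "/") for d in excluded):
            continue          # inside a directory named with -x
        if wanted and posixpath.splitext(norm)[1].lstrip(".") not in wanted:
            continue          # extension not listed with -e
        selected.append(norm)
    return selected


# Constructed sample tree (paths only; nothing is read from disk).
SAMPLE_TREE = [
    "index.html", "Main.class", "app.js", "README",
    "lib/Util.class", "lib/helper.js", "lib/notes.txt",
    "subdir1/Secret.class", "subdir2/more/Deep.class",
    "docs/subdir1/Note.class",
]

if __name__ == "__main__":
    # Equivalent of: signtool -eclass -ejs -x subdir1 -x subdir2 <dir>
    for f in select_files(SAMPLE_TREE, ("class", "js"), ("subdir1", "subdir2")):
        print(f)
```

Note that "docs/subdir1/Note.class" survives "-x subdir1" under the
root-relative interpretation used here; if you rely on excluding a name
wherever it appears, check what your signtool build actually does before
trusting the exclusion to keep a file out of the signed archive.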

=== New Features in 1.0
=======================

Creation of JAR files
---------------------
The -Z option causes signtool to output a JAR file formed by storing the
signed archive in ZIP format. This eliminates the need to use a separate ZIP
utility. The -c option specifies the compression level of the resulting
JAR file.

Generation of Object-Signing Certificates and Keys
--------------------------------------------------
The -G option will create a new, self-signed object-signing certificate
which can be used for testing purposes. The generated certificate and
associated public and private keys will be installed in the cert7.db and
key3.db files in the directory specified with the -d option (unless the key
is generated on an external token using the -t option). On Unix systems,
if no directory is specified, the user's Netscape directory (~/.netscape)
will be used. In addition, the certificate is output in X.509 format to the
files x509.raw and x509.cacert in the current directory. x509.cacert can
be published on a web page and imported into browsers that visit that page.
Because the certificate is self-signed, a browser that imports it trusts that
key directly as an object signer, so keep its use to test deployments.

Extraction and Signing of JavaScript from HTML
----------------------------------------------
The -J option activates the same functionality provided by the signpages
Perl script. It will parse a directory of HTML files, creating archives
of the JavaScript called from the HTML. These archives are then signed and
made into JAR files.

Enhanced Smart Card Support
---------------------------
Certificates that reside on smart cards are displayed when using the -L and
-l options.
