I tried to use the signtool you cited, but I've got a windows when I call the signtool command.
Strange. I wonder if there's not something causing trouble in the structure of your .db.
That said, I'm not so happy anymore with using that version.
When I'm using a fake certificate, it won't include it inside zigbert.rsa (zigbert.rsa is a PKCS#7) inside the .jar file; the consequence is that the SUN plug-in will refuse to handle the signed applet. The NSS-3.2.1 will include the cert, and everything is OK.
The NSS-3.2.1 signtool always outputs "++ Error ++ ISSUER CERT "MyCert" IS NOT VALID" for fake certs, even though the 1999 version did not complain.
Now I have succeeded in creating a fake certificate and signing. It's a good idea to try to import the certificate with pk12util (I didn't know this tool, I'll take a look) and change its alias.
I think you could also try to export the certificate and import it back into a Netscape 4 to get a database that is strictly compatible with the old tools.
If this all doesn't work, I've seen I can successfully verify the signature with openssl:
openssl smime -verify -noverify -content zigbert.sf -in zigbert.rsa -inform der
which means it should be possible to generate a valid zigbert.rsa with openssl and update the JAR with it.
But it might be that you should get the order of entries inside the JAR right too.
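
The openssl round trip discussed in the message above, as an added example that is not part of the original thread: it builds a detached DER PKCS#7 over a zigbert.sf, checks it with the quoted verify command, and confirms the signer certificate is embedded. The zigbert.sf contents, the throwaway self-signed certificate, the file names key.pem and cert.pem and the function names are all constructed for illustration; repacking the JAR is not covered.

```shell
#!/bin/sh
# Added example: constructed sample data and a throwaway self-signed cert.

make_signed_sf() {   # $1 = work directory
    dir=$1
    mkdir -p "$dir/META-INF" || return 1
    # Constructed stand-in for the signature file a signing tool would write.
    printf 'Signature-Version: 1.0\r\nCreated-By: example\r\n\r\n' \
        > "$dir/META-INF/zigbert.sf"
    # Test-only key and self-signed certificate (assumed names).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Test Signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # -binary signs the bytes exactly as stored. Without -nodetach the
    # content stays outside the PKCS#7, as with the .sf/.rsa pair in a JAR.
    openssl smime -sign -binary -in "$dir/META-INF/zigbert.sf" \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -outform der -out "$dir/META-INF/zigbert.rsa" 2>/dev/null
}

verify_sf() {        # same verify command as quoted in the message
    openssl smime -verify -noverify -content "$1/META-INF/zigbert.sf" \
        -in "$1/META-INF/zigbert.rsa" -inform der >/dev/null 2>&1
}

cert_embedded() {    # is the signer certificate carried inside zigbert.rsa?
    openssl pkcs7 -inform der -in "$1/META-INF/zigbert.rsa" \
        -print_certs -noout 2>/dev/null | grep -q 'Example Test Signer'
}

work=$(mktemp -d)
if make_signed_sf "$work" && verify_sf "$work" && cert_embedded "$work"; then
    echo "zigbert.rsa verifies and carries the signer certificate"
fi
rm -rf "$work"
```

Because -noverify skips chain validation, a passing result only shows that the signature matches zigbert.sf, not that the certificate is trusted.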
