Package: libnss3-tools
Version: 2:3.106-1
Severity: minor
Tags: upstream

   * What led up to the situation?

     Checking for defects with a new version

test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z < "man page"

  [Use "groff -e ' $' <file>" to find trailing spaces.]

  ["test-groff" is a script in the repository for "groff"; it is not shipped
(local copy and "troff" slightly changed by me).]

  [The fate of "test-nroff" was decided in groff bug #55941.]

   * What was the outcome of this action?

troff:<stdin>:340: warning: trailing space in the line
troff:<stdin>:342: warning: trailing space in the line
troff:<stdin>:343: warning: trailing space in the line
troff:<stdin>:344: warning: trailing space in the line
troff:<stdin>:345: warning: trailing space in the line
troff:<stdin>:346: warning: trailing space in the line
troff:<stdin>:347: warning: trailing space in the line
troff:<stdin>:348: warning: trailing space in the line
troff:<stdin>:349: warning: trailing space in the line
troff:<stdin>:350: warning: trailing space in the line
troff:<stdin>:351: warning: trailing space in the line
troff:<stdin>:352: warning: trailing space in the line
troff:<stdin>:353: warning: trailing space in the line
troff:<stdin>:354: warning: trailing space in the line
troff:<stdin>:355: warning: trailing space in the line
troff:<stdin>:356: warning: trailing space in the line
troff:<stdin>:359: warning: trailing space in the line
troff:<stdin>:383: warning: trailing space in the line
troff:<stdin>:474: warning: trailing space in the line
troff:<stdin>:476: warning: trailing space in the line
troff:<stdin>:477: warning: trailing space in the line
troff:<stdin>:478: warning: trailing space in the line
troff:<stdin>:479: warning: trailing space in the line
troff:<stdin>:480: warning: trailing space in the line
troff:<stdin>:545: warning: trailing space in the line
troff:<stdin>:546: warning: trailing space in the line
troff:<stdin>:547: warning: trailing space in the line
troff:<stdin>:548: warning: trailing space in the line
troff:<stdin>:549: warning: trailing space in the line
troff:<stdin>:550: warning: trailing space in the line
troff:<stdin>:551: warning: trailing space in the line
troff:<stdin>:552: warning: trailing space in the line
troff:<stdin>:553: warning: trailing space in the line
troff:<stdin>:554: warning: trailing space in the line
troff:<stdin>:555: warning: trailing space in the line
troff:<stdin>:556: warning: trailing space in the line
troff:<stdin>:557: warning: trailing space in the line
troff:<stdin>:558: warning: trailing space in the line
troff:<stdin>:559: warning: trailing space in the line
troff:<stdin>:560: warning: trailing space in the line
troff:<stdin>:561: warning: trailing space in the line
troff:<stdin>:562: warning: trailing space in the line

   * What outcome did you expect instead?

     No output (no warnings).

-.-

  General remarks and further material, if a diff-file exists, are in the
attachments.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.6-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libnss3-tools depends on:
ii  libc6     2.40-4
ii  libnspr4  2:4.36-1
ii  libnss3   2:3.106-1
ii  zlib1g    1:1.3.dfsg+really1.3.1-1+b1

libnss3-tools recommends no packages.

libnss3-tools suggests no packages.

-- no debconf information
Input file is signtool.1

  Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)

[gn]roff -mandoc -t -ww -b -z -K utf8  <man page>

  The same goes for man pages that are used as an input.

  For a style guide use

  mandoc -T lint

-.-

  So any 'generator' should check its products with the above mentioned
'groff', 'mandoc',  and additionally with 'nroff ...'.

  This is just a simple quality control measure.

  The 'generator' may have to be corrected to get a better man page,
the source file may, and any additional file may.

  Common defects:

  Input text line longer than 80 bytes.

  Not removing trailing spaces (in in- and output).
  The reason for these trailing spaces should be found and eliminated.

  Not beginning each input sentence on a new line.
Lines should thus be shorter.

  See man-pages(7), item 'semantic newline'.

-.-

The difference between the formatted output of the original and patched file
can be seen with:

  nroff -mandoc <file1> > <out1>
  nroff -mandoc <file2> > <out2>
  diff -u <out1> <out2>

and for groff, using

"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - "

instead of 'nroff -mandoc'

  Add the option '-t', if the file contains a table.

  Read the output of 'diff -u' with 'less -R' or similar.

-.-.

  If 'man' (man-db) is used to check the manual for warnings,
the following must be set:

  The option "-warnings=w"

  The environment variable:

export MAN_KEEP_STDERR=yes (or any non-empty value)

  or

  (produce only warnings):

export MANROFFOPT="-ww -b -z"

export MAN_KEEP_STDERR=yes (or any non-empty value)


-.-.

Output from "mandoc -T lint  signtool.1": (shortened list)

     57 input text line longer than 80 bytes
      9 skipping paragraph macro

-.-.

Output from "test-groff -mandoc -t -ww -z signtool.1": (shortened list)

     42 trailing space in the line

-.-.

Lines containing '\c' (' \c' does not make sense):

641:\h'-04'\(bu\h'+03'\c
652:\h'-04'\(bu\h'+03'\c

-.-

Remove space characters (whitespace) at the end of lines.
Use "git apply ... --whitespace=fix" to fix extra space issues, or use
global configuration "core.whitespace".

Number of lines affected is

39

-.-.

Find a repeated word

! 62 --> the

-.-.

Strings longer than 3/4 of a standard line length (80)
Use "\:" to split the string at the end of an output line, for example a
long URL (web address)

377 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
386 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
546 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 
562     
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 
596 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
605 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
621 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
628 
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
663 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. 
The NSS site relates directly to NSS code changes and releases\&.

-.-.

Wrong distance between sentences in the input file.

  Separate the sentences and subordinate clauses; each begins on a new
line.  See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").

  The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.

Remember coding: Only one command ("sentence") on each (logical) line.

E-mail: Easier to quote exactly the relevant lines.

Generally: Easier to edit the sentence.

Patches: Less unaffected text.

Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.

  The amount of space between sentences in the output can then be
controlled with the ".ss" request.

Mark a final abbreviation point as such by suffixing it with "\&".


N.B.

  The number of lines affected can be too large to be in a patch.

37:This documentation is still work in progress\&. Please contribute to the 
initial review in
42:\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) 
file to associate the signatures with files in a directory\&. Electronic 
software distribution over any network involves potential security problems\&. 
To help address some of these problems, you can associate digital signatures 
with the files in a JAR archive\&. Digital signatures allow SSL\-enabled 
clients to perform two important operations:
48:If you have a signing certificate, you can use Netscape Signing Tool to 
digitally sign files and package them as a JAR file\&. An object\-signing 
certificate is a special kind of certificate that allows you to associate your 
digital signature with one or more files\&.
50:An individual file can potentially be signed with multiple digital 
signatures\&. For example, a commercial software developer might sign the files 
that constitute a software product to prove that the files are indeed from a 
particular company\&. A network administrator manager might sign the same files 
with an additional digital signature based on a company\-generated certificate 
to indicate that the product is approved for use within the company\&.
52:The significance of a digital signature is comparable to the significance of 
a handwritten signature\&. Once you have signed a file, it is difficult to 
claim later that you didn\*(Aqt sign it\&. In some situations, a digital 
signature may be considered as legally binding as a handwritten signature\&. 
Therefore, you should take great care to ensure that you can stand behind any 
file you sign and distribute\&.
54:For example, if you are a software developer, you should test your code to 
make sure it is virus\-free before signing it\&. Similarly, if you are a 
network administrator, you should make sure, before signing any code, that it 
comes from a reliable source and will run correctly with the software installed 
on the machines to which you are distributing it\&.
56:Before you can use Netscape Signing Tool to sign files, you must have an 
object\-signing certificate, which is a special certificate whose associated 
private key is used to create digital signatures\&. For testing purposes only, 
you can create an object\-signing certificate with Netscape Signing Tool 
1\&.3\&. When testing is finished and you are ready to disitribute your 
software, you should obtain an object\-signing certificate from one of two 
kinds of sources:
58:* An independent certificate authority (CA) that authenticates your identity 
and charges you a fee\&. You typically get a certificate from an independent CA 
if you want to sign software that will be distributed over the Internet\&.
60:* CA server software running on your corporate intranet or extranet\&. 
Netscape Certificate Management System provides a complete management solution 
for creating, deploying, and managing certificates, including CAs that issue 
object\-signing certificates\&.
62:You must also have a certificate for the CA that issues your signing 
certificate before you can sign files\&. If the certificate authority\*(Aqs 
certificate isn\*(Aqt already installed in your copy of Communicator, you 
typically install it by clicking the appropriate link on the certificate 
authority\*(Aqs web site, for example on the page from which you initiated 
enrollment for your signing certificate\&. This is the case for some test 
certificates, as well as certificates issued by Netscape Certificate Management 
System: you must download the the CA certificate in addition to obtaining your 
own signing certificate\&. CA certificates for several certificate authorities 
are preinstalled in the Communicator certificate database\&.
64:When you receive an object\-signing certificate for your own use, it is 
automatically installed in your copy of the Communicator client software\&. 
Communicator supports the public\-key cryptography standard known as PKCS #12, 
which governs key portability\&. You can, for example, move an object\-signing 
certificate and its associated private key from one computer to another on a 
credit\-card\-sized device called a smart card\&.
69:Specifies the base filename for the \&.rsa and \&.sf files in the META\-INF 
directory to conform with the JAR format\&. For example,
71:causes the files to be named signatures\&.rsa and signatures\&.sf\&. The 
default is signtool\&.
76:Specifies the compression level for the \-J or \-Z option\&. The symbol # 
represents a number from 0 to 9, where 0 means no compression and 9 means 
maximum compression\&. The higher the level of compression, the smaller the 
output but the longer the operation takes\&. If the \-c# option is not used 
with either the \-J or the \-Z option, the default compression value used by 
both the \-J and \-Z options is 6\&.
81:Specifies your certificate database directory; that is, the directory in 
which you placed your key3\&.db and cert7\&.db files\&. To specify the current 
directory, use "\-d\&." (including the period)\&. The Unix version of signtool 
assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool 
always requires the use of the \-d option to specify where the database files 
are located\&.
86:Tells signtool to sign only files with the given extension; for example, use 
\-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing 
Tool version 1\&.1 and later this option can appear multiple times on one 
command line, making it possible to specify multiple file types or classes to 
include\&.
91:Specifies a text file containing Netscape Signing Tool options and arguments 
in keyword=value format\&. All options and arguments can be expressed through 
this file\&. For more information about the syntax used with this file, see 
"Tips and Techniques"\&.
96:Generates a new private\-public key pair and corresponding object\-signing 
certificate with the given nickname\&. The newly generated keys and certificate 
are installed into the key and certificate databases in the directory specified 
by the \-d option\&. With the NT version of Netscape Signing Tool, you must use 
the \-d option with the \-G option\&. With the Unix version of Netscape Signing 
Tool, omitting the \-d option causes the tool to install the keys and 
certificate in the Communicator key and certificate databases\&. If you are 
installing the keys and certificate in the Communicator databases, you must 
exit Communicator before using this option; otherwise, you risk corrupting the 
databases\&. In all cases, the certificate is also output to a file named 
x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike 
certificates normally used to sign finished code to be distributed over a 
network, a test certificate created with \-G is not signed by a recognized 
certificate authority\&. Instead, it is self\-signed\&. In addition, a single 
test signing certificate functions as both an object\-signing certificate and a 
CA\&. When you are using it to sign objects, it behaves like an object\-signing 
certificate\&. When it is imported into browser software such as Communicator, 
it behaves like an object\-signing CA and cannot be used to sign objects\&. The 
\-G option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. By default, it produces only RSA certificates with 1024\-byte keys in 
the internal token\&. However, you can use the \-s option specify the required 
key size and the \-t option to specify the token\&.
101:Specifies the name of an installer script for SmartUpdate\&. This script 
installs files from the JAR archive in the local system after SmartUpdate has 
validated the digital signature\&. For more details, see the description of \-m 
that follows\&. The \-i option provides a straightforward way to provide this 
information if you don\*(Aqt need to specify any metadata other than an 
installer script\&.
106:Signs a directory of HTML files containing JavaScript and creates as many 
archive files as are specified in the HTML tags\&. Even if signtool creates 
more than one archive file, you need to supply the key database password only 
once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and 
later versions\&. The \-J option cannot be used at the same time as the \-Z 
option\&. If the \-c# option is not used with the \-J option, the default 
compression value is 6\&. Note that versions 1\&.1 and later of Netscape 
Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be 
expressed for the CLASS and SRC attributes instead of filenames only, processes 
LINK tags and parses HTML correctly, and offers clearer error messages\&.
111:Specifies a special JavaScript directory\&. This option causes the 
specified directory to be signed and tags its entries as inline JavaScript\&. 
This special type of entry does not have to appear in the JAR file itself\&. 
Instead, it is located in the HTML page containing the inline scripts\&. When 
you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.
114:\-k key \&.\&.\&. directory
116:Specifies the nickname (key) of the certificate you want to sign with and 
signs the files in the specified directory\&. The directory to sign is always 
specified as the last command\-line argument\&. Thus, it is possible to write 
signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname 
contains a single quotation mark\&. To avoid problems, escape the quotation 
mark using the escape conventions for your platform\&. It\*(Aqs also possible 
to use the \-k option without signing any files or specifying a directory\&. 
For example, you can use it with the \-l option to get detailed information 
about a particular signing certificate\&.
121:Lists signing certificates, including issuing CAs\&. If any of your 
certificates are expired or invalid, the list will so specify\&. This option 
can be used with the \-k option to list detailed information about a particular 
signing certificate\&. The \-l option is available in Netscape Signing Tool 
1\&.0 and later versions only\&.
126:Lists the certificates in your database\&. An asterisk appears to the left 
of the nickname for any certificate that can be used to sign objects with 
signtool\&.
131:Retains the temporary \&.arc (archive) directories that the \-J option 
creates\&. These directories are automatically erased by default\&. Retaining 
the temporary directories can be an aid to debugging\&.
136:Specifies the name of a metadata control file\&. Metadata is signed 
information attached either to the JAR archive itself or to files within the 
archive\&. This metadata can be any ASCII string, but is used mainly for 
specifying an installer script\&. The metadata file contains one entry per 
line, each with three fields: field #1: file specification, or + if you want to 
specify global metadata (that is, metadata about the JAR archive itself or all 
entries in the archive) field #2: the name of the data you are specifying; for 
example: Install\-Script field #3: data corresponding to the name in field #2 
For example, the \-i option uses the equivalent of this line: + 
Install\-Script: script\&.js This example associates a MIME type with a file: 
movie\&.qt MIME\-Type: video/quicktime For information about the way installer 
script information appears in the manifest file for a JAR archive, see The JAR 
Format on Netscape DevEdge\&.
141:Lists the PKCS #11 modules available to signtool, including smart cards\&. 
The \-M option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. For information on using Netscape Signing Tool with smart cards, see 
"Using Netscape Signing Tool with Smart Cards"\&. For information on using the 
\-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool 
and FIPS\-140\-1"\&.
151:Optimizes the archive for size\&. Use this only if you are signing very 
large archives containing hundreds of files\&. This option makes the manifest 
files (required by the JAR format) considerably smaller, but they contain 
slightly less information\&.
161:Specifies a password for the private\-key database\&. Note that the 
password entered on the command line is displayed as plain text\&.
166:Specifies the size of the key for generated certificate\&. Use the \-M 
option to find out what tokens are available\&. The \-s option can be used with 
the \-G option only\&.
171:Specifies which available token should generate the key and receive the 
certificate\&. Use the \-M option to find out what tokens are available\&. The 
\-t option can be used with the \-G option only\&.
176:Displays the contents of an archive and verifies the cryptographic 
integrity of the digital signatures it contains and the files with which they 
are associated\&. This includes checking that the certificate for the issuer of 
the object\-signing certificate is listed in the certificate database, that the 
CA\*(Aqs digital signature on the object\-signing certificate is valid, that 
the relevant certificates have not expired, and so on\&.
181:Sets the quantity of information Netscape Signing Tool generates in 
operation\&. A value of 0 (zero) is the default and gives full information\&. A 
value of \-1 suppresses most messages, but not error messages\&.
191:Excludes the specified directory from signing\&. Note that with Netscape 
Signing Tool version 1\&.1 and later this option can appear multiple times on 
one command line, making it possible to specify several particular directories 
to exclude\&.
196:Tells signtool not to store the signing time in the digital signature\&. 
This option is useful if you want the expiration date of the signature checked 
against the current date and time rather than the time the files were signed\&.
201:Creates a JAR file with the specified name\&. You must specify this option 
if you want signtool to create the JAR file; it does not do so automatically\&. 
If you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the 
JAR file\&. The \-Z option cannot be used at the same time as the \-J option\&. 
If the \-c# option is not used with the \-Z option, the default compression 
value is 6\&.
205:Entries in a Netscape Signing Tool command file have this general format: 
keyword=value Everything before the = sign on a single line is a keyword, and 
everything from the = sign to the end of line is a value\&. The value may 
include = signs; only the first = sign on a line is interpreted\&. Blank lines 
are ignored, but white space on a line with keywords and values is assumed to 
be part of the keyword (if it comes before the equal sign) or part of the value 
(if it comes after the first equal sign)\&. Keywords are case insensitive, 
values are generally case sensitive\&. Since the = sign and newline delimit the 
value, it should not be quoted\&.
261:Same as \-l option\&. Value is ignored, but = sign must be present\&.
266:Same as \-L option\&. Value is ignored, but = sign must be present\&.
276:Same as \-M option\&. Value is ignored, but = sign must be present\&.
281:Same as \-o option\&. Value is ignored, but = sign must be present\&.
316:Same as \-z option\&. value is ignored, but = sign must be present\&.
326:Name of a file to which output and error messages will be redirected\&. 
This option has no command\-line equivalent\&.
349:  Uptime Group Plc\&. Class 4 CA 
355:  Uptime Group Plc\&. Class 1 CA 
380:    Issued by: VeriSign, Inc\&. \- Verisign, Inc\&.
398:1\&. Create an empty directory\&.
410:2\&. Put some file into it\&.
422:3\&. Specify the name of your object\-signing certificate and sign the 
directory\&.
448:4\&. Test the archive you just created\&.
468:To use Netscape Signing Tool with a ZIP utility, you must have the utility 
in your path environment variable\&. You should use the zip\&.exe utility 
rather than pkzip\&.exe, which cannot handle long filenames\&. You can use a 
ZIP utility instead of the \-Z option to package a signed archive into a JAR 
file after you have signed it:
489:The signtool option \-G generates a new public\-private key pair and 
certificate\&. It takes the nickname of the new certificate as an argument\&. 
The newly generated keys and certificate are installed into the key and 
certificate databases in the directory specified by the \-d option\&. With the 
NT version of Netscape Signing Tool, you must use the \-d option with the \-G 
option\&. With the Unix version of Netscape Signing Tool, omitting the \-d 
option causes the tool to install the keys and certificate in the Communicator 
key and certificate databases\&. In all cases, the certificate is also output 
to a file named x509\&.cacert, which has the MIME\-type 
application/x\-x509\-ca\-cert\&.
491:Certificates contain standard information about the entity they identify, 
such as the common name and organization name\&. Netscape Signing Tool prompts 
you for this information when you run the command with the \-G option\&. 
However, all of the requested fields are optional for test certificates\&. If 
you do not enter a common name, the tool provides a default name\&. In the 
following example, the user input is in boldface:
500:Enter certificate information\&. All fields are optional\&. Acceptable
520:The certificate information is read from standard input\&. Therefore, the 
information can be read from a file using the redirection operator (<) in some 
operating systems\&. To create a file for this purpose, enter each of the seven 
input fields, in order, on a separate line\&. Make sure there is a newline 
character at the end of the last line\&. Then run signtool with standard input 
redirected from your file as follows:
532:The prompts show up on the screen, but the responses will be automatically 
read from the file\&. The password will still be read from the console unless 
you use the \-p option to give the password on the command line\&.
547:    1\&. Netscape Internal PKCS #11 Module 
555:    2\&. CryptOS 
570:The signtool command normally takes an argument of the \-k option to 
specify a signing certificate\&. To sign with a smart card, you supply only the 
fully qualified name of the certificate\&.
572:To see fully qualified certificate names when you run Communicator, click 
the Security button in Navigator, then click Yours under Certificates in the 
left frame\&. Fully qualified names are of the format smart card:certificate, 
for example "MyCard:My Signing Cert"\&. You use this name with the \-k argument 
as follows:
597:  1\&. Netscape Internal PKCS #11 Module
622:1\&. Netscape Internal FIPS PKCS #11 Module
663:\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. 
The NSS site relates directly to NSS code changes and releases\&.
675:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the 
MPL was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.

-.-.

Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.

N.B.

  The number of lines affected can be too large to be in a patch.


Line 34, length 519

\fBsigntool\fR [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] 
[[\-e\ extension]] [[\-f\ filename]] [[\-i\ installer\ script]] [[\-h]] [[\-H]] 
[[\-v]] [[\-w]] [[\-G\ nickname]] [[\-J]] [[\-j\ directory]] [\-k\ keyName] 
[[\-\-keysize\ |\ \-s\ size]] [[\-l]] [[\-L]] [[\-M]] [[\-m\ metafile]] 
[[\-\-norecurse]] [[\-O]] [[\-o]] [[\-\-outfile]] [[\-p\ password]] 
[[\-t|\-\-token\ tokenname]] [[\-z]] [[\-X]] [[\-x\ name]] [[\-\-verbose\ 
value]] [[\-\-leavearc]] [[\-Z\ jarfile]] [directory\-tree] [archive]

Line 37, length 90

This documentation is still work in progress\&. Please contribute to the 
initial review in

Line 42, length 419

\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) file 
to associate the signatures with files in a directory\&. Electronic software 
distribution over any network involves potential security problems\&. To help 
address some of these problems, you can associate digital signatures with the 
files in a JAR archive\&. Digital signatures allow SSL\-enabled clients to 
perform two important operations:

Line 44, length 119

* Confirm the identity of the individual, company, or other entity whose 
digital signature is associated with the files

Line 48, length 268

If you have a signing certificate, you can use Netscape Signing Tool to 
digitally sign files and package them as a JAR file\&. An object\-signing 
certificate is a special kind of certificate that allows you to associate your 
digital signature with one or more files\&.

Line 50, length 453

An individual file can potentially be signed with multiple digital 
signatures\&. For example, a commercial software developer might sign the files 
that constitute a software product to prove that the files are indeed from a 
particular company\&. A network administrator manager might sign the same files 
with an additional digital signature based on a company\-generated certificate 
to indicate that the product is approved for use within the company\&.

Line 52, length 411

The significance of a digital signature is comparable to the significance of a 
handwritten signature\&. Once you have signed a file, it is difficult to claim 
later that you didn\*(Aqt sign it\&. In some situations, a digital signature 
may be considered as legally binding as a handwritten signature\&. Therefore, 
you should take great care to ensure that you can stand behind any file you 
sign and distribute\&.

Line 54, length 357

For example, if you are a software developer, you should test your code to make 
sure it is virus\-free before signing it\&. Similarly, if you are a network 
administrator, you should make sure, before signing any code, that it comes 
from a reliable source and will run correctly with the software installed on 
the machines to which you are distributing it\&.

Line 56, length 466

Before you can use Netscape Signing Tool to sign files, you must have an 
object\-signing certificate, which is a special certificate whose associated 
private key is used to create digital signatures\&. For testing purposes only, 
you can create an object\-signing certificate with Netscape Signing Tool 
1\&.3\&. When testing is finished and you are ready to disitribute your 
software, you should obtain an object\-signing certificate from one of two 
kinds of sources:

Line 58, length 231

* An independent certificate authority (CA) that authenticates your identity 
and charges you a fee\&. You typically get a certificate from an independent CA 
if you want to sign software that will be distributed over the Internet\&.

Line 60, length 258

* CA server software running on your corporate intranet or extranet\&. Netscape 
Certificate Management System provides a complete management solution for 
creating, deploying, and managing certificates, including CAs that issue 
object\-signing certificates\&.

Line 62, length 739

You must also have a certificate for the CA that issues your signing 
certificate before you can sign files\&. If the certificate authority\*(Aqs 
certificate isn\*(Aqt already installed in your copy of Communicator, you 
typically install it by clicking the appropriate link on the certificate 
authority\*(Aqs web site, for example on the page from which you initiated 
enrollment for your signing certificate\&. This is the case for some test 
certificates, as well as certificates issued by Netscape Certificate Management 
System: you must download the the CA certificate in addition to obtaining your 
own signing certificate\&. CA certificates for several certificate authorities 
are preinstalled in the Communicator certificate database\&.

Line 64, length 432

When you receive an object\-signing certificate for your own use, it is 
automatically installed in your copy of the Communicator client software\&. 
Communicator supports the public\-key cryptography standard known as PKCS #12, 
which governs key portability\&. You can, for example, move an object\-signing 
certificate and its associated private key from one computer to another on a 
credit\-card\-sized device called a smart card\&.

Line 69, length 132

Specifies the base filename for the \&.rsa and \&.sf files in the META\-INF 
directory to conform with the JAR format\&. For example,

Line 71, length 95

causes the files to be named signatures\&.rsa and signatures\&.sf\&. The 
default is signtool\&.

Line 76, length 413

Specifies the compression level for the \-J or \-Z option\&. The symbol # 
represents a number from 0 to 9, where 0 means no compression and 9 means 
maximum compression\&. The higher the level of compression, the smaller the 
output but the longer the operation takes\&. If the \-c# option is not used 
with either the \-J or the \-Z option, the default compression value used by 
both the \-J and \-Z options is 6\&.

Line 81, length 397

Specifies your certificate database directory; that is, the directory in which 
you placed your key3\&.db and cert7\&.db files\&. To specify the current 
directory, use "\-d\&." (including the period)\&. The Unix version of signtool 
assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool 
always requires the use of the \-d option to specify where the database files 
are located\&.

Line 86, length 318

Tells signtool to sign only files with the given extension; for example, use 
\-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing 
Tool version 1\&.1 and later this option can appear multiple times on one 
command line, making it possible to specify multiple file types or classes to 
include\&.

Line 91, length 255

Specifies a text file containing Netscape Signing Tool options and arguments in 
keyword=value format\&. All options and arguments can be expressed through this 
file\&. For more information about the syntax used with this file, see "Tips 
and Techniques"\&.

Line 96, length 1678

Generates a new private\-public key pair and corresponding object\-signing 
certificate with the given nickname\&. The newly generated keys and certificate 
are installed into the key and certificate databases in the directory specified 
by the \-d option\&. With the NT version of Netscape Signing Tool, you must use 
the \-d option with the \-G option\&. With the Unix version of Netscape Signing 
Tool, omitting the \-d option causes the tool to install the keys and 
certificate in the Communicator key and certificate databases\&. If you are 
installing the keys and certificate in the Communicator databases, you must 
exit Communicator before using this option; otherwise, you risk corrupting the 
databases\&. In all cases, the certificate is also output to a file named 
x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike 
certificates normally used to sign finished code to be distributed over a 
network, a test certificate created with \-G is not signed by a recognized 
certificate authority\&. Instead, it is self\-signed\&. In addition, a single 
test signing certificate functions as both an object\-signing certificate and a 
CA\&. When you are using it to sign objects, it behaves like an object\-signing 
certificate\&. When it is imported into browser software such as Communicator, 
it behaves like an object\-signing CA and cannot be used to sign objects\&. The 
\-G option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. By default, it produces only RSA certificates with 1024\-byte keys in 
the internal token\&. However, you can use the \-s option specify the required 
key size and the \-t option to specify the token\&.

Line 101, length 400

Specifies the name of an installer script for SmartUpdate\&. This script 
installs files from the JAR archive in the local system after SmartUpdate has 
validated the digital signature\&. For more details, see the description of \-m 
that follows\&. The \-i option provides a straightforward way to provide this 
information if you don\*(Aqt need to specify any metadata other than an 
installer script\&.

Line 106, length 757

Signs a directory of HTML files containing JavaScript and creates as many 
archive files as are specified in the HTML tags\&. Even if signtool creates 
more than one archive file, you need to supply the key database password only 
once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and 
later versions\&. The \-J option cannot be used at the same time as the \-Z 
option\&. If the \-c# option is not used with the \-J option, the default 
compression value is 6\&. Note that versions 1\&.1 and later of Netscape 
Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be 
expressed for the CLASS and SRC attributes instead of filenames only, processes 
LINK tags and parses HTML correctly, and offers clearer error messages\&.

Line 111, length 380

Specifies a special JavaScript directory\&. This option causes the specified 
directory to be signed and tags its entries as inline JavaScript\&. This 
special type of entry does not have to appear in the JAR file itself\&. 
Instead, it is located in the HTML page containing the inline scripts\&. When 
you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.

Line 116, length 651

Specifies the nickname (key) of the certificate you want to sign with and signs 
the files in the specified directory\&. The directory to sign is always 
specified as the last command\-line argument\&. Thus, it is possible to write 
signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname 
contains a single quotation mark\&. To avoid problems, escape the quotation 
mark using the escape conventions for your platform\&. It\*(Aqs also possible 
to use the \-k option without signing any files or specifying a directory\&. 
For example, you can use it with the \-l option to get detailed information 
about a particular signing certificate\&.

Line 121, length 333

Lists signing certificates, including issuing CAs\&. If any of your 
certificates are expired or invalid, the list will so specify\&. This option 
can be used with the \-k option to list detailed information about a particular 
signing certificate\&. The \-l option is available in Netscape Signing Tool 
1\&.0 and later versions only\&.

Line 126, length 160

Lists the certificates in your database\&. An asterisk appears to the left of 
the nickname for any certificate that can be used to sign objects with 
signtool\&.

Line 131, length 204

Retains the temporary \&.arc (archive) directories that the \-J option 
creates\&. These directories are automatically erased by default\&. Retaining 
the temporary directories can be an aid to debugging\&.

Line 136, length 938

Specifies the name of a metadata control file\&. Metadata is signed information 
attached either to the JAR archive itself or to files within the archive\&. 
This metadata can be any ASCII string, but is used mainly for specifying an 
installer script\&. The metadata file contains one entry per line, each with 
three fields: field #1: file specification, or + if you want to specify global 
metadata (that is, metadata about the JAR archive itself or all entries in the 
archive) field #2: the name of the data you are specifying; for example: 
Install\-Script field #3: data corresponding to the name in field #2 For 
example, the \-i option uses the equivalent of this line: + Install\-Script: 
script\&.js This example associates a MIME type with a file: movie\&.qt 
MIME\-Type: video/quicktime For information about the way installer script 
information appears in the manifest file for a JAR archive, see The JAR Format 
on Netscape DevEdge\&.

Line 141, length 406

Lists the PKCS #11 modules available to signtool, including smart cards\&. The 
\-M option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. For information on using Netscape Signing Tool with smart cards, see 
"Using Netscape Signing Tool with Smart Cards"\&. For information on using the 
\-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool 
and FIPS\-140\-1"\&.

Line 146, length 100

Blocks recursion into subdirectories when signing a directory\*(Aqs contents or 
when parsing HTML\&.

Line 151, length 252

Optimizes the archive for size\&. Use this only if you are signing very large 
archives containing hundreds of files\&. This option makes the manifest files 
(required by the JAR format) considerably smaller, but they contain slightly 
less information\&.

Line 161, length 134

Specifies a password for the private\-key database\&. Note that the password 
entered on the command line is displayed as plain text\&.

Line 166, length 173

Specifies the size of the key for generated certificate\&. Use the \-M option 
to find out what tokens are available\&. The \-s option can be used with the 
\-G option only\&.

Line 171, length 201

Specifies which available token should generate the key and receive the 
certificate\&. Use the \-M option to find out what tokens are available\&. The 
\-t option can be used with the \-G option only\&.

Line 176, length 438

Displays the contents of an archive and verifies the cryptographic integrity of 
the digital signatures it contains and the files with which they are 
associated\&. This includes checking that the certificate for the issuer of the 
object\-signing certificate is listed in the certificate database, that the 
CA\*(Aqs digital signature on the object\-signing certificate is valid, that 
the relevant certificates have not expired, and so on\&.

Line 181, length 212

Sets the quantity of information Netscape Signing Tool generates in 
operation\&. A value of 0 (zero) is the default and gives full information\&. A 
value of \-1 suppresses most messages, but not error messages\&.

Line 191, length 243

Excludes the specified directory from signing\&. Note that with Netscape 
Signing Tool version 1\&.1 and later this option can appear multiple times on 
one command line, making it possible to specify several particular directories 
to exclude\&.

Line 196, length 231

Tells signtool not to store the signing time in the digital signature\&. This 
option is useful if you want the expiration date of the signature checked 
against the current date and time rather than the time the files were signed\&.

Line 201, length 402

Creates a JAR file with the specified name\&. You must specify this option if 
you want signtool to create the JAR file; it does not do so automatically\&. If 
you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the JAR 
file\&. The \-Z option cannot be used at the same time as the \-J option\&. If 
the \-c# option is not used with the \-Z option, the default compression value 
is 6\&.

Line 205, length 651

Entries in a Netscape Signing Tool command file have this general format: 
keyword=value Everything before the = sign on a single line is a keyword, and 
everything from the = sign to the end of line is a value\&. The value may 
include = signs; only the first = sign on a line is interpreted\&. Blank lines 
are ignored, but white space on a line with keywords and values is assumed to 
be part of the keyword (if it comes before the equal sign) or part of the value 
(if it comes after the first equal sign)\&. Keywords are case insensitive, 
values are generally case sensitive\&. Since the = sign and newline delimit the 
value, it should not be quoted\&.

Line 326, length 118

Name of a file to which output and error messages will be redirected\&. This 
option has no command\-line equivalent\&.

Line 334, length 124

You use the \-L option to list the nicknames for all available certificates and 
check which ones are signing certificates\&.

Line 365, length 100

Two signing certificates are displayed: Verisign Object Signing Cert and test 
object signing cert\&.

Line 367, length 103

You use the \-l option to get a list of signing certificates only, including 
the signing CA for each\&.

Line 422, length 83

3\&. Specify the name of your object\-signing certificate and sign the 
directory\&.

Line 468, length 333

To use Netscape Signing Tool with a ZIP utility, you must have the utility in 
your path environment variable\&. You should use the zip\&.exe utility rather 
than pkzip\&.exe, which cannot handle long filenames\&. You can use a ZIP 
utility instead of the \-Z option to package a signed archive into a JAR file 
after you have signed it:

Line 489, length 696

The signtool option \-G generates a new public\-private key pair and 
certificate\&. It takes the nickname of the new certificate as an argument\&. 
The newly generated keys and certificate are installed into the key and 
certificate databases in the directory specified by the \-d option\&. With the 
NT version of Netscape Signing Tool, you must use the \-d option with the \-G 
option\&. With the Unix version of Netscape Signing Tool, omitting the \-d 
option causes the tool to install the keys and certificate in the Communicator 
key and certificate databases\&. In all cases, the certificate is also output 
to a file named x509\&.cacert, which has the MIME\-type 
application/x\-x509\-ca\-cert\&.

Line 491, length 428

Certificates contain standard information about the entity they identify, such 
as the common name and organization name\&. Netscape Signing Tool prompts you 
for this information when you run the command with the \-G option\&. However, 
all of the requested fields are optional for test certificates\&. If you do not 
enter a common name, the tool provides a default name\&. In the following 
example, the user input is in boldface:

Line 509, length 81

Enter Password or Pin for "Communicator Certificate DB": [Password will not 
echo]

Line 520, length 424

The certificate information is read from standard input\&. Therefore, the 
information can be read from a file using the redirection operator (<) in some 
operating systems\&. To create a file for this purpose, enter each of the seven 
input fields, in order, on a separate line\&. Make sure there is a newline 
character at the end of the last line\&. Then run signtool with standard input 
redirected from your file as follows:

Line 532, length 219

The prompts show up on the screen, but the responses will be automatically read 
from the file\&. The password will still be read from the console unless you 
use the \-p option to give the password on the command line\&.

Line 536, length 111

You can use the \-M option to list the PKCS #11 modules, including smart cards, 
that are available to signtool:

Line 546, length 95

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 

Line 562, length 103

        
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 

Line 570, length 191

The signtool command normally takes an argument of the \-k option to specify a 
signing certificate\&. To sign with a smart card, you supply only the fully 
qualified name of the certificate\&.

Line 572, length 320

To see fully qualified certificate names when you run Communicator, click the 
Security button in Navigator, then click Yours under Certificates in the left 
frame\&. Fully qualified names are of the format smart card:certificate, for 
example "MyCard:My Signing Cert"\&. You use this name with the \-k argument as 
follows:

Line 596, length 94

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-

Line 605, length 94

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-

Line 611, length 82

This Unix example shows that Netscape Signing Tool is using a FIPS\-140\-1 
module:

Line 619, length 81

Enter Password or Pin for "Communicator Certificate DB": [password will not 
echo]

Line 621, length 94

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-

Line 628, length 94

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-

Line 637, length 102

The NSS wiki has information on the new database design and how to configure 
applications to use it\&.

Line 662, length 102

For information about NSS and other tools related to NSS (like JSS), check out 
the NSS project wiki at

Line 663, length 140

\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. The 
NSS site relates directly to NSS code changes and releases\&.

Line 670, length 115

The NSS tools were written and maintained by developers with Netscape, Red Hat, 
Sun, Oracle, Mozilla, and Google\&.

Line 672, length 86

Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey 
<dlackey@redhat\&.com>\&.

Line 675, length 170

Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL 
was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.


-.-.

Show if docman-to-man created this

4:.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>

-.-.

Put a parenthetical sentence or phrase on a separate line,
if it is not part of code.
See man-pages(7), item "semantic newline".
Not considered in a patch, too many lines.


signtool.1:81:Specifies your certificate database directory; that is, the 
directory in which you placed your key3\&.db and cert7\&.db files\&. To specify 
the current directory, use "\-d\&." (including the period)\&. The Unix version 
of signtool assumes ~/\&.netscape unless told otherwise\&. The NT version of 
signtool always requires the use of the \-d option to specify where the 
database files are located\&.
signtool.1:136:Specifies the name of a metadata control file\&. Metadata is 
signed information attached either to the JAR archive itself or to files within 
the archive\&. This metadata can be any ASCII string, but is used mainly for 
specifying an installer script\&. The metadata file contains one entry per 
line, each with three fields: field #1: file specification, or + if you want to 
specify global metadata (that is, metadata about the JAR archive itself or all 
entries in the archive) field #2: the name of the data you are specifying; for 
example: Install\-Script field #3: data corresponding to the name in field #2 
For example, the \-i option uses the equivalent of this line: + 
Install\-Script: script\&.js This example associates a MIME type with a file: 
movie\&.qt MIME\-Type: video/quicktime For information about the way installer 
script information appears in the manifest file for a JAR archive, see The JAR 
Format on Netscape DevEdge\&.
signtool.1:151:Optimizes the archive for size\&. Use this only if you are 
signing very large archives containing hundreds of files\&. This option makes 
the manifest files (required by the JAR format) considerably smaller, but they 
contain slightly less information\&.
signtool.1:205:Entries in a Netscape Signing Tool command file have this 
general format: keyword=value Everything before the = sign on a single line is 
a keyword, and everything from the = sign to the end of line is a value\&. The 
value may include = signs; only the first = sign on a line is interpreted\&. 
Blank lines are ignored, but white space on a line with keywords and values is 
assumed to be part of the keyword (if it comes before the equal sign) or part 
of the value (if it comes after the first equal sign)\&. Keywords are case 
insensitive, values are generally case sensitive\&. Since the = sign and 
newline delimit the value, it should not be quoted\&.
signtool.1:478:  adding: META\-INF/manifest\&.mf (deflated 15%) 
signtool.1:479:  adding: META\-INF/signtool\&.sf (deflated 28%) 
signtool.1:506:country (must be exactly 2 characters): US
signtool.1:548:                   (this module is internally loaded) 
signtool.1:556:                   (this is an external module) 
signtool.1:598:          (this module is internally loaded)

-.-.

Use a character "\(->" instead of plain "->"

433:\-\-> test\&.f

-.-.

No need for "\&" to be in front of a period (.),
if there is a character in front of it

31:signtool \- Digitally sign objects and files\&.
37:This documentation is still work in progress\&. Please contribute to the 
initial review in
42:\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) 
file to associate the signatures with files in a directory\&. Electronic 
software distribution over any network involves potential security problems\&. 
To help address some of these problems, you can associate digital signatures 
with the files in a JAR archive\&. Digital signatures allow SSL\-enabled 
clients to perform two important operations:
48:If you have a signing certificate, you can use Netscape Signing Tool to 
digitally sign files and package them as a JAR file\&. An object\-signing 
certificate is a special kind of certificate that allows you to associate your 
digital signature with one or more files\&.
50:An individual file can potentially be signed with multiple digital 
signatures\&. For example, a commercial software developer might sign the files 
that constitute a software product to prove that the files are indeed from a 
particular company\&. A network administrator manager might sign the same files 
with an additional digital signature based on a company\-generated certificate 
to indicate that the product is approved for use within the company\&.
52:The significance of a digital signature is comparable to the significance of 
a handwritten signature\&. Once you have signed a file, it is difficult to 
claim later that you didn\*(Aqt sign it\&. In some situations, a digital 
signature may be considered as legally binding as a handwritten signature\&. 
Therefore, you should take great care to ensure that you can stand behind any 
file you sign and distribute\&.
54:For example, if you are a software developer, you should test your code to 
make sure it is virus\-free before signing it\&. Similarly, if you are a 
network administrator, you should make sure, before signing any code, that it 
comes from a reliable source and will run correctly with the software installed 
on the machines to which you are distributing it\&.
56:Before you can use Netscape Signing Tool to sign files, you must have an 
object\-signing certificate, which is a special certificate whose associated 
private key is used to create digital signatures\&. For testing purposes only, 
you can create an object\-signing certificate with Netscape Signing Tool 
1\&.3\&. When testing is finished and you are ready to disitribute your 
software, you should obtain an object\-signing certificate from one of two 
kinds of sources:
58:* An independent certificate authority (CA) that authenticates your identity 
and charges you a fee\&. You typically get a certificate from an independent CA 
if you want to sign software that will be distributed over the Internet\&.
60:* CA server software running on your corporate intranet or extranet\&. 
Netscape Certificate Management System provides a complete management solution 
for creating, deploying, and managing certificates, including CAs that issue 
object\-signing certificates\&.
62:You must also have a certificate for the CA that issues your signing 
certificate before you can sign files\&. If the certificate authority\*(Aqs 
certificate isn\*(Aqt already installed in your copy of Communicator, you 
typically install it by clicking the appropriate link on the certificate 
authority\*(Aqs web site, for example on the page from which you initiated 
enrollment for your signing certificate\&. This is the case for some test 
certificates, as well as certificates issued by Netscape Certificate Management 
System: you must download the the CA certificate in addition to obtaining your 
own signing certificate\&. CA certificates for several certificate authorities 
are preinstalled in the Communicator certificate database\&.
64:When you receive an object\-signing certificate for your own use, it is 
automatically installed in your copy of the Communicator client software\&. 
Communicator supports the public\-key cryptography standard known as PKCS #12, 
which governs key portability\&. You can, for example, move an object\-signing 
certificate and its associated private key from one computer to another on a 
credit\-card\-sized device called a smart card\&.
69:Specifies the base filename for the \&.rsa and \&.sf files in the META\-INF 
directory to conform with the JAR format\&. For example,
71:causes the files to be named signatures\&.rsa and signatures\&.sf\&. The 
default is signtool\&.
76:Specifies the compression level for the \-J or \-Z option\&. The symbol # 
represents a number from 0 to 9, where 0 means no compression and 9 means 
maximum compression\&. The higher the level of compression, the smaller the 
output but the longer the operation takes\&. If the \-c# option is not used 
with either the \-J or the \-Z option, the default compression value used by 
both the \-J and \-Z options is 6\&.
81:Specifies your certificate database directory; that is, the directory in 
which you placed your key3\&.db and cert7\&.db files\&. To specify the current 
directory, use "\-d\&." (including the period)\&. The Unix version of signtool 
assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool 
always requires the use of the \-d option to specify where the database files 
are located\&.
86:Tells signtool to sign only files with the given extension; for example, use 
\-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing 
Tool version 1\&.1 and later this option can appear multiple times on one 
command line, making it possible to specify multiple file types or classes to 
include\&.
91:Specifies a text file containing Netscape Signing Tool options and arguments 
in keyword=value format\&. All options and arguments can be expressed through 
this file\&. For more information about the syntax used with this file, see 
"Tips and Techniques"\&.
96:Generates a new private\-public key pair and corresponding object\-signing 
certificate with the given nickname\&. The newly generated keys and certificate 
are installed into the key and certificate databases in the directory specified 
by the \-d option\&. With the NT version of Netscape Signing Tool, you must use 
the \-d option with the \-G option\&. With the Unix version of Netscape Signing 
Tool, omitting the \-d option causes the tool to install the keys and 
certificate in the Communicator key and certificate databases\&. If you are 
installing the keys and certificate in the Communicator databases, you must 
exit Communicator before using this option; otherwise, you risk corrupting the 
databases\&. In all cases, the certificate is also output to a file named 
x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike 
certificates normally used to sign finished code to be distributed over a 
network, a test certificate created with \-G is not signed by a recognized 
certificate authority\&. Instead, it is self\-signed\&. In addition, a single 
test signing certificate functions as both an object\-signing certificate and a 
CA\&. When you are using it to sign objects, it behaves like an object\-signing 
certificate\&. When it is imported into browser software such as Communicator, 
it behaves like an object\-signing CA and cannot be used to sign objects\&. The 
\-G option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. By default, it produces only RSA certificates with 1024\-byte keys in 
the internal token\&. However, you can use the \-s option specify the required 
key size and the \-t option to specify the token\&.
101:Specifies the name of an installer script for SmartUpdate\&. This script 
installs files from the JAR archive in the local system after SmartUpdate has 
validated the digital signature\&. For more details, see the description of \-m 
that follows\&. The \-i option provides a straightforward way to provide this 
information if you don\*(Aqt need to specify any metadata other than an 
installer script\&.
106:Signs a directory of HTML files containing JavaScript and creates as many 
archive files as are specified in the HTML tags\&. Even if signtool creates 
more than one archive file, you need to supply the key database password only 
once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and 
later versions\&. The \-J option cannot be used at the same time as the \-Z 
option\&. If the \-c# option is not used with the \-J option, the default 
compression value is 6\&. Note that versions 1\&.1 and later of Netscape 
Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be 
expressed for the CLASS and SRC attributes instead of filenames only, processes 
LINK tags and parses HTML correctly, and offers clearer error messages\&.
111:Specifies a special JavaScript directory\&. This option causes the 
specified directory to be signed and tags its entries as inline JavaScript\&. 
This special type of entry does not have to appear in the JAR file itself\&. 
Instead, it is located in the HTML page containing the inline scripts\&. When 
you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.
114:\-k key \&.\&.\&. directory
116:Specifies the nickname (key) of the certificate you want to sign with and 
signs the files in the specified directory\&. The directory to sign is always 
specified as the last command\-line argument\&. Thus, it is possible to write 
signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname 
contains a single quotation mark\&. To avoid problems, escape the quotation 
mark using the escape conventions for your platform\&. It\*(Aqs also possible 
to use the \-k option without signing any files or specifying a directory\&. 
For example, you can use it with the \-l option to get detailed information 
about a particular signing certificate\&.
121:Lists signing certificates, including issuing CAs\&. If any of your 
certificates are expired or invalid, the list will so specify\&. This option 
can be used with the \-k option to list detailed information about a particular 
signing certificate\&. The \-l option is available in Netscape Signing Tool 
1\&.0 and later versions only\&.
126:Lists the certificates in your database\&. An asterisk appears to the left 
of the nickname for any certificate that can be used to sign objects with 
signtool\&.
131:Retains the temporary \&.arc (archive) directories that the \-J option 
creates\&. These directories are automatically erased by default\&. Retaining 
the temporary directories can be an aid to debugging\&.
136:Specifies the name of a metadata control file\&. Metadata is signed 
information attached either to the JAR archive itself or to files within the 
archive\&. This metadata can be any ASCII string, but is used mainly for 
specifying an installer script\&. The metadata file contains one entry per 
line, each with three fields: field #1: file specification, or + if you want to 
specify global metadata (that is, metadata about the JAR archive itself or all 
entries in the archive) field #2: the name of the data you are specifying; for 
example: Install\-Script field #3: data corresponding to the name in field #2 
For example, the \-i option uses the equivalent of this line: + 
Install\-Script: script\&.js This example associates a MIME type with a file: 
movie\&.qt MIME\-Type: video/quicktime For information about the way installer 
script information appears in the manifest file for a JAR archive, see The JAR 
Format on Netscape DevEdge\&.
141:Lists the PKCS #11 modules available to signtool, including smart cards\&. 
The \-M option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. For information on using Netscape Signing Tool with smart cards, see 
"Using Netscape Signing Tool with Smart Cards"\&. For information on using the 
\-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool 
and FIPS\-140\-1"\&.
146:Blocks recursion into subdirectories when signing a directory\*(Aqs 
contents or when parsing HTML\&.
151:Optimizes the archive for size\&. Use this only if you are signing very 
large archives containing hundreds of files\&. This option makes the manifest 
files (required by the JAR format) considerably smaller, but they contain 
slightly less information\&.
156:Specifies a file to receive redirected output from Netscape Signing Tool\&.
161:Specifies a password for the private\-key database\&. Note that the 
password entered on the command line is displayed as plain text\&.
166:Specifies the size of the key for generated certificate\&. Use the \-M 
option to find out what tokens are available\&. The \-s option can be used with 
the \-G option only\&.
171:Specifies which available token should generate the key and receive the 
certificate\&. Use the \-M option to find out what tokens are available\&. The 
\-t option can be used with the \-G option only\&.
176:Displays the contents of an archive and verifies the cryptographic 
integrity of the digital signatures it contains and the files with which they 
are associated\&. This includes checking that the certificate for the issuer of 
the object\-signing certificate is listed in the certificate database, that the 
CA\*(Aqs digital signature on the object\-signing certificate is valid, that 
the relevant certificates have not expired, and so on\&.
181:Sets the quantity of information Netscape Signing Tool generates in 
operation\&. A value of 0 (zero) is the default and gives full information\&. A 
value of \-1 suppresses most messages, but not error messages\&.
186:Displays the names of signers of any files in the archive\&.
191:Excludes the specified directory from signing\&. Note that with Netscape 
Signing Tool version 1\&.1 and later this option can appear multiple times on 
one command line, making it possible to specify several particular directories 
to exclude\&.
196:Tells signtool not to store the signing time in the digital signature\&. 
This option is useful if you want the expiration date of the signature checked 
against the current date and time rather than the time the files were signed\&.
201:Creates a JAR file with the specified name\&. You must specify this option 
if you want signtool to create the JAR file; it does not do so automatically\&. 
If you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the 
JAR file\&. The \-Z option cannot be used at the same time as the \-J option\&. 
If the \-c# option is not used with the \-Z option, the default compression 
value is 6\&.
205:Entries in a Netscape Signing Tool command file have this general format: 
keyword=value Everything before the = sign on a single line is a keyword, and 
everything from the = sign to the end of line is a value\&. The value may 
include = signs; only the first = sign on a line is interpreted\&. Blank lines 
are ignored, but white space on a line with keywords and values is assumed to 
be part of the keyword (if it comes before the equal sign) or part of the value 
(if it comes after the first equal sign)\&. Keywords are case insensitive, 
values are generally case sensitive\&. Since the = sign and newline delimit the 
value, it should not be quoted\&.
211:Same as \-b option\&.
216:Same as \-c option\&.
221:Same as \-d option\&.
226:Same as \-e option\&.
231:Same as \-G option\&.
236:Same as \-i option\&.
241:Same as \-j option\&.
246:Same as \-J option\&.
251:Nickname of certificate, as with \-k and \-l \-k options\&.
256:The directory to be signed, as with \-k option\&.
261:Same as \-l option\&. Value is ignored, but = sign must be present\&.
266:Same as \-L option\&. Value is ignored, but = sign must be present\&.
271:Same as \-m option\&.
276:Same as \-M option\&. Value is ignored, but = sign must be present\&.
281:Same as \-o option\&. Value is ignored, but = sign must be present\&.
286:Same as \-p option\&.
291:Same as \-s option\&.
296:Same as \-t option\&.
301:Same as \-v option\&.
306:Same as \-w option\&.
311:Same as \-x option\&.
316:Same as \-z option\&. value is ignored, but = sign must be present\&.
321:Same as \-Z option\&.
326:Name of a file to which output and error messages will be redirected\&. 
This option has no command\-line equivalent\&.
334:You use the \-L option to list the nicknames for all available certificates 
and check which ones are signing certificates\&.
342:using certificate directory: /u/jsmith/\&.netscape 
347:  VeriSign Class 1 CA \- Individual Subscriber \- VeriSign, Inc\&. 
349:  Uptime Group Plc\&. Class 4 CA 
355:  Uptime Group Plc\&. Class 1 CA 
359:Certificates that can be used to sign objects have *\*(Aqs to their left\&. 
365:Two signing certificates are displayed: Verisign Object Signing Cert and 
test object signing cert\&.
367:You use the \-l option to get a list of signing certificates only, 
including the signing CA for each\&.
375:using certificate directory: /u/jsmith/\&.netscape
380:    Issued by: VeriSign, Inc\&. \- Verisign, Inc\&.
383:    Issued by: test object signing cert (Signtool 1\&.0 Testing 
394:option\&.
398:1\&. Create an empty directory\&.
410:2\&. Put some file into it\&.
416:echo boo > signdir/test\&.f
422:3\&. Specify the name of your object\-signing certificate and sign the 
directory\&.
428:signtool \-k MySignCert \-Z testjar\&.jar signdir
431:using certificate directory: /u/jsmith/\&.netscape
432:Generating signdir/META\-INF/manifest\&.mf file\&.\&.
433:\-\-> test\&.f
434:adding signdir/test\&.f to testjar\&.jar
435:Generating signtool\&.sf file\&.\&.
438:adding signdir/META\-INF/manifest\&.mf to testjar\&.jar
439:adding signdir/META\-INF/signtool\&.sf to testjar\&.jar
440:adding signdir/META\-INF/signtool\&.rsa to testjar\&.jar
448:4\&. Test the archive you just created\&.
454:signtool \-v testjar\&.jar
456:using certificate directory: /u/jsmith/\&.netscape
457:archive "testjar\&.jar" has passed crypto verification\&.
460:         verified   test\&.f
468:To use Netscape Signing Tool with a ZIP utility, you must have the utility 
in your path environment variable\&. You should use the zip\&.exe utility 
rather than pkzip\&.exe, which cannot handle long filenames\&. You can use a 
ZIP utility instead of the \-Z option to package a signed archive into a JAR 
file after you have signed it:
476:  zip \-r \&.\&./myjar\&.jar * 
478:  adding: META\-INF/manifest\&.mf (deflated 15%) 
479:  adding: META\-INF/signtool\&.sf (deflated 28%) 
480:  adding: META\-INF/signtool\&.rsa (stored 0%) 
481:  adding: text\&.txt (stored 0%)
489:The signtool option \-G generates a new public\-private key pair and 
certificate\&. It takes the nickname of the new certificate as an argument\&. 
The newly generated keys and certificate are installed into the key and 
certificate databases in the directory specified by the \-d option\&. With the 
NT version of Netscape Signing Tool, you must use the \-d option with the \-G 
option\&. With the Unix version of Netscape Signing Tool, omitting the \-d 
option causes the tool to install the keys and certificate in the Communicator 
key and certificate databases\&. In all cases, the certificate is also output 
to a file named x509\&.cacert, which has the MIME\-type 
application/x\-x509\-ca\-cert\&.
491:Certificates contain standard information about the entity they identify, 
such as the common name and organization name\&. Netscape Signing Tool prompts 
you for this information when you run the command with the \-G option\&. 
However, all of the requested fields are optional for test certificates\&. If 
you do not enter a common name, the tool provides a default name\&. In the 
following example, the user input is in boldface:
499:using certificate directory: /u/someuser/\&.netscape
500:Enter certificate information\&. All fields are optional\&. Acceptable
501:characters are numbers, letters, spaces, and apostrophes\&.
503:organization: Netscape Communications Corp\&.
508:email address: someuser@netscape\&.com
514:Exported certificate to x509\&.raw and x509\&.cacert\&.
520:The certificate information is read from standard input\&. Therefore, the 
information can be read from a file using the redirection operator (<) in some 
operating systems\&. To create a file for this purpose, enter each of the seven 
input fields, in order, on a separate line\&. Make sure there is a newline 
character at the end of the last line\&. Then run signtool with standard input 
redirected from your file as follows:
532:The prompts show up on the screen, but the responses will be automatically 
read from the file\&. The password will still be read from the console unless 
you use the \-p option to give the password on the command line\&.
547:    1\&. Netscape Internal PKCS #11 Module 
551:      slot: Communicator Internal Cryptographic Services Version 4\&.0 
555:    2\&. CryptOS 
570:The signtool command normally takes an argument of the \-k option to 
specify a signing certificate\&. To sign with a smart card, you supply only the 
fully qualified name of the certificate\&.
572:To see fully qualified certificate names when you run Communicator, click 
the Security button in Navigator, then click Yours under Certificates in the 
left frame\&. Fully qualified names are of the format smart card:certificate, 
for example "MyCard:My Signing Cert"\&. You use this name with the \-k argument 
as follows:
586:Use the \-M option to verify that you are using the FIPS\-140\-1 module\&.
597:  1\&. Netscape Internal PKCS #11 Module
601:    slot: Communicator Internal Cryptographic Services Version 4\&.0
622:1\&. Netscape Internal FIPS PKCS #11 Module
637:The NSS wiki has information on the new database design and how to 
configure applications to use it\&.
647:https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
658:https://wiki\&.mozilla\&.org/NSS_Shared_DB
663:\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&;. 
The NSS site relates directly to NSS code changes and releases\&.
665:Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
670:The NSS tools were written and maintained by developers with Netscape, Red 
Hat, Sun, Oracle, Mozilla, and Google\&.
672:Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey 
<dlackey@redhat\&.com>\&.
675:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the 
MPL was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.

-.-.

Lines longer than about(?) 1023 force a mail program to use quoted-printable
encoding, which is bad.  Generator program is unusable.

Line 96, length 1678

Generates a new private\-public key pair and corresponding object\-signing 
certificate with the given nickname\&. The newly generated keys and certificate 
are installed into the key and certificate databases in the directory specified 
by the \-d option\&. With the NT version of Netscape Signing Tool, you must use 
the \-d option with the \-G option\&. With the Unix version of Netscape Signing 
Tool, omitting the \-d option causes the tool to install the keys and 
certificate in the Communicator key and certificate databases\&. If you are 
installing the keys and certificate in the Communicator databases, you must 
exit Communicator before using this option; otherwise, you risk corrupting the 
databases\&. In all cases, the certificate is also output to a file named 
x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike 
certificates normally used to sign finished code to be distributed over a 
network, a test certificate created with \-G is not signed by a recognized 
certificate authority\&. Instead, it is self\-signed\&. In addition, a single 
test signing certificate functions as both an object\-signing certificate and a 
CA\&. When you are using it to sign objects, it behaves like an object\-signing 
certificate\&. When it is imported into browser software such as Communicator, 
it behaves like an object\-signing CA and cannot be used to sign objects\&. The 
\-G option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. By default, it produces only RSA certificates with 1024\-byte keys in 
the internal token\&. However, you can use the \-s option specify the required 
key size and the \-t option to specify the token\&.

-.-.

Put a subordinate sentence (after a comma) on a new line.

42:\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) 
file to associate the signatures with files in a directory\&. Electronic 
software distribution over any network involves potential security problems\&. 
To help address some of these problems, you can associate digital signatures 
with the files in a JAR archive\&. Digital signatures allow SSL\-enabled 
clients to perform two important operations:
44:* Confirm the identity of the individual, company, or other entity whose 
digital signature is associated with the files
48:If you have a signing certificate, you can use Netscape Signing Tool to 
digitally sign files and package them as a JAR file\&. An object\-signing 
certificate is a special kind of certificate that allows you to associate your 
digital signature with one or more files\&.
50:An individual file can potentially be signed with multiple digital 
signatures\&. For example, a commercial software developer might sign the files 
that constitute a software product to prove that the files are indeed from a 
particular company\&. A network administrator manager might sign the same files 
with an additional digital signature based on a company\-generated certificate 
to indicate that the product is approved for use within the company\&.
52:The significance of a digital signature is comparable to the significance of 
a handwritten signature\&. Once you have signed a file, it is difficult to 
claim later that you didn\*(Aqt sign it\&. In some situations, a digital 
signature may be considered as legally binding as a handwritten signature\&. 
Therefore, you should take great care to ensure that you can stand behind any 
file you sign and distribute\&.
54:For example, if you are a software developer, you should test your code to 
make sure it is virus\-free before signing it\&. Similarly, if you are a 
network administrator, you should make sure, before signing any code, that it 
comes from a reliable source and will run correctly with the software installed 
on the machines to which you are distributing it\&.
56:Before you can use Netscape Signing Tool to sign files, you must have an 
object\-signing certificate, which is a special certificate whose associated 
private key is used to create digital signatures\&. For testing purposes only, 
you can create an object\-signing certificate with Netscape Signing Tool 
1\&.3\&. When testing is finished and you are ready to disitribute your 
software, you should obtain an object\-signing certificate from one of two 
kinds of sources:
60:* CA server software running on your corporate intranet or extranet\&. 
Netscape Certificate Management System provides a complete management solution 
for creating, deploying, and managing certificates, including CAs that issue 
object\-signing certificates\&.
62:You must also have a certificate for the CA that issues your signing 
certificate before you can sign files\&. If the certificate authority\*(Aqs 
certificate isn\*(Aqt already installed in your copy of Communicator, you 
typically install it by clicking the appropriate link on the certificate 
authority\*(Aqs web site, for example on the page from which you initiated 
enrollment for your signing certificate\&. This is the case for some test 
certificates, as well as certificates issued by Netscape Certificate Management 
System: you must download the the CA certificate in addition to obtaining your 
own signing certificate\&. CA certificates for several certificate authorities 
are preinstalled in the Communicator certificate database\&.
64:When you receive an object\-signing certificate for your own use, it is 
automatically installed in your copy of the Communicator client software\&. 
Communicator supports the public\-key cryptography standard known as PKCS #12, 
which governs key portability\&. You can, for example, move an object\-signing 
certificate and its associated private key from one computer to another on a 
credit\-card\-sized device called a smart card\&.
76:Specifies the compression level for the \-J or \-Z option\&. The symbol # 
represents a number from 0 to 9, where 0 means no compression and 9 means 
maximum compression\&. The higher the level of compression, the smaller the 
output but the longer the operation takes\&. If the \-c# option is not used 
with either the \-J or the \-Z option, the default compression value used by 
both the \-J and \-Z options is 6\&.
81:Specifies your certificate database directory; that is, the directory in 
which you placed your key3\&.db and cert7\&.db files\&. To specify the current 
directory, use "\-d\&." (including the period)\&. The Unix version of signtool 
assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool 
always requires the use of the \-d option to specify where the database files 
are located\&.
86:Tells signtool to sign only files with the given extension; for example, use 
\-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing 
Tool version 1\&.1 and later this option can appear multiple times on one 
command line, making it possible to specify multiple file types or classes to 
include\&.
91:Specifies a text file containing Netscape Signing Tool options and arguments 
in keyword=value format\&. All options and arguments can be expressed through 
this file\&. For more information about the syntax used with this file, see 
"Tips and Techniques"\&.
96:Generates a new private\-public key pair and corresponding object\-signing 
certificate with the given nickname\&. The newly generated keys and certificate 
are installed into the key and certificate databases in the directory specified 
by the \-d option\&. With the NT version of Netscape Signing Tool, you must use 
the \-d option with the \-G option\&. With the Unix version of Netscape Signing 
Tool, omitting the \-d option causes the tool to install the keys and 
certificate in the Communicator key and certificate databases\&. If you are 
installing the keys and certificate in the Communicator databases, you must 
exit Communicator before using this option; otherwise, you risk corrupting the 
databases\&. In all cases, the certificate is also output to a file named 
x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike 
certificates normally used to sign finished code to be distributed over a 
network, a test certificate created with \-G is not signed by a recognized 
certificate authority\&. Instead, it is self\-signed\&. In addition, a single 
test signing certificate functions as both an object\-signing certificate and a 
CA\&. When you are using it to sign objects, it behaves like an object\-signing 
certificate\&. When it is imported into browser software such as Communicator, 
it behaves like an object\-signing CA and cannot be used to sign objects\&. The 
\-G option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. By default, it produces only RSA certificates with 1024\-byte keys in 
the internal token\&. However, you can use the \-s option specify the required 
key size and the \-t option to specify the token\&.
101:Specifies the name of an installer script for SmartUpdate\&. This script 
installs files from the JAR archive in the local system after SmartUpdate has 
validated the digital signature\&. For more details, see the description of \-m 
that follows\&. The \-i option provides a straightforward way to provide this 
information if you don\*(Aqt need to specify any metadata other than an 
installer script\&.
106:Signs a directory of HTML files containing JavaScript and creates as many 
archive files as are specified in the HTML tags\&. Even if signtool creates 
more than one archive file, you need to supply the key database password only 
once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and 
later versions\&. The \-J option cannot be used at the same time as the \-Z 
option\&. If the \-c# option is not used with the \-J option, the default 
compression value is 6\&. Note that versions 1\&.1 and later of Netscape 
Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be 
expressed for the CLASS and SRC attributes instead of filenames only, processes 
LINK tags and parses HTML correctly, and offers clearer error messages\&.
111:Specifies a special JavaScript directory\&. This option causes the 
specified directory to be signed and tags its entries as inline JavaScript\&. 
This special type of entry does not have to appear in the JAR file itself\&. 
Instead, it is located in the HTML page containing the inline scripts\&. When 
you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.
116:Specifies the nickname (key) of the certificate you want to sign with and 
signs the files in the specified directory\&. The directory to sign is always 
specified as the last command\-line argument\&. Thus, it is possible to write 
signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname 
contains a single quotation mark\&. To avoid problems, escape the quotation 
mark using the escape conventions for your platform\&. It\*(Aqs also possible 
to use the \-k option without signing any files or specifying a directory\&. 
For example, you can use it with the \-l option to get detailed information 
about a particular signing certificate\&.
121:Lists signing certificates, including issuing CAs\&. If any of your 
certificates are expired or invalid, the list will so specify\&. This option 
can be used with the \-k option to list detailed information about a particular 
signing certificate\&. The \-l option is available in Netscape Signing Tool 
1\&.0 and later versions only\&.
136:Specifies the name of a metadata control file\&. Metadata is signed 
information attached either to the JAR archive itself or to files within the 
archive\&. This metadata can be any ASCII string, but is used mainly for 
specifying an installer script\&. The metadata file contains one entry per 
line, each with three fields: field #1: file specification, or + if you want to 
specify global metadata (that is, metadata about the JAR archive itself or all 
entries in the archive) field #2: the name of the data you are specifying; for 
example: Install\-Script field #3: data corresponding to the name in field #2 
For example, the \-i option uses the equivalent of this line: + 
Install\-Script: script\&.js This example associates a MIME type with a file: 
movie\&.qt MIME\-Type: video/quicktime For information about the way installer 
script information appears in the manifest file for a JAR archive, see The JAR 
Format on Netscape DevEdge\&.
141:Lists the PKCS #11 modules available to signtool, including smart cards\&. 
The \-M option is available in Netscape Signing Tool 1\&.0 and later versions 
only\&. For information on using Netscape Signing Tool with smart cards, see 
"Using Netscape Signing Tool with Smart Cards"\&. For information on using the 
\-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool 
and FIPS\-140\-1"\&.
151:Optimizes the archive for size\&. Use this only if you are signing very 
large archives containing hundreds of files\&. This option makes the manifest 
files (required by the JAR format) considerably smaller, but they contain 
slightly less information\&.
176:Displays the contents of an archive and verifies the cryptographic 
integrity of the digital signatures it contains and the files with which they 
are associated\&. This includes checking that the certificate for the issuer of 
the object\-signing certificate is listed in the certificate database, that the 
CA\*(Aqs digital signature on the object\-signing certificate is valid, that 
the relevant certificates have not expired, and so on\&.
181:Sets the quantity of information Netscape Signing Tool generates in 
operation\&. A value of 0 (zero) is the default and gives full information\&. A 
value of \-1 suppresses most messages, but not error messages\&.
191:Excludes the specified directory from signing\&. Note that with Netscape 
Signing Tool version 1\&.1 and later this option can appear multiple times on 
one command line, making it possible to specify several particular directories 
to exclude\&.
201:Creates a JAR file with the specified name\&. You must specify this option 
if you want signtool to create the JAR file; it does not do so automatically\&. 
If you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the 
JAR file\&. The \-Z option cannot be used at the same time as the \-J option\&. 
If the \-c# option is not used with the \-Z option, the default compression 
value is 6\&.
205:Entries in a Netscape Signing Tool command file have this general format: 
keyword=value Everything before the = sign on a single line is a keyword, and 
everything from the = sign to the end of line is a value\&. The value may 
include = signs; only the first = sign on a line is interpreted\&. Blank lines 
are ignored, but white space on a line with keywords and values is assumed to 
be part of the keyword (if it comes before the equal sign) or part of the value 
(if it comes after the first equal sign)\&. Keywords are case insensitive, 
values are generally case sensitive\&. Since the = sign and newline delimit the 
value, it should not be quoted\&.
251:Nickname of certificate, as with \-k and \-l \-k options\&.
256:The directory to be signed, as with \-k option\&.
261:Same as \-l option\&. Value is ignored, but = sign must be present\&.
266:Same as \-L option\&. Value is ignored, but = sign must be present\&.
276:Same as \-M option\&. Value is ignored, but = sign must be present\&.
281:Same as \-o option\&. Value is ignored, but = sign must be present\&.
316:Same as \-z option\&. value is ignored, but = sign must be present\&.
347:  VeriSign Class 1 CA \- Individual Subscriber \- VeriSign, Inc\&. 
367:You use the \-l option to get a list of signing certificates only, 
including the signing CA for each\&.
380:    Issued by: VeriSign, Inc\&. \- Verisign, Inc\&.
381:    Expires: Tue May 19, 1998
385:    Expires: Sun May 17, 1998
392:For a list including CAs, use the
468:To use Netscape Signing Tool with a ZIP utility, you must have the utility 
in your path environment variable\&. You should use the zip\&.exe utility 
rather than pkzip\&.exe, which cannot handle long filenames\&. You can use a 
ZIP utility instead of the \-Z option to package a signed archive into a JAR 
file after you have signed it:
489:The signtool option \-G generates a new public\-private key pair and 
certificate\&. It takes the nickname of the new certificate as an argument\&. 
The newly generated keys and certificate are installed into the key and 
certificate databases in the directory specified by the \-d option\&. With the 
NT version of Netscape Signing Tool, you must use the \-d option with the \-G 
option\&. With the Unix version of Netscape Signing Tool, omitting the \-d 
option causes the tool to install the keys and certificate in the Communicator 
key and certificate databases\&. In all cases, the certificate is also output 
to a file named x509\&.cacert, which has the MIME\-type 
application/x\-x509\-ca\-cert\&.
491:Certificates contain standard information about the entity they identify, 
such as the common name and organization name\&. Netscape Signing Tool prompts 
you for this information when you run the command with the \-G option\&. 
However, all of the requested fields are optional for test certificates\&. If 
you do not enter a common name, the tool provides a default name\&. In the 
following example, the user input is in boldface:
501:characters are numbers, letters, spaces, and apostrophes\&.
520:The certificate information is read from standard input\&. Therefore, the 
information can be read from a file using the redirection operator (<) in some 
operating systems\&. To create a file for this purpose, enter each of the seven 
input fields, in order, on a separate line\&. Make sure there is a newline 
character at the end of the last line\&. Then run signtool with standard input 
redirected from your file as follows:
532:The prompts show up on the screen, but the responses will be automatically 
read from the file\&. The password will still be read from the console unless 
you use the \-p option to give the password on the command line\&.
536:You can use the \-M option to list the PKCS #11 modules, including smart 
cards, that are available to signtool:
570:The signtool command normally takes an argument of the \-k option to 
specify a signing certificate\&. To sign with a smart card, you supply only the 
fully qualified name of the certificate\&.
572:To see fully qualified certificate names when you run Communicator, click 
the Security button in Navigator, then click Yours under Certificates in the 
left frame\&. Fully qualified names are of the format smart card:certificate, 
for example "MyCard:My Signing Cert"\&. You use this name with the \-k argument 
as follows:
662:For information about NSS and other tools related to NSS (like JSS), check 
out the NSS project wiki at
670:The NSS tools were written and maintained by developers with Netscape, Red 
Hat, Sun, Oracle, Mozilla, and Google\&.
672:Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey 
<dlackey@redhat\&.com>\&.
675:Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the 
MPL was not distributed with this file, You can obtain one at 
http://mozilla\&.org/MPL/2\&.0/\&;.

-.-.

Remove quotes when there is a printable
but no space character between them
and the quotes are not for emphasis (markup),
for example as an argument to a macro.

10:.TH "SIGNTOOL" "1" "19 May 2021" "nss-tools" "NSS Security Tools"
30:.SH "NAME"
32:.SH "SYNOPSIS"
35:.SH "STATUS"
39:.SH "DESCRIPTION"
65:.SH "OPTIONS"
668:.SH "AUTHORS"
673:.SH "LICENSE"
676:.SH "NOTES"

-.-.

Output from "test-groff  -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z ":

troff:<stdin>:340: warning: trailing space in the line
troff:<stdin>:342: warning: trailing space in the line
troff:<stdin>:343: warning: trailing space in the line
troff:<stdin>:344: warning: trailing space in the line
troff:<stdin>:345: warning: trailing space in the line
troff:<stdin>:346: warning: trailing space in the line
troff:<stdin>:347: warning: trailing space in the line
troff:<stdin>:348: warning: trailing space in the line
troff:<stdin>:349: warning: trailing space in the line
troff:<stdin>:350: warning: trailing space in the line
troff:<stdin>:351: warning: trailing space in the line
troff:<stdin>:352: warning: trailing space in the line
troff:<stdin>:353: warning: trailing space in the line
troff:<stdin>:354: warning: trailing space in the line
troff:<stdin>:355: warning: trailing space in the line
troff:<stdin>:356: warning: trailing space in the line
troff:<stdin>:359: warning: trailing space in the line
troff:<stdin>:383: warning: trailing space in the line
troff:<stdin>:474: warning: trailing space in the line
troff:<stdin>:476: warning: trailing space in the line
troff:<stdin>:477: warning: trailing space in the line
troff:<stdin>:478: warning: trailing space in the line
troff:<stdin>:479: warning: trailing space in the line
troff:<stdin>:480: warning: trailing space in the line
troff:<stdin>:545: warning: trailing space in the line
troff:<stdin>:546: warning: trailing space in the line
troff:<stdin>:547: warning: trailing space in the line
troff:<stdin>:548: warning: trailing space in the line
troff:<stdin>:549: warning: trailing space in the line
troff:<stdin>:550: warning: trailing space in the line
troff:<stdin>:551: warning: trailing space in the line
troff:<stdin>:552: warning: trailing space in the line
troff:<stdin>:553: warning: trailing space in the line
troff:<stdin>:554: warning: trailing space in the line
troff:<stdin>:555: warning: trailing space in the line
troff:<stdin>:556: warning: trailing space in the line
troff:<stdin>:557: warning: trailing space in the line
troff:<stdin>:558: warning: trailing space in the line
troff:<stdin>:559: warning: trailing space in the line
troff:<stdin>:560: warning: trailing space in the line
troff:<stdin>:561: warning: trailing space in the line
troff:<stdin>:562: warning: trailing space in the line

-.-

  Additionally (general):

  Abbreviations get a '\&' added after their final full stop (.) to mark them
as such and not as an end of a sentence.

  There is no need to add a '\&' before a full stop (.) if it has a character
before it!

  '\&' is only needed at the beginning of a line, if it otherwise starts with
a control character "." or "'".
