signtool for JAR signing


Wolfgang Rosenauer-2
Hi,

I've tried to use signtool to sign xul and js files within a JAR.

What I did:

signtool -d something -k cert-id -p password content/
[some output]
Generating zigbert.sf file..
tree "content/" signed successfully

Modified a JS file within the content/ tree

zip -r testy.jar content/

signtool -d something -v testy.jar
archive "testy.jar" has passed crypto verification.

          status   path
    ------------   -------------------


This was done using signtool from NSS 3.11.5 on Linux.
So I wonder how it could pass the crypto verification?

Any idea?


Wolfgang
_______________________________________________
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: signtool for JAR signing

Kaspar Brand-2
> signtool -d something -v testy.jar
> archive "testy.jar" has passed crypto verification.
>
>           status   path
>     ------------   -------------------
>
>
> This was done using signtool from NSS 3.11.5 on Linux.
> So I wonder how it could pass the crypto verification?

What are the contents of testy.jar exactly? Does it include the META-INF
subdirectory with manifest.mf and zigbert.{sf,rsa}? Otherwise, the above
message is simply what you get when checking an unsigned jar:

  [me@myhost ~]$ unzip -l foo.zip
  Archive:  foo.zip
    Length     Date   Time    Name
   --------    ----   ----    ----
          0  02-09-07 06:46   foo.txt
   --------                   -------
          0                   1 file
  [me@myhost ~]$ signtool -d path/to/cert/db -v foo.zip
  using certificate directory: path/to/cert/db
  archive "foo.zip" has passed crypto verification.

            status   path
      ------------   -------------------
  [me@myhost ~]$

Maybe signtool's output is somewhat misleading in this case, but the
files it really verified would appear in a listing like this:

  archive "foo.zip" has passed crypto verification.

            status   path
      ------------   -------------------
          verified   foo.txt

Kaspar

Re: signtool for JAR signing

Wolfgang Rosenauer-2
Hi,

Kaspar Brand wrote:

>> signtool -d something -v testy.jar
>> archive "testy.jar" has passed crypto verification.
>>
>>           status   path
>>     ------------   -------------------
>>
>>
>> This was done using signtool from NSS 3.11.5 on Linux.
>> So I wonder how it could pass the crypto verification?
>
> What are the contents of testy.jar exactly? Does it include the META-INF
> subdirectory with manifest.mf and zigbert.{sf,rsa}? Otherwise, the above
> message is simply what you get when checking an unsigned jar:

     5301  02-07-07 15:17   content/META-INF/zigbert.sf
     3469  02-07-07 15:17   content/META-INF/zigbert.rsa
     5193  02-07-07 15:17   content/META-INF/manifest.mf

are there. I can see all the filenames in that file with MD5 and SHA1
digests for them.

>   [me@myhost ~]$ unzip -l foo.zip
>   Archive:  foo.zip
>     Length     Date   Time    Name
>    --------    ----   ----    ----
>           0  02-09-07 06:46   foo.txt
>    --------                   -------
>           0                   1 file
>   [me@myhost ~]$ signtool -d path/to/cert/db -v foo.zip
>   using certificate directory: path/to/cert/db
>   archive "foo.zip" has passed crypto verification.
>
>             status   path
>       ------------   -------------------
>   [me@myhost ~]$
>
> Maybe signtool's output is somewhat misleading in this case, but the
> files it really verified would appear in a listing like this:

OK, then nothing is verified?
Not better in the end, but maybe I'm doing something wrong, hence
asking on this list.

I did one more test and created the jar by signtool's -Z option instead
of signing the tree and "zip" it afterwards and that worked. But
according to the documentation it should also be possible to zip a
signed tree instead of using signtool's feature.

Wolfgang

Re: signtool for JAR signing

Wolfgang Rosenauer-2
Wolfgang Rosenauer wrote:

>>> So I wonder how it could pass the crypto verification?
>> What are the contents of testy.jar exactly? Does it include the META-INF
>> subdirectory with manifest.mf and zigbert.{sf,rsa}? Otherwise, the above
>> message is simply what you get when checking an unsigned jar:
>
>      5301  02-07-07 15:17   content/META-INF/zigbert.sf
>      3469  02-07-07 15:17   content/META-INF/zigbert.rsa
>      5193  02-07-07 15:17   content/META-INF/manifest.mf
>
> I did one more test and created the jar by signtool's -Z option instead
> of signing the tree and "zip" it afterwards and that worked. But
> according to the documentation it should also be possible to zip a
> signed tree instead of using signtool's feature.

OK, the META-INF stuff has to be in the top-level directory structure, which
wasn't the case since signtool was called with content/ as the path, and I want
content/ to actually be within the jar.

No problem, but only a pilot error then!

Wolfgang