On 2010-04-02 11:07 PST, G. Richard Bellamy wrote:
> I have some questions about signtool. Once again, these are probably
> n00b questions, so I apologize if they’ve been covered elsewhere… any
> guidance on relevant links would be much appreciated (e.g. a link to a
> clearinghouse for doco on NSS and FIPS – I’ve found the FC_* doco on
> mozilla.org, as well I’ve found
> http://books.mozdev.org/html/mozilla-chp-12.html for some guidance on
> how certutil and signtool interact).

Be aware that numerous problems were found with that chapter 12, and its
author eventually repudiated it. See his statement at
http://certs.mozdev.org/

> About signtool:
>
> · It seems to rely heavily on the signature verification used by JAR.

It was created specifically for the purpose of signing JAR files.
Later, Mozilla evolved JAR files into XPI files, and signtool was extended
to sign XPI files also.

> If I set my secmod database to FIPS mode, am I guaranteed that
> signatures are verified in FIPS mode?

The signatures that YOU verify with that DB will be in FIPS mode, yes.

> · Are there plans to support external timestamps, a la the M$
> signtool.exe /t switch?

There are no plans to enhance signtool any further. The Firefox browser
developers have no further interest in it.

> · Are there plans to support other formats than JAR and XPI?

Among NSS's many command line tools there are tools to generate CMS
signatures on arbitrary files. CMS signatures are the kinds of signatures
used in S/MIME email. It is possible to create a crude SMIME email program
with cmsutil.

> Namely, my interest is whether or not this tool is expected to support
> other code-signing use cases (e.g. signing Windows dll/lib files, etc)?

Each OS vendor supplies tools for producing file signatures that will be
recognized and accepted by their own OS. Since Red Hat is making NSS be
its standard core crypto library, it's possible that they will devise a
signing tool for use with their Linux offerings. But it's doubtful that
the NSS team will devise tools to sign programs for Windows.

> Is there somewhere I can find information (aside from reviewing the
> source tree) for the nss/cmd utilities?

Have you read the pages found at
http://www.mozilla.org/projects/security/pki/nss/tools/ ??
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto