Hi,

Kaspar Brand wrote:
>> signtool -d something -v testy.jar
>> archive "testy.jar" has passed crypto verification.
>>
>>           status   path
>>     ------------   -------------------
>>
>>
>> This was done using signtool from NSS 3.11.5 on Linux.
>> So I wonder how it could pass the crypto verification?
> 
> What are the contents of testy.jar exactly? Does it include the META-INF
> subdirectory with manifest.mf and zigbert.{sf,rsa}? Otherwise, the above
> message is simply what you get when checking an unsigned jar:

     5301  02-07-07 15:17   content/META-INF/zigbert.sf
     3469  02-07-07 15:17   content/META-INF/zigbert.rsa
     5193  02-07-07 15:17   content/META-INF/manifest.mf

are there. I can see all the filenames in that file with MD5 and SHA1
digests for them.

>   [EMAIL PROTECTED] ~]$ unzip -l foo.zip
>   Archive:  foo.zip
>     Length     Date   Time    Name
>    --------    ----   ----    ----
>           0  02-09-07 06:46   foo.txt
>    --------                   -------
>           0                   1 file
>   [EMAIL PROTECTED] ~]$ signtool -d path/to/cert/db -v foo.zip
>   using certificate directory: path/to/cert/db
>   archive "foo.zip" has passed crypto verification.
> 
>             status   path
>       ------------   -------------------
>   [EMAIL PROTECTED] ~]$
> 
> Maybe signtool's output is somewhat misleading in this case, but the
> files it really verified would appear in a listing like this:

OK, then nothing is verified?
That's no better in the end, but maybe I'm doing something wrong, so I'm
asking on this list.

I did one more test and created the jar with signtool's -Z option instead
of signing the tree and zipping it afterwards, and that worked. But
according to the documentation, it should also be possible to zip a
signed tree instead of using signtool's feature.

Wolfgang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
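
Since the "passed crypto verification" line with an empty status table is also what an unsigned archive produces, a layout check before trusting it is useful. The following is an added example, not code from this thread or from NSS: it reports whether the three signing files named above are present, where they sit, and which members the manifest does not list. It assumes the standard JAR layout with META-INF/ at the archive root, does not verify any signature, and uses constructed sample archives and hypothetical function names.

```python
import io
import zipfile

# File names quoted in the thread; the root-level META-INF/ location is an assumption
# based on the standard JAR layout.
SIG_FILES = ("manifest.mf", "zigbert.sf", "zigbert.rsa")

def make_zip(members):
    """Build an in-memory archive from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def classify_jar(data):
    """Report where signing metadata sits and which members the manifest omits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        lower = {n.lower(): n for n in names}
        at_root = [f for f in SIG_FILES if "meta-inf/" + f in lower]
        suffixes = tuple("/meta-inf/" + f for f in SIG_FILES)
        nested = sorted(n for n in names if n.lower().endswith(suffixes))
        covered = set()
        if "meta-inf/manifest.mf" in lower:
            text = zf.read(lower["meta-inf/manifest.mf"]).decode("utf-8", "replace")
            # Unfold wrapped manifest lines (continuations start with one space).
            text = text.replace("\r\n", "\n").replace("\n ", "")
            covered = {l[5:].strip() for l in text.splitlines()
                       if l.lower().startswith("name:")}
    payload = [n for n in names if "meta-inf/" not in n.lower()]
    if len(at_root) == len(SIG_FILES):
        status = "signed-layout"         # metadata present; signature still unchecked
    elif nested:
        status = "metadata-not-at-root"  # signing files exist but under a subdirectory
    else:
        status = "unsigned"
    return {"status": status, "nested": nested,
            "uncovered": sorted(n for n in payload if n not in covered)}

MANIFEST = "Manifest-Version: 1.0\n\nName: chrome.js\nSHA1-Digest: PLACEHOLDER\n"
UNSIGNED = make_zip({"foo.txt": ""})
NESTED = make_zip({"content/chrome.js": "x", "content/META-INF/manifest.mf": MANIFEST,
                   "content/META-INF/zigbert.sf": "", "content/META-INF/zigbert.rsa": ""})
ROOTED = make_zip({"chrome.js": "x", "extra.js": "y", "META-INF/manifest.mf": MANIFEST,
                   "META-INF/zigbert.sf": "", "META-INF/zigbert.rsa": ""})

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED), ("nested", NESTED), ("rooted", ROOTED)):
        print(label, classify_jar(blob))
```

Any result other than `signed-layout` with an empty `uncovered` list means the archive contains files that a verifier would not report on.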
