
Guide to signing applications

last edited 4 years ago by blackett

Signing zinc applications is important because a signed application whose signing certificate has been accepted by the user is given elevated privileges. Most zinc applications need these privileges to run.

Rather than signing every file individually, the usual practice is to produce a signed jar which contains the application files. This can be done relatively easily using signtool. For instructions on how to install signtool, see the Guide to signing XPIs.

If you create your own certificate authority, you can test these procedures without having to buy an official certificate, but the result will only work with clients who explicitly install your authority certificate.

Once you have signtool installed, and assuming you have a valid signing certificate installed in your browser, you are ready to go.

Find out what certificate ids are installed by typing:

  signtool -d /path/to/cert -L

The certificates available for object signing will have a star by them. The -d option is used to specify the path to your certificates. This is the directory containing key3.db, cert8.db and secmod.db.

If you have installed your certificate into Firefox then this directory will be something like:

  ~/.mozilla/firefox/idr1qmb5.default/

Armed with a valid cert ID you can now create your signed jar:

  signtool -k "My cert ID" -d /path/to/cert/dir -Z sample.jar /path/to/files/to/jar

The key to sign with is specified after the -k option. It must be the full nickname of your certificate.

The -Z option is used to specify the name of the jar that will be produced and the last argument is the path to the directory which will be jarred.
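
The listing and signing steps above combined into one guarded script, as an added example that is not part of the original wiki page: it reads the starred nicknames from `signtool -L` and refuses to sign unless the name given to -k matches one of them in full. The sample listing and its nicknames are constructed, the listing layout is assumed to match signtool's usual output, and the closing `signtool -v` verification of the new jar is a step the page does not describe.

```shell
#!/bin/sh
# Added example: only sign with a certificate that `signtool -L` marks with a star.

# Constructed sample of `signtool -L` output (assumed layout, made-up nicknames).
sample_listing() {
cat <<'EOF'
using certificate directory: /path/to/cert
S Certificates
- ------------
  Example Root CA
* My cert ID
  Example Mail Cert
- ------------
Certificates that can be used to sign objects have *'s to their left.
EOF
}

# Read a listing on stdin; print the starred (object-signing) nicknames, one per line.
signable_certs() {
    sed -n 's/^\*[[:space:]]*//p'
}

# Read a listing on stdin; succeed only if $1 is the full nickname of a starred cert.
is_signable() {
    signable_certs | grep -Fxq -- "$1"
}

# sign_jar NICKNAME CERTDIR JAR SRCDIR
# Checks the nickname against the live listing, signs, then verifies the archive.
sign_jar() {
    if ! signtool -d "$2" -L | is_signable "$1"; then
        echo "refusing: '$1' is not an object-signing certificate in $2" >&2
        return 1
    fi
    signtool -k "$1" -d "$2" -Z "$3" "$4" && signtool -d "$2" -v "$3"
}

# Demonstration on the constructed listing (no signtool needed for this line).
sample_listing | signable_certs
```

A real run would be `sign_jar "My cert ID" /path/to/cert/dir sample.jar /path/to/files/to/jar`, with the same arguments as the signtool command above.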

Once a jar has been produced, the application can be accessed using a URL of the form:

  jar:http://www.hostnamehere.org/sample.jar!/sample.xul

Note that this protocol is a little unusual (I need to change the zinc to handle it).

IMPORTANT: When you are developing signed jars, each time you recreate the jar you need to restart Firefox before loading it. Firefox caches the jars, and the only easy way to clear the jar cache is to restart Firefox. If you don't clear the cache, it is likely the jar will not work, even if the code in it is fine.
