Guide to signing applications

Signing zinc applications is important because a signed application whose signing certificate has been accepted by the user is given elevated privileges. Most zinc applications need these privileges to run.

Rather than signing every file individually, the usual practice is to produce a signed jar that contains the application files. This can be done relatively easily using signtool. For instructions on how to install signtool see the Guide to signing XPIs.

If you want to create your own certificate authority, you can test these procedures without having to buy an official certificate, but this will only work with clients who explicitly install your authority certificate.

Once you have signtool installed, and assuming you have a valid signing certificate installed in your browser, you are ready to go.

Find out what certificate ids are installed by typing:

signtool -d /path/to/cert -L

The certificates available for object signing will have a star by them. The -d option is used to specify the path to your certificates. This is the directory containing key3.db, cert8.db and secmod.db.

If you have installed your certificate into Firefox then this directory will be something like:

~/.mozilla/firefox/idr1qmb5.default/

Armed with a valid cert ID you can now create your signed jar:

signtool -k "My cert ID" -d /path/to/cert/dir -Z sample.jar /path/to/files/to/jar

The key to sign with is specified after the -k option. It must be the full nickname of your certificate.

The -Z option is used to specify the name of the jar that will be produced and the last argument is the path to the directory which will be jarred.
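
The listing and signing steps above can be wrapped in a pre-flight check, shown here as an added example that is not part of the original guide: it confirms the certificate directory holds key3.db, cert8.db and secmod.db, refuses to sign unless the nickname is starred in the -L listing, and verifies the finished jar with signtool's -v option. The function names and the sample listing are constructed for illustration, and the listing layout (a star in the first column, then the nickname) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Constructed sample of `signtool -L` output (assumed layout: a star in
# column one marks a certificate usable for object signing).
SAMPLE_LISTING='S Certificates
- ------------
  Some Root CA
* My cert ID
- ------------'

# Succeed only if directory $1 holds the three database files the guide names.
cert_db_ok() {
    for f in key3.db cert8.db secmod.db; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# Read a `signtool -L` listing on stdin, print the starred nicknames.
signing_nicknames() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^\*[[:space:]]*//p'
}

# Succeed only if nickname $1 is a starred entry in the listing on stdin.
# -F and -x force a literal, whole-line match: -k needs the full nickname.
can_sign_with() {
    signing_nicknames | grep -Fxq -- "$1"
}

# sign_jar NICKNAME CERTDIR JAR SRCDIR: check, sign, then verify the jar.
sign_jar() {
    cert_db_ok "$2" || return 1
    signtool -d "$2" -L | can_sign_with "$1" || {
        echo "'$1' is not starred for object signing in $2" >&2
        return 1
    }
    signtool -k "$1" -d "$2" -Z "$3" "$4" || return 1
    # -v is signtool's archive verification option (not used in the guide).
    signtool -d "$2" -v "$3"
}

# Usage: sign_jar "My cert ID" /path/to/cert/dir sample.jar /path/to/files/to/jar
```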

Once a jar has been produced the application can now be accessed using a URL of the form:

jar:http://www.hostnamehere.org/sample.jar!/sample.xul

Note that this protocol is a little unusual (I need to change the zinc to handle it).

IMPORTANT: When you are developing signed jars, each time you recreate the jar you need to restart Firefox before loading it. Firefox caches the jars and the only easy way to clear the jar cache is to restart Firefox. If you don't clear the cache then it is likely the jar will not work, even if the code in it is fine.