A digital signature is a fingerprint of the original programmer, and it allows the security model of the browser to detect where (or from whom) it originated. A script signer can be a person or an organization. By signing a script, you acknowledge yourself as the author and accept responsibility for the program's actions. A signed script contains a cryptographic checksum, which is just a special value that ensures the signed script has not been changed. When a digital signature is detected, you are assured that the code has not been tampered with since the programmer signed it.
Once you finish writing a script, you can use the Netscape Signing Tool to digitally sign it. Signing a script does the following:
Unambiguously assigns ownership of the script to a person or organization.
Allows an HTML page to use multiple signed scripts.
Places the signed script into a Java Archive (JAR) file.
Places the source of the script in the JAR file.
Once a user confirms the origin of the script and is assured that it has not been tampered with since its signing, he or she can then decide whether to grant the privileges requested by the script based on the validated identity of the certificate owner and validated integrity of the script.
The latest version of the Netscape Signing Tool can be downloaded for free from http://developer.netscape.com/software/signedobj/jarpack.html. In order to use the signing tool, you first need to acquire an object-signing certificate. There are two ways to do obtain this certificate—you can use the tool itself to create one for you, or you can purchase a certificate from a third-party company that specializes in object signing such as VeriSign (http://www.verisign.com). A certificate created by using the tool itself is only to be used for testing purposes, according
to the Netscape Web site. In order to use signed scripts in a production environment, you will need to get a certificate from either an independent certificate authority that can authenticate your identity (and will charge you a fee) or from certificate-authority server software running on your corporate intranet or extranet.
Once you've downloaded the Netscape Signing Tool, you'll be ready to create an object-signing certificate for testing purposes. In order to create a certificate, you will need to locate the files key3.db and cert7.db in your Netscape directory. Once you have found these two files, you'll need to back them up somewhere safe, in case you accidentally damage the databases.
To generate a certificate, use the Netscape Signing Tool command, which is as follows:
signtool -G <certificate name>-d <path to key3.db and cert7.db>
The −G option lets you specify the name of the certificate you are creating. The −d must be used to specify the directory in which the key and certificate databases are located. If the databases are located in the same directory as the signing tool, you can use the option −d. An actual example of a command that would sign a script could be as follows:
signtool -G MyCert -d C:\Program Files\NETSCAPE\USERS\jdow\
This command will create a certificate named MyCert in the certificate database of user jdow on a Windows NT machine. After running the command, the program will ask you for your identification data, which will then be digitally included in the signed scripts you create with the certificate.
Once you have acquired an object-signing certificate, either through a third party or by using the signing tool, you are ready to start signing files.
Follow these simple steps to create a signed script:
Specify the name of your object-signing certificate and sign the directory. Use the following command (as one line):
signtool -d <path to certificate database> -k <certificate name> -Z <jar file name> <directory with script files>
Type the password to your private-key database.
Test the archive you just created using the following command:
signtool -v <jar file name>
REM Expand the jar file into a new directory unzip -qq myjar.jar -d signjar del myjar.jar rem Sign everything in the new directory and recompress signtool -k MySignCert -Z myjar.jar signdir
This script unpacks a JAR file containing script files, signs them, and then repacks them into the JAR file.
The aspects of the Netscape Signing Tool covered here are only a fraction of what the Signing Tool can do. I encourage you to visit Netscape's documentation of their Signing Tool at http://developer.netscape.com/docs/manuals/cms/41/adm_gide/app_sign.htm.