Sign

Signing JAR Files

To sign a JAR file, follow these steps:

  • select a Key Pair from the KeyStore tree table;

  • either choose the main menu Signatures > Sign > JAR file or the contextual menu Sign > Jar file;

  • unlock the Key Pair if requested by providing its password;

  • select the JAR file that will be signed;

  • complete the signature information:

    1. signature file name;

    2. digest algorithm:

      • MD2 (reference can be found in RFC 1319);

      • MD5 (reference can be found in RFC 1321);

      • SHA1 (reference can be found in FIPS 180-3);

    3. signature algorithm - SHA1 with DSA;

    4. check the "Add full manifest digest attribute" option if you want this attribute to be added to the signature.

The signed JAR file can be overwritten or saved in another location, according to the options selected in the "File Saving Options" area.
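The digest algorithm chosen above ends up in the names of the `<ALG>-Digest` attributes of the signature file under META-INF, so a signed JAR can be audited for MD2, MD5 or SHA1 (all deprecated for signatures) after the fact. The following Python code is an added example, not part of CERTivity or its documentation; the sample JAR is constructed with dummy digest values, and treating `<ALG>-Digest-Manifest` as the attribute written by the "Add full manifest digest attribute" option is an assumption.

```python
import io
import re
import zipfile

WEAK = {"MD2", "MD5", "SHA1", "SHA-1"}  # the digest options listed above, all deprecated

def build_sample_jar():
    """Constructed sample: a JAR whose signature file uses SHA1 (digest values are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n\r\nName: A.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/SIGNER.SF",
                   "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: BBBB\r\n\r\n"
                   "Name: A.class\r\nSHA1-Digest: CCCC\r\n\r\n")
        z.writestr("META-INF/SIGNER.DSA", b"\x30\x00")  # placeholder, not a real signature block
        z.writestr("A.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def inspect_jar_signatures(jar_bytes):
    """Return one report per META-INF/*.SF file: digests used, weak ones, block files."""
    reports = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        for name in names:
            m = re.fullmatch(r"META-INF/([^/]+)\.SF", name, re.IGNORECASE)
            if not m:
                continue
            text = z.read(name).decode("utf-8", "replace")
            # Attribute names look like "<ALG>-Digest" or "<ALG>-Digest-Manifest".
            algs = set(re.findall(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:", text, re.M))
            # The signature block file shares the base name of the .SF file.
            blocks = [n for n in names if re.fullmatch(
                rf"META-INF/{re.escape(m.group(1))}\.(DSA|RSA|EC)", n, re.I)]
            reports.append({
                "signature_file": name,
                "digests": sorted(algs),
                "weak_digests": sorted(a for a in algs if a.upper() in WEAK),
                # Assumption: this is what "Add full manifest digest attribute" writes.
                "has_manifest_digest": bool(
                    re.search(r"^[A-Za-z0-9-]+-Digest-Manifest:", text, re.M)),
                "block_files": blocks,
            })
    return reports
```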

Note

You can use the JAR examples provided in the distribution kit, in the doc/samples/jar folder, to test the JAR signing features.

Signing XML Files

To sign an XML file, follow these steps:

  • select a Key Pair from the KeyStore tree table;

  • either choose the main menu Signatures > Sign > XML file or the contextual menu Sign > XML file;

  • unlock the Key Pair if requested by providing its password;

  • select the XML file that will be signed;

  • complete the signature options:

    1. signature type:

      • enveloped - the signature is applied over the XML content that contains the signature as an element.

      • enveloping - the signature is applied over the content found within an Object element of the signature itself.

      • detached - the signature is applied over content external to the Signature element, which is identified by way of a URI or a transform.

    2. digest algorithm:

      • SHA1;

      • SHA256;

      • SHA512;

    3. check "Attach key information to signature" and "Attach certificate information to signature" if you want to attach that information to the signature.

The signed XML file can be overwritten or saved in another location, according to the options selected in the "File Saving Options" area.
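The three signature types above can be told apart in a signed file from where each Reference points, and the digest option appears as the DigestMethod URI. The following Python code is an added example, not part of CERTivity or its documentation; the three sample documents are constructed and abbreviated (dummy values, not schema-complete).

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
DIGESTS = {  # DigestMethod URIs for the three digest options listed above
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA512",
}

def describe_signatures(xml_text):
    """Return (signature type, Reference URI, digest name) for every ds:Reference."""
    results = []
    for sig in ET.fromstring(xml_text).iter(DS + "Signature"):
        # Ids of ds:Object elements and everything nested in them (enveloping payloads).
        inner_ids = {e.get("Id") for o in sig.iter(DS + "Object") for e in o.iter()}
        for ref in sig.findall(f"{DS}SignedInfo/{DS}Reference"):
            uri = ref.get("URI", "")
            transforms = {t.get("Algorithm") for t in ref.iter(DS + "Transform")}
            method = ref.find(DS + "DigestMethod")
            digest = ("missing" if method is None
                      else DIGESTS.get(method.get("Algorithm"), "other"))
            if ENVELOPED_TRANSFORM in transforms:
                kind = "enveloped"      # signature sits inside the content it signs
            elif uri.startswith("#") and uri[1:] in inner_ids:
                kind = "enveloping"     # signed content sits inside ds:Object
            else:
                kind = "detached"       # signed content is outside ds:Signature
            results.append((kind, uri, digest))
    return results

def _sig(uri, digest_uri, transform="", obj=""):
    """Constructed, abbreviated ds:Signature with dummy digest and signature values."""
    t = f'<Transforms><Transform Algorithm="{transform}"/></Transforms>' if transform else ""
    return ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
            f'<Reference URI="{uri}">{t}<DigestMethod Algorithm="{digest_uri}"/>'
            '<DigestValue>AAAA</DigestValue></Reference></SignedInfo>'
            f'<SignatureValue>BBBB</SignatureValue>{obj}</Signature>')

SHA1, SHA256, SHA512 = DIGESTS  # the three URIs, in insertion order
ENVELOPED_DOC = "<doc><item/>" + _sig("", SHA256, ENVELOPED_TRANSFORM) + "</doc>"
ENVELOPING_DOC = _sig("#payload", SHA1, obj='<Object Id="payload"><doc/></Object>')
DETACHED_DOC = _sig("doc.xml", SHA512)
```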

Note

You can use the XML examples provided in the distribution kit, in the doc/samples/xml folder, to test the XML signing features.

One use of XML signatures is signing PAD files. PAD (Portable Application Description) is a file in which an author provides product descriptions and specifications for online sources in a standard way. PAD signing provides a mechanism by which PAD file consumers can ensure that PAD files are authentic.

The steps for signing a PAD file using CERTivity are:

  • create an XML PAD file according to the standards;

  • create a new PKCS12 keystore;

  • generate a key pair whose certificate organization name matches exactly the company name or the first and last name defined in your PAD file. Add the Extended Key Usage extension (Code Signing) and the Key Usage extension (Digital Signature) to the certificate;

  • sign your XML PAD file using this keystore.

Signing PDF Files

CERTivity can digitally sign a PDF document using a public/private-key encrypted byte range digest, and supports the standard SubFilter values adbe.x509.rsa_sha1, adbe.pkcs7.detached, and adbe.pkcs7.sha1. The signature supported by CERTivity is of document (or ordinary) type (according to the PDF Reference, version 1.7) and has no visual representation. The name of the signature handler (Filter) is Adobe.PPKLite. Multiple signatures can be applied incrementally. The signing process is currently not conditioned by the existence of other signature types or by any post-signing changes (DocMDP).

To sign a PDF file, follow these steps:

  • select a Key Pair from the KeyStore tree table;

  • either choose the main menu Signatures > Sign > PDF file or the contextual menu Sign > PDF file;

  • unlock the Key Pair if requested by providing its password;

  • select the PDF file that will be signed;

  • complete the signature information:

    1. Signer Name;

    2. Signer Location;

    3. Signer Reason;

    4. select signature SubFilter - standard value that represents the encoding to use when signing the PDF file:

      • adbe.pkcs7.sha1 - The adbe.pkcs7.sha1 digest of the byte range is encapsulated in the PKCS#7-signed data field;

      • adbe.pkcs7.detached - No data is encapsulated in the PKCS#7-signed data field;

      • adbe.x509.rsa_sha1 - The adbe.x509.rsa_sha1 digest uses the RSA encryption algorithm and SHA-1 digest method. This SubFilter is available only for RSA Key Pairs.

The signed PDF file can be overwritten or saved in another location, according to the options selected in the "File Saving Options" area.
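The byte range digest mentioned above covers every byte of the file except the /Contents value, and because signatures are applied incrementally it is worth checking which bytes a given signature actually covers. The following Python code is an added example, not part of CERTivity or its documentation; the sample PDF is constructed (a bare signature dictionary with a dummy /Contents), the signature dictionary is assumed to be flat, and `detached_alg` is an assumed parameter because the PKCS#7 object is not parsed.

```python
import hashlib
import re

def build_sample_pdf():
    """Constructed sample: just a signature dictionary with a dummy /Contents value."""
    fmt = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
           b"/SubFilter /adbe.pkcs7.detached /ByteRange [0 %06d %06d %06d] /Contents ")
    contents, tail = b"<" + b"00" * 16 + b">", b" >>\nendobj\n%%EOF\n"
    start = len(fmt % (0, 0, 0))   # offset of '<' (the number fields are fixed width)
    end = start + len(contents)    # offset just past '>'
    return fmt % (start, end, len(tail)) + contents + tail

def check_signatures(pdf, detached_alg="sha256"):
    """Report each signature's SubFilter, ByteRange sanity checks and byte range digest."""
    reports = []
    for m in re.finditer(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf):
        o1, l1, o2, l2 = (int(g) for g in m.groups())
        # Assumption: the signature dictionary is flat, so the nearest "<<" opens it.
        dict_start = max(pdf.rfind(b"<<", 0, m.start()), 0)
        sub = re.search(rb"/SubFilter\s*/([\w.]+)", pdf[dict_start:])
        name = sub.group(1).decode() if sub else "unknown"
        gap = pdf[o1 + l1:o2]                        # the only bytes the digest skips
        signed = pdf[o1:o1 + l1] + pdf[o2:o2 + l2]   # the bytes the digest covers
        # Both *sha1 SubFilters fix SHA-1; for adbe.pkcs7.detached the algorithm is
        # named inside the PKCS#7 object, so detached_alg stands in for it here.
        alg = "sha1" if name.endswith("sha1") else detached_alg
        reports.append({
            "subfilter": name,
            "gap_is_contents": gap[:1] == b"<" and gap[-1:] == b">",
            "covers_whole_file": o1 == 0 and o2 + l2 == len(pdf),
            "digest": hashlib.new(alg, signed).hexdigest(),
        })
    return reports
```

A signature whose `covers_whole_file` is false was followed by later bytes, such as a further incremental signature, which its digest does not include.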

Note

You can use the PDF examples provided in the distribution kit, in the doc/samples/pdf folder, to test the PDF signing features.

Note

Signing an encrypted PDF is not currently supported. Signing a PDF that contains xref-streams is not fully supported: for example, the generated signed PDF can become much too large and processing can take a long time. If xref-streams are detected, a warning message is shown with the option to continue the signing procedure.

Signing CSR Files

To sign a CSR file, follow these steps:

  • select a Key Pair from the KeyStore tree table;

  • either choose the main menu Signatures > Sign > CSR file or the contextual menu Sign > CSR file;

  • unlock the Key Pair if requested by providing its password;

  • select the CSR file that will be signed;

  • select a file where to save the CA Reply.

The certificate details from the CSR are shown in a newly opened dialog, where you must provide a Serial Number and double-check the validity period. Additionally, when signing the CSR file, certificate extensions can be added to the certificate that will result in the CA Reply. Extensions are added in the same way as when creating a self-signed certificate while generating a new key pair (see the "Generate Key Pair" and "Add Extensions To Certificate" chapters for more details).

The dialog that allows adding extensions when signing a CSR can be seen in the screenshot below:

Using the information mentioned above (Serial Number, Extensions, and the information collected from the CSR), the CSR file is signed, generating a CA Reply.

Note

You can use the CSR examples provided in the distribution kit, in the doc/samples/csr folder, to test the CSR signing features.