|SIGNVER(1)||NSS Security Tools||SIGNVER(1)|
signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]
signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.
signver -V -s signature_file -i signed_file -d /home/my/sharednssdb signatureValid=yes
signver -A -s signature_file -o output_file
BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS requires more flexibility to provide a truly shared security database.
In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB. These new databases provide more accessibility and performance:
Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.
By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:
# signver -A -s signature -d dbm:/home/my/sharednssdb
To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:
This line can be added to the ~/.bashrc file to make the change permanent for the user.
For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
The NSS wiki has information on the new database design and how to configure applications to use it.
Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
IRC: Freenode at #dogtag-pki
Authors: Elio Maldonado <firstname.lastname@example.org>, Deon Lackey <email@example.com>.
- Mozilla NSS bug 836477
|19 May 2021||nss-tools|