2,391 bytes added,
03:14, 15 April 2015 = Overview =
MAR files can be signed and verified using the signmar binary. The binary should be built by default as of Firefox 40 but you can also set the configure.in option `--enable-signmar`.
==Common operations==
In the examples below, I'll use the NSS config directory which is included in mozilla-central's source code for running xpcshell tests.
All commands take an input MAR file, do some operation on the data, and outputs a new MAR file. Operations are non destructive to the input MAR. That is to say, none of the commands modifies the data of the input MAR in place.
Print detailed information on a MAR file including signatures:
signmar -T archive.mar
Strip a MAR signature and output an un-signed mar file:
signmar -r in.mar out.mar
Sign a MAR file which isn't already signed:
signmar -d ./modules/libmar/tests/unit/data/ -n mycert -s in.mar out.mar
Verify a MAR file on Windows:
signmar -D ../modules/libmar/tests/unit/data/mycert.der -v out.marr
Refresh the product information block of a MAR file:
signmar -H some-channel-id -V 40.0a1 -i unsigned_archive_to_refresh.mar
To refresh a MAR file that is already signed, first strip its signature, refresh, then re-sign.
==Multiple Signatures and signing from multiple parties==
A MAR file can be signed by at most 8 different parties. The actual limit is defined in `modules/libmar/src/mar.h` with MAX_SIGNATURES.
To support multiple parties signing a MAR file, one party can export their MAR file's signature and send it to the 2nd party to import it into that party's already signed MAR file.
Sign a MAR file:
signmar -d ./modules/libmar/tests/unit/data/ -n mycert -s in.mar out.mar
Extract that MAR's signature:
signmar -n0 -X out.mar base64_encoded_sig
Note that you can pass -n1 for the 2nd signature in a file if one exists, -n2 for the 3rd, etc.
Now let's say you signed a different mar file with mycert2. You can import the mycert signature into your mar:
signmar -n1 -I signed_input_archive.mar base64_encoded_sig changed_signed_output.mar
Verify a MAR file signed with 2 signatures:
signmar -D0 ../modules/libmar/tests/unit/data/mycert.der -D1 ../modules/libmar/tests/unit/data/mycert2.der -v out.mar
A MAR file is only verified if all signatures are verified. That is to say if only 1 signature is verified and a MAR has 3 signatures on it, then it will not verify.