Re: [Widgets] Signing

We sign our files by simply tacking signing information on the end of 
the file. We can technically sign both zip files and our proprietary 
flat-file format with this system (though we don't generally advertise 
that you can sign zip files).

Our signature format looks like this:

'sign' <sig length> <signature> <cert length> <certificate> <back pointer> 'sign'

The <signature> is generated by using an SHA1 digest of the file (minus 
the signature) and the certificate. The digest is then signed with the 
given cert and the appropriate private key and converted to base64.

The <certificate> is simply the cert in PEM format.

The <back pointer> allows us to find the beginning of the block.

So when we get a file in hand, we check the last four bytes to see if 
it's 'sign'. If so, we get the previous 4 bytes and walk back that 
amount. The data at that location should also be 'sign'. If so, we 
proceed to parse out the pieces based on the lengths specified. Once we 
have the cert and the signature, we can easily verify the signature.

We also do a limited root cert check to verify authenticity. We do all 
of this using openssl.

Michael(tm) Smith wrote:

>Ed Voas <voas@yahoo-inc.com>, 2006-11-10 08:44 -0800:
>
>>Just a note that I just read the part about a future draft of the spec 
>>including things on signing. We are already signing our Widgets, so if 
>>people want me to lay out our signature method here, please let me know.
>
>I'd definitely like to hear the details.
>
>  --Mike

Received on Friday, 10 November 2006 17:37:35 UTC
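
Added example, not part of the original message and not the sender's code: a bounds-checked parser for the trailer layout described above, treating every length in the file as untrusted. The message gives no field widths or byte order, so 4-byte big-endian length fields and a back pointer equal to the size of the whole block are assumptions; build_trailer, parse_trailer and TrailerError are hypothetical names.

```python
import base64
import struct

MAGIC = b"sign"
# Assumptions (not stated in the message): length fields and the back pointer
# are 4-byte big-endian unsigned integers, and the back pointer is the size of
# the whole block, from the leading 'sign' through the trailing 'sign'.
U32 = struct.Struct(">I")
OVERHEAD = 4 + 4 + 4 + 4 + 4  # magic, sig len, cert len, back pointer, magic

class TrailerError(ValueError):
    """Raised when the trailer is absent or internally inconsistent."""

def build_trailer(signature_b64: bytes, cert_pem: bytes) -> bytes:
    """Build a block in the assumed layout (used to construct sample input)."""
    size = OVERHEAD + len(signature_b64) + len(cert_pem)
    return (MAGIC + U32.pack(len(signature_b64)) + signature_b64
            + U32.pack(len(cert_pem)) + cert_pem + U32.pack(size) + MAGIC)

def parse_trailer(data: bytes):
    """Return (payload, raw_signature, cert_pem) or raise TrailerError."""
    if len(data) < OVERHEAD or data[-4:] != MAGIC:
        raise TrailerError("no trailing 'sign' marker")
    (back,) = U32.unpack(data[-8:-4])
    if back < OVERHEAD or back > len(data):
        raise TrailerError("back pointer outside file")
    start = len(data) - back
    if data[start:start + 4] != MAGIC:
        raise TrailerError("back pointer does not land on 'sign'")
    pos = start + 4
    end = len(data) - 8  # fields must stop where the back pointer begins
    fields = []
    for name in ("signature", "certificate"):
        if pos + 4 > end:
            raise TrailerError(f"{name} length field truncated")
        (n,) = U32.unpack(data[pos:pos + 4])
        pos += 4
        if n > end - pos:
            raise TrailerError(f"{name} length overruns block")
        fields.append(data[pos:pos + n])
        pos += n
    if pos != end:
        raise TrailerError("unaccounted bytes inside block")
    sig_b64, cert_pem = fields
    try:
        raw_sig = base64.b64decode(sig_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise TrailerError("signature is not valid base64") from exc
    return data[:start], raw_sig, cert_pem
```

The returned payload, signature and certificate are what the signature verification and root cert check described in the message would then operate on; the parser only guarantees that the lengths read from the file stay inside it and add up to the block size.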