MicroStation PowerDraft CONNECT Edition Help

Signing Applications

The author uses the rsign and checksignature command-line programs to mark an application as trusted: rsign computes a digital signature over the .MA file and stores that signature inside the file, and checksignature lists and verifies the signatures a file already carries. MicroStation PowerDraft .MA files can store up to about 100 digital signatures internally. Adding a new digital signature to a signed .MA file does not invalidate the existing signatures, so up to about 100 different authors can independently sign the same .MA.

The syntax of the rsign command is:

rsign [-flags] <filename>

Flags to identify the signing certificate:

Flag            Description
<filename>      Identifies the file to sign
-spc <file>     The file containing the encoded software publishing certificate
-sp <policy>    Certification path to store in the signature: the full path (chain) or the path excluding the root certificate (spcstore): <chain|spcstore>. Default: spcstore
-s <location>   Location of the certificate store in the registry: <localMachine|currentUser>. Default: currentUser
-k <KeyName>    Key container name (in the current user's default keystore) where the private key can be found
-cn <name>      The common name of the certificate
-v <pvkFile>    PVK file containing the private key (for use when the certificate does not specify a container or PVK file)

Note: The -sp argument lets the signer of an application store more information about their identity in the digital signature, which makes it easier for other users to verify the signature. Storing this information takes up more space in the signature section of the application, and that section is 50,000 bytes in size. Each certificate in a stored chain takes up space, so signing with chain may limit the number of signatures the file can hold.

Flags to modify the result of signing:

Flag                Description
-iN                 Include the signer's name in the signature for display purposes
-iKNDLC             Information to include in the digital signature:
  • K – public key
  • N – certificate common name
  • D – today's date
  • L – name of this computer
  • C – a copy of the certificate
-a <algorithm>      Hashing algorithm for signing: <md5|sha1>. Default: sha1. Keep the default: MD5 collisions are practical, and SHA-1 is itself deprecated for signatures, so sha1 is only the less weak of the two options offered here.
-sha1 <thumbPrint>  The SHA-1 hash (thumbprint) of the certificate, to be used instead of -cn when the common name is not unique

Miscellaneous flags:

Flag            Description
-r              Remove the existing signature

The syntax of the checksignature command is:

checksignature [-flags] <filename>

Flags to identify the signature being checked:

Flag            Description
<filename>      Identifies the file to check. If not specified, the filename is read from stdin
-l[l]           List the signatures (-ll for verbose output)
-x              Verify the signatures
-xb             Verify that the file is signed by Bentley
-n <filename>   List of Bentley applications that are known to be non-rights-compliant
-e <filename>   Export the certificates from the signatures

Note: The -e argument lets a user extract the signer's certificate or certification chain from the digital signatures in an application. Standard tools, such as Microsoft's certmgr.exe, can then be used to examine the certificates and decide whether they are trustworthy. A signature that verifies only proves that the holder of the matching private key signed the file; whether that key belongs to a party you trust is a separate check against the exported certificate.

Any certificate whose private key you hold can be used to sign an MDL application. Certificates may be selected from the current user's certificate store, from standard X.509 certificate (.cer) files, or from PKCS#7 (.p7b) files. You can use the Windows Internet Options > Content > Certificates dialog to review your certificate store. The author must distribute the signed .MA to users. A signed .MA file can still be used in earlier versions of MicroStation PowerDraft and in non-protected files.

Note: .PFX and .P12 files are not supported.
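The signing, verification and certificate-export steps above, driven from PowerShell, as an added example that is not part of the Bentley help page. It assumes that rsign.exe and checksignature.exe are on PATH and report failure through a non-zero exit code, that the file written by checksignature -e can be read by the .NET X509Certificate2Collection importer (.cer or .p7b), and it uses placeholder file names and a placeholder common name. The certificate-store query, the fallback from -cn to -sha1 when a common name is ambiguous, and the final thumbprint comparison are this example's own additions, not rsign behaviour described on the page; only flags listed above are passed to the tools.

```powershell
# Added example, not from the Bentley help page. Assumptions are marked "(assumed)".
param(
    [string]$MaFile     = '.\MyApp.ma',            # placeholder
    [string]$CommonName = 'Example Publisher',     # placeholder CN of the signing certificate
    [string]$ExportPath = '.\MyApp-signer.cer'     # placeholder; format written by -e is assumed
)

function Assert-Ok([string]$Step) {
    # (assumed) rsign and checksignature signal failure with a non-zero exit code
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Find the signing certificate in the current user's store (rsign's default -s location).
#    rsign needs the private key, so only certificates that carry one are candidates.
$pattern    = "CN=$([regex]::Escape($CommonName))(,|$)"
$candidates = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern })
if ($candidates.Count -eq 0) { throw "No certificate with a private key for CN=$CommonName" }

# 2. -cn is ambiguous when several certificates share a common name; the help page offers
#    -sha1 <thumbprint> for that case, so switch to it and take the longest-lived certificate.
if ($candidates.Count -gt 1) {
    $cert   = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $select = @('-sha1', $cert.Thumbprint)
} else {
    $cert   = $candidates[0]
    $select = @('-cn', $CommonName)
}

# 3. Sign. -sp chain stores the full certification path (costs space in the 50,000-byte
#    signature section), -iN records the signer name, -a sha1 is the less weak of the two hashes.
& rsign @select -s currentUser -sp chain -iN -a sha1 $MaFile
Assert-Ok 'rsign'

# 4. Verify every signature the file carries, then list them verbosely.
& checksignature -x $MaFile
Assert-Ok 'checksignature -x'
& checksignature -ll $MaFile

# 5. Export the signer certificate(s) and confirm the expected key did the signing:
#    a signature that verifies under an unexpected certificate is a finding, not a pass.
& checksignature -e $ExportPath $MaFile
Assert-Ok 'checksignature -e'
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$exported.Import((Resolve-Path $ExportPath).Path)   # Import handles both .cer and .p7b input
if (-not ($exported | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    throw "Exported certificates do not include the expected thumbprint $($cert.Thumbprint)"
}
"Signed $MaFile with $($cert.Subject) [$($cert.Thumbprint)]"
```

The thumbprint comparison at the end is the check a reviewer wants after any signing run: checksignature -x answers "is the signature valid", the comparison answers "was it made with the key we meant to use". The same exported file is what another party needs in order to register your certificate under File > Tools > Protection > Applications.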

Identifying Signed Applications

Use the File > Tools > Protection > Applications menu item to view, add, and remove the certificates that identify digital rights-compliant applications.

The Compliant Applications Add command allows the author to choose a certificate that was used by rsign to digitally sign applications that are digital rights-compliant. You can identify any number of certificates that MicroStation PowerDraft should use to recognize rights-compliant applications in a given protected file. If another party signed the application(s), you must obtain a copy of the signer's certificate (for example, by exporting it from the signed .MA with checksignature -e) in order to enter it into the file.