Signing Applications
The author uses the rsign and checksignature command-line programs to mark an application as trusted. These programs compute the digital signature of the .MA file and then store the signature inside the file. OpenBuildings Speedikon .MA files have the capacity to store up to about 100 digital signatures internally. Adding a new digital signature to a signed .MA file does not invalidate existing signatures. This means that up to 100 different authors can independently sign the same .MA.
The syntax of the rsign command is:
rsign [-flags] <filename>
Flags to identify the signing certificate:
Flag | Description |
---|---|
<filename> | Identifies the file to sign |
-spc <file> | The file containing the encoded software publishing certificate |
-sp <policy> | Add the certification path (chain), or the certification path excluding the root certificate (spcstore): <chain|spcstore>; defaults to spcstore |
-s <location> | Location of the cert store in the registry: <localMachine|currentUser>; defaults to currentUser |
-k <KeyName> | Key container name (in current user’s default keystore) where private key can be found |
-cn <name> | The common name of the certificate |
-v <pvkFile> | Pvk file name containing the private key (in case the certificate does not specify a container or pvk file) |
Flags to modify the result of signing:
Miscellaneous flags:
The syntax of the checksignature command is:
checksignature [-flags] <filename>
Flags to identify the signature being checked:
Flag | Description |
---|---|
<filename> | Identifies the file to check. If not specified, filename is read from stdin |
--l[l] | List (-ll for verbose) |
--x | Verify signatures |
--xb | Verify that file is signed by Bentley |
--n <filename> | List of Bentley applications that are known to be non-rights-compliant |
--e <filename> | Export certificates from signatures |
Any certificate that has a private key can be used to sign an MDL application. Certificates may be selected from the current user’s certificate store or from standard X.509 certificate (.cer) files and from PKCS#7 (.p7b) files. You can use the Windows Internet Options > Content > Certificates dialog to review your certificate store. The author must distribute the signed .MA to users. A signed .MA file can be used in earlier versions of OpenBuildings Speedikon and in non-protected files.
Identifying Signed Applications
Use the menu item to view, add, and remove certificates that identify digital rights-compliant applications. The Compliant Applications Add command allows the author to choose a certificate that was used by rsign to digitally sign applications that were digital rights-compliant. You can identify any number of certificates that OpenBuildings Speedikon should use to recognize rights-compliant certificates in a given protected file. If another party signed the application(s), you must obtain a copy of the signer’s certificate in order to enter it into the file.