NuGet signing documentation

README.md

@@ -9,9 +9,9 @@ Jsign - Java implementation of Microsoft Authenticode
 Jsign is a Java implementation of Microsoft Authenticode that lets you sign
 and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet
 files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft
-Dynamics 365 extension packages and scripts. Jsign is platform independent and
-provides an alternative to native tools like signcode/signtool on Windows or
-the Mono development tools on Unix systems.
+Dynamics 365 extension packages, NuGet packages and scripts. Jsign is platform
+independent and provides an alternative to native tools like signcode/signtool
+on Windows or the Mono development tools on Unix systems.
 
 Jsign comes as an easy-to-use task/plugin for the main build systems (Maven,
 Gradle, Ant). It's especially suitable for signing executable wrappers and
@@ -21,7 +21,7 @@ Jsign can also be used programmatically or standalone as a command line tool.
 Jsign is free to use and licensed under the [Apache License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
 
 ## Features
-* Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF)
+* Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)
 * Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
 * Supports multiple signatures per file, for all file types
 * Extracts and embeds detached signatures to support [reproducible builds](https://reproducible-builds.org/docs/embedded-signatures/)
@@ -48,6 +48,10 @@ See https://ebourg.github.io/jsign for more information.
 
 ## Changes
 
+#### Version 6.1 (in development)
+
+* Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
+
 #### Version 6.0 (2024-01-17)
 
 * Signing of APPX/MSIX packages has been implemented (thanks to Maciej Panek for the help)

docs/index.html

@@ -4,7 +4,7 @@
   <head>
     <meta charset='utf-8' />
     <meta http-equiv="X-UA-Compatible" content="chrome=1" />
-    <meta name="description" content="Jsign : Pure Java implementation of Microsoft Authenticode for signing Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF)" />
+    <meta name="description" content="Jsign : Pure Java implementation of Microsoft Authenticode for signing Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)" />
     <meta name="google-site-verification" content="p912kgAnTBOzVbswrU43k3FXUbPnxLHdeW6xsVcq1uU" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 
@@ -35,9 +35,9 @@ <h2 id="project_tagline">Java implementation of Microsoft Authenticode <br class
       <section id="main_content" class="inner">
 
 
-<p>Jsign is a Java implementation of Microsoft Authenticode that lets you sign
-and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB),
-Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages
+<p>Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp
+executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files
+(CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages
 and scripts (PowerShell, VBScript, JScript, WSF). Jsign is platform independent and provides
 an alternative to native tools like <em>signcode/signtool</em> on Windows or the Mono
 development tools on Unix systems.</p>
@@ -57,7 +57,7 @@ <h2 id="project_tagline">Java implementation of Microsoft Authenticode <br class
 <h3 id="features">Features</h3>
 
 <ul>
-  <li>Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF)</li>
+  <li>Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)</li>
   <li>Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)</li>
   <li>Supports multiple signatures per file, for all file types</li>
   <li>Extracts and embeds detached signatures to support <a href="https://reproducible-builds.org/docs/embedded-signatures/">reproducible builds</a></li>
@@ -144,7 +144,7 @@ <h4 id="attributes" class="mobile-only">Attributes</h4>
       <td class="description">
           The file to be signed. The supported files are Windows executables (EXE), DLLs, Microsoft Installers (MSI),
           Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension
-          packages and scripts (PowerShell, VBScript, JScript, WSF)</td>
+          packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)</td>
       <td class="required">Yes, unless a fileset is specified.</td>
     </tr>
     <tr>
@@ -447,7 +447,7 @@ <h3 id="cli">Command Line Tool</h3>
   usage: jsign [OPTIONS] [FILE]...
   Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet
   files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics
-  365 extension packages and scripts (PowerShell, VBScript, JScript, WSF).
+  365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF).
 
   -s,--keystore &lt;FILE>       The keystore file, the SunPKCS11 configuration file,
                              the cloud keystore name, or the card/token name
@@ -785,7 +785,7 @@ <h3 id="credits">Credits</h3>
 PVK parsing is based on the <a href="https://web.archive.org/web/20170810033553/http://www.drh-consultancy.demon.co.uk/pvk.html">pvktool</a> by Stephen N Henson.<br>
 MSI signing was possible thanks to the work done by the <a href="https://github.com/mtrojnar/osslsigncode">osslsigncode</a> and <a href="https://poi.apache.org/">Apache POI</a> projects.</p>
 
-<p>Jsign includes contributions from Emmanuel Bourg, Florent Daigniere, Michael Szediwy, Michael Peterson, Markus Kilås, Erwin Tratar, Björn Kautler, Joseph Lee, Maria Merkel and Vincent Malmedy.</p>
+<p>Jsign includes contributions from Emmanuel Bourg, Florent Daigniere, Michael Szediwy, Michael Peterson, Markus Kilås, Erwin Tratar, Björn Kautler, Joseph Lee, Maria Merkel, Vincent Malmedy and Sebastian Stamm.</p>
 
 <h3 id="contacts">Contact</h3>
 

jsign-cli/src/main/java/net/jsign/JsignCLI.java

@@ -141,7 +141,7 @@ private void setOption(String key, SignerHelper helper, CommandLine cmd) {
     }
 
     private void printHelp() {
-        String header = "Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF).\n\n";
+        String header = "Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF).\n\n";
         String footer ="\n" +
                 "Examples:\n\n" +
                 "   Signing with a PKCS#12 keystore and timestamping:\n\n" +

jsign-gradle-plugin/build.gradle

@@ -25,7 +25,7 @@ gradlePlugin {
         jsignPlugin {
             id = 'net.jsign'
             displayName = 'Jsign Gradle plugin'
-            description = 'Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF)'
+            description = 'Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)'
             tags.set(['signing', 'code-signing', 'authenticode', 'signtool'])
             implementationClass = 'net.jsign.JsignGradlePlugin'
         }

jsign/src/choco/jsign.nuspec

@@ -13,13 +13,13 @@
     <packageSourceUrl>https://github.com/ebourg/jsign/tree/master/jsign/src/choco</packageSourceUrl>
     <docsUrl>https://ebourg.github.io/jsign/</docsUrl>
     <bugTrackerUrl>https://github.com/ebourg/jsign/issues</bugTrackerUrl>
-    <tags>signing code-signing authenticode signtool PE EXE SYS DLL CAB MSI VBS WSF APPX MSIX NAVX</tags>
+    <tags>signing code-signing authenticode signtool PE EXE SYS DLL CAB MSI VBS WSF APPX MSIX NAVX NUGET</tags>
     <summary>Command line tool for signing Windows executable files, installers and scripts</summary>
     <description>
       Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files
       for Windows, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX),
-      Microsoft Dynamics 365 extension packages and scripts. Jsign is platform independent and provides an alternative
-      to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
+      Microsoft Dynamics 365 extension packages, NuGet packages and scripts. Jsign is platform independent and provides
+      an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
     </description>
     <releaseNotes>https://github.com/ebourg/jsign/blob/master/README.md</releaseNotes>
     <dependencies>

jsign/src/deb/control/control

@@ -12,6 +12,6 @@ Description: Code signing for Windows executables, Microsoft Installers and scri
  Jsign is a Java implementation of Microsoft Authenticode that lets you sign
  and timestamp executable files for Windows, Microsoft Installers (MSI),
  Cabinet files, Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension
- packages and scripts (PowerShell, VBScript, JScript, WSF). Jsign is platform
- independent and provides an alternative to native tools like signcode/signtool
- on Windows or the Mono development tools on Unix systems.
+ packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF). Jsign
+ is platform independent and provides an alternative to native tools like
+ signcode/signtool on Windows or the Mono development tools on Unix systems.

jsign/src/deb/data/usr/share/bash-completion/completions/jsign

@@ -14,7 +14,7 @@ _jsign()
         return 0
     fi
 
-    local pattern="!*.@(exe|dll|cpl|ocx|sys|scr|drv|ps1|psm1|psd1|msi|msp|cab|cat|appx|appxbundle|msix|msixbundle|navx|app)"
+    local pattern="!*.@(exe|dll|cpl|ocx|sys|scr|drv|ps1|psm1|psd1|msi|msp|cab|cat|appx|appxbundle|msix|msixbundle|navx|app|nupkg)"
 
     case $prev in
         -s|--keystore|--keyfile|-c|--certfile)

jsign/src/deb/data/usr/share/man/man1/jsign.1

@@ -2,7 +2,7 @@
 .TH man 1 "25 Mar 2021" "@VERSION@" "jsign man page"
 
 .SH NAME
-jsign \- sign and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages and scripts (PowerShell, VBScript, JScript, WSF)
+jsign \- sign and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages, NuGet packages and scripts (PowerShell, VBScript, JScript, WSF)
 
 .SH SYNOPSIS
 .B jsign
@@ -12,9 +12,9 @@ jsign \- sign and timestamp executable files for Windows, Microsoft Installers (
 Jsign is a Java implementation of Microsoft Authenticode that lets you sign
 and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet
 files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft
-Dynamics 365 extension packages and scripts. Jsign is platform independent and
-provides an alternative to native tools like signcode/signtool on Windows or
-the Mono development tools on Unix systems.
+Dynamics 365 extension packages, NuGet packages and scripts. Jsign is platform
+independent and provides an alternative to native tools like signcode/signtool
+on Windows or the Mono development tools on Unix systems.
 
 Jsign can use private keys and certificates in various formats, either Java keystores,
 PKCS#12 keystores, PKCS#11 hardware tokens, SPC/PVK files or from cloud key management

pom.xml

@@ -11,7 +11,8 @@
 
   <description>
     Pure Java implementation of Microsoft Authenticode for signing Windows executable files, Microsoft Installers (MSI),
-    Cabinet files (CAB), Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF).
+    Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft Dynamics 365 extension packages,
+    NuGet packages and scripts (PowerShell, VBScript, JScript, WSF).
   </description>
   <url>https://ebourg.github.io/jsign</url>