=== Output of the Plugin ===
After a successful installation the plugin prints {{{INFO: SignatureCheck: Listener added to Loader.}}} to the console when Renew starts.

Plugins whose file does not match their signature are not loaded, because such a file may have been tampered with.
Please reinstall the plugin together with its signature.

[[Image(Corrupted.PNG)]]

The set of trusted authors is very limited by default (only the key used by the automatic Renew builds).
Any unknown key raises an error.
This error includes the file location and the [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] fingerprint of the signing key.
The fingerprint can be used to search for the key on a key server.
It is recommended to ask the author directly for their public key, so that the key you trust really comes from the author and not from an impostor.

[[Image(Untrusted.PNG)]]

=== Adding additional trusted keys ===
All trusted keys are stored in the {{{config/publickey.pgp}}} file.
This file is a concatenation of all trusted public keys, so adding a new trusted public key simply means appending it.

The following commands append the file key.pgp to publickey.pgp.
All commands are meant to be executed inside the config folder.

Windows has the cmd command copy, which can copy binary data from multiple files into one:

{{{
COPY /B .\publickey.pgp + .\key.pgp .\publickey.pgp
}}}

Linux and MacOS have the program cat, which works similarly. Do not redirect into the keyring with {{{>}}} (as in {{{cat publickey.pgp key.pgp > publickey.pgp}}}): the shell truncates publickey.pgp before cat reads it, so the existing keys would be lost. Append with {{{>>}}} instead:

{{{
cat key.pgp >> publickey.pgp
}}}
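To see which keys the {{{config/publickey.pgp}}} file currently trusts and to append a new one safely, here is an added Python example; it is not part of the NetSigner plugin or of Renew. It parses the binary OpenPGP packet format (RFC 4880) directly, prints the v4 fingerprint of every primary key so it can be compared with the fingerprint shown in the untrusted-key error and with the one obtained from the author, and refuses to append a key that is already present. It assumes the file holds binary (not ASCII-armored) keys, as the {{{COPY /B}}} command above suggests; the script name {{{trusted_keys.py}}}, the {{{build_fake_rsa_key}}} helper and the toy key material it produces are constructed for this example only.

```python
"""Inspect and extend Renew's config/publickey.pgp trust file.

Added example, not part of the NetSigner plugin: the trust file is a
concatenation of OpenPGP public-key packets (RFC 4880), so this script walks
the packet headers, computes the v4 fingerprint of every primary key (the
value the plugin reports for an unknown key) and appends a new key only
after checking that it parses and is not already present.
"""
import hashlib
import struct


def iter_packets(data: bytes):
    """Yield (tag, body) for every OpenPGP packet in a binary key file."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"byte {pos}: not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 2] + 192
                hdr = 3
            elif first == 255:
                length = struct.unpack(">I", data[pos + 2:pos + 6])[0]
                hdr = 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header (RFC 4880 4.2.1); GnuPG writes 0x99 for public keys
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError(f"byte {pos}: truncated packet")
        yield tag, body
        pos += hdr + length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the body."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def primary_fingerprints(data: bytes) -> list:
    """Fingerprints of all primary public keys (tag 6); subkeys (tag 14) are skipped."""
    return [v4_fingerprint(body) for tag, body in iter_packets(data) if tag == 6]


def append_trusted_key(keyring_path: str, key_path: str) -> str:
    """Append key_path to keyring_path in binary append mode (never truncates
    the keyring, unlike `cat a b > a`) and return the new key's fingerprint,
    which should match the one the author handed over out of band."""
    with open(key_path, "rb") as fh:
        new_key = fh.read()
    fps = primary_fingerprints(new_key)
    if len(fps) != 1:
        raise ValueError(f"expected exactly one primary key, found {len(fps)}")
    with open(keyring_path, "rb") as fh:
        already_trusted = set(primary_fingerprints(fh.read()))
    if fps[0] in already_trusted:
        raise ValueError(f"key {fps[0]} is already trusted")
    with open(keyring_path, "ab") as fh:
        fh.write(new_key)
    return fps[0]


def _mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-byte bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def build_fake_rsa_key(n: int, e: int = 65537, created: int = 0) -> bytes:
    """Constructed v4 RSA public-key packet with a toy modulus; not a usable key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    import sys  # usage: python trusted_keys.py config/publickey.pgp [key.pgp]
    if len(sys.argv) == 3:
        print("added", append_trusted_key(sys.argv[1], sys.argv[2]))
    with open(sys.argv[1], "rb") as fh:
        for fp in primary_fingerprints(fh.read()):
            print(fp)
```

Run it from the config folder with just the keyring path to list the fingerprints Renew will trust, or with the keyring and a key file to append that key; only the primary key's fingerprint is printed, because that is the value to compare against what the author gave you. The packet parser stops on partial-body and indeterminate lengths rather than guessing, since a keyring that needs those is not a plain export of public keys.
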
=== Getting a Certificate ===
First choose a [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority (CA)], which will vouch for your identity to other users.
A list of trusted CAs is available in the file doc/trusted.txt of the release.
This plugin needs an X.509 code signing certificate or an X.509 personal e-mail certificate.
Each CA has different requirements on how to request a certificate.

One standardized way to get a certificate is a CSR (certificate signing request), which can be created with this plugin.
This feature is in the menu under Plugins -> Net Signature -> New CSR.

[[Image(menu.PNG)]]

Enter all information needed by the CA and click the "Generate CSR" button.
This writes the CSR to the chosen location and saves the private key in the KeyStore.
You will be asked for a password, which protects your private key.
Send the CSR to the CA.
The CA will issue a certificate chain for your key, which can be imported with the Plugins -> Net Signature -> Import certificate chain menu entry.
The signing part of this plugin is ready once the certificate chain has been imported.

If the "Net Signature" sub menu is missing, make sure that the NetSigner plugin is placed in the Renew plugin folder.
If the "New CSR" or "Import certificate chain" menu entry does not exist, follow the steps under User Guide.

If the CA has its own tools to request a certificate, use those.
These usually produce a PKCS#12 file, which holds a private key together with its certificates.
To import a PKCS#12 file use the Plugins -> Net Signature -> Import PKCS#12 file menu entry.
This step asks for three passwords.
The first password is the password of the PKCS#12 file.
The second password is the password of the KeyStore (it is set the first time a KeyStore password is entered).
The third password is the new password for the freshly imported key.

=== Signing a Net Drawing ===
[[Image(menuExport.PNG)]]

The signing function is under File -> Export -> Export current drawing -> SignedNetDrawing current drawing.

You will be asked for your passwords the first time you sign a Net Drawing in each Renew instance.
These are the KeyStore and private key passwords from the import.

=== Getting Signature Information ===
Best practice is to check the identity of the signer before opening the net.
This is possible with the menu option Plugins -> Net Signature -> Show signer of file.

In this mode the net is not interpreted; the plugin only checks the signature of the file and displays the signer information.

The important part is the Signer portion.
It shows the name of the author of the net.
Additionally, the first line under "more information" contains the country code, city, e-mail address and any other information known about the author.
The lines below that show the CAs.
These can be important inside a corporation or institute where the right CA for the author is known.

=== Loading a signed Net Drawing ===

The loading functionality is under File -> Import -> SignedNetDrawing.
This loads the Net Drawing only if the signature is correct and trusted.

Information about the signer can be viewed under Plugins -> Net Signature -> Show current signature.
