Symbian Security Studio

About Symbian software programming, security analysis, and other things about Symbian.

Monday, October 8, 2007

[package-signature] in Package file format


Package signature
Optional

The package signature contains the digital signature for the package. The signature is calculated across the entire contents of the install package. The signature will be checked when the package is installed and details of the certificate will be available to the user at install time and when listing installed components. The package-signature item takes the form:

*privatekey-filename,certificates-filename[,KEY=privatekey-password]

The privatekey-filename refers to the name of a private key file used to create a digital signature. The private key is used only when creating the SIS file; the name of the file is not embedded within the resultant SIS file. If no package-signature item appears in the PKG file, the package will be unsigned.

The optional KEY parameter specifies the password used to access the private key file if it has been encrypted. If the key is encrypted but the KEY parameter has not been specified, makesis will prompt the user for the access password.

The certificates-filename refers to a single file containing either the corresponding public key certificate (.cer file) or a certificate chain file (.p7c) containing the corresponding public key certificate and its associated certificates (necessary to form a certificate chain to a trusted root certificate).

The following is an example of a package-signature item:

*"files\private.key","files\cert.cer"

Note that there is no support for the use of a time-stamping service when signing a SIS file. A time-stamping server is used so that a user knows that the file was signed within the valid period of a certificate. This is significant if CAs issue certificates which expire (e.g., yearly) and it needs to be established that the signer has used the certificate within its valid period using a public time-keeper. Support for a time-stamping service may be provided in a future version if a requirement develops.
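As an added example (not part of the original documentation and not makesis code), the following Python check parses the package-signature item in the form given above and reports three build-hygiene conditions: a missing item (unsigned package), a KEY= password stored in cleartext in the PKG file, and a certificates file that is neither .cer nor .p7c. The function name audit_pkg_signature and the sample text are constructed for illustration; it assumes filenames are double-quoted as in the example above and that the KEY value may be quoted or bare.

```python
import re
from pathlib import PureWindowsPath

# Form given on the page: *privatekey-filename,certificates-filename[,KEY=privatekey-password]
# Assumptions: filenames are double-quoted as in the page's example, and the
# KEY value may be quoted or bare.
SIG_RE = re.compile(
    r'^\*\s*"(?P<key>[^"]+)"\s*,\s*"(?P<cert>[^"]+)"'
    r'(?:\s*,\s*KEY\s*=\s*(?P<pw>"[^"]*"|[^\s,]+))?\s*$',
    re.IGNORECASE,
)

def audit_pkg_signature(pkg_text):
    """Return (item, findings); item is None when no valid signature item exists."""
    for lineno, raw in enumerate(pkg_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("*"):
            continue  # not a package-signature item
        m = SIG_RE.match(line)
        if m is None:
            return None, [f"line {lineno}: malformed package-signature item"]
        findings = []
        # The password itself is deliberately never copied into the result.
        item = {
            "line": lineno,
            "private_key": m["key"],
            "certificates": m["cert"],
            "has_password": m["pw"] is not None,
        }
        if item["has_password"]:
            findings.append(
                f"line {lineno}: KEY= puts the private-key password in cleartext "
                "in the PKG file; omit it and let makesis prompt"
            )
        if PureWindowsPath(m["cert"]).suffix.lower() not in (".cer", ".p7c"):
            findings.append(f"line {lineno}: certificates file is not .cer or .p7c")
        return item, findings
    return None, ["no package-signature item: the package will be unsigned"]

# Constructed sample PKG fragment (not from the page).
SAMPLE = "\n".join([
    "; constructed example",
    r'*"files\private.key","files\cert.cer",KEY="example-password"',
])

if __name__ == "__main__":
    item, findings = audit_pkg_signature(SAMPLE)
    print(item)
    for f in findings:
        print("WARN", f)
```

Running such a check over PKG files before they are committed keeps the private-key password out of version control while still allowing the interactive makesis prompt.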
