Ideas for a signing tool
Daniel Nashed – 2 October 2024 09:51:27
Template signing is an important part of your Notes/Domino security.
The only fully automated signing option today relies on the AdminP process.
But this would only allow you to sign with the current server.id.
Using the server.id isn't a great choice, because anyone who can run unrestricted code can sign code with the server.id.
A best practice is to create a dedicated template signing ID, the way HCL uses a template signer ID to sign all of its templates.
But how do you sign with a signing ID?
Currently out of the box you can only switch to the ID and sign the database manually.
There are business partner tools out there that fill this gap, but there is no out-of-the-box solution.
If we want more developers to sign their templates correctly, we should make signing easy for them.
I am working on a signing tool and I am still looking for the right functionality.
The basic command-line tool is done. But I also want to support delegated signing using a request database.
But I already have a command-line tool I am using and refining for my own needs.
Today I added a check to only sign design elements which have not been signed by the signer yet.
I can open a signing ID from local disk, a profile or from IDVault. But I can't get its name using public APIs.
But maybe this is the more flexible way: you can specify a string to check when validating the signature.
Not updating an existing signature makes signing faster. More importantly, design elements that have not been modified are skipped and not re-signed.
So those template design elements are not modified at all.
I am planning to make the basic command line tool free.
And my intent is also to offer a complete solution, including a request-based model, to OpenNTF and other non-profit organizations for free.
What do you think? Is this helpful if I only provide the command-line for free as a first step?
It would likely not be open source, but it would be free.
-- Daniel
Nash!Com Database Design & Signing Tool 0.9.0
Copyright 2024, Nash!Com, Daniel Nashed
Usage: nshsign [Options]
-sign Sign database
-refresh Refresh database design
-changereplicaid Change replica ID
-ntfserver
-id
-password
-pwdcmd
-user
-idfiledb
-profile
-SkipSigner
-title
-template
-ntfversion
-noteclass
-publish
Examples with and without skipping existing signatures:
nnshsign.exe mail12_signtest.nsf -SkipSigner Templatex -sign -id D:\notes\id\nashcom\nashcom_template_development.id -password xyz
[17C20:0002-1AA10] 02.10.2024 11:48:29 nshsign: WARNING: Database is locally encrypted: [mail12_signtest.nsf]
[17C20:0002-1AA10] 02.10.2024 11:48:29 nshsign: Processing 1167 design elements
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Design elements: 1167 [Singed]
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Runtime - 00:54.969
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Signing - 00:28.934
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Done
nnshsign.exe mail12_signtest.nsf -SkipSigner Template -sign -id D:\notes\id\nashcom\nashcom_template_development.id -password xyz
[12624:0002-7E38] 02.10.2024 11:49:57 nshsign: WARNING: Database is locally encrypted: [mail12_signtest.nsf]
[12624:0002-7E38] 02.10.2024 11:49:57 nshsign: Processing 1167 design elements
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Design elements: 1167 [already signed]
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Design elements: 0 [Singed]
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Runtime - 00:23.891
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Done
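To check runs like the two above automatically (for example in a build pipeline), here is a small log parser added for illustration; it is not part of nshsign. It groups the console lines by process id, tallies the "already signed" and signed counters, and reports runs that did not finish, whose counts do not add up, or that warned about a locally encrypted database. The input is a constructed copy of the output shown above.

```python
import re
# Constructed sample input: the two nshsign runs shown above, trimmed to the lines used here.
SAMPLE_LOG = """\
[17C20:0002-1AA10] 02.10.2024 11:48:29 nshsign: WARNING: Database is locally encrypted: [mail12_signtest.nsf]
[17C20:0002-1AA10] 02.10.2024 11:48:29 nshsign: Processing 1167 design elements
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Design elements: 1167 [Singed]
[17C20:0002-1AA10] 02.10.2024 11:49:24 nshsign: Done
[12624:0002-7E38] 02.10.2024 11:49:57 nshsign: WARNING: Database is locally encrypted: [mail12_signtest.nsf]
[12624:0002-7E38] 02.10.2024 11:49:57 nshsign: Processing 1167 design elements
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Design elements: 1167 [already signed]
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Design elements: 0 [Singed]
[12624:0002-7E38] 02.10.2024 11:50:20 nshsign: Done
"""

# "[pid:thread] date time nshsign: message" is the prefix on every console line
LINE_RE = re.compile(r"^\[(?P<pid>[0-9A-Fa-f]+):[^\]]*\]\s+\S+\s+\S+\s+nshsign:\s+(?P<msg>.*)$")
PROCESSING_RE = re.compile(r"^Processing (\d+) design elements")
# Version 0.9.0 prints the signed counter as "[Singed]"; the corrected spelling is accepted too
COUNT_RE = re.compile(r"^Design elements: (\d+) \[(already signed|Singed|Signed)\]")

def parse_runs(log: str) -> dict:
    """Group nshsign console lines by process id and tally each run's counters."""
    runs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nshsign line, ignore
        run = runs.setdefault(m["pid"], {"processed": 0, "already_signed": 0,
                                         "signed": 0, "warnings": [], "done": False})
        msg = m["msg"]
        if msg.startswith("WARNING:"):
            run["warnings"].append(msg)
        elif (p := PROCESSING_RE.match(msg)):
            run["processed"] = int(p.group(1))
        elif (c := COUNT_RE.match(msg)):
            key = "already_signed" if c.group(2) == "already signed" else "signed"
            run[key] = int(c.group(1))
        elif msg == "Done":
            run["done"] = True
    return runs

def check_run(run: dict) -> list:
    findings = []  # empty list means the run looks clean
    if not run["done"]:
        findings.append("run did not finish")
    if run["processed"] != run["already_signed"] + run["signed"]:
        findings.append("element counts do not add up")
    findings.extend(w for w in run["warnings"] if "locally encrypted" in w)
    return findings
```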