Signing the Widget

BONDI widget’s digital signature is based on W3C Widget: Digital Signature specification. Both author and distributor signatures are supported. The signatures are stored in distinct files, which are needed for publishing the widget package on the Widget Gallery.

The BONDI Web SDK enables the developers to automatically generate the signature files for their widget.

Configuring the widget signature settings

Widget signature settings can be configured using the signing preference page. In order to change preferences:

• Select Windows -> Preferences.
• Select ‘Signing’ from the ‘BONDI’ category.

The Signing preferences are stored in terms of signature profiles. Accordingly the signing preference page is divided in two groups

Profiles: In order to add new signing profile, select “Add” button(new profile) and give a profile name. Existing profiles can be removed using “Remove” button and the profile name can be edited using “Rename” button.

Profile Items: Each signature profile consists of a number of profile items, which are used to generate (upto one) author signatures and (any number of) distributor signatures. Generation of each signature file requires a public key certificate and a private key packaged in the PKCS 12 format. This key needs to be specified separately for each profile item.

The profile items group is further divided in two parts:

Author Signature One signing profile can be associated with at most one author profile item. The profile item specified in “Author signature” table will be used to generate author signature i.e author-signature.xml. Author profile item contents can be cleared using the “Clear” button.

Distributor Signature One signing profile can be associated with zero or more distributor profile items. In order to add distributor profile item select “Add” button. The distributor profile items can be removed using “Remove” button.

Every profile item is associated with an identifier which will be used in the generated signature files. The identifier is generated according to a format string specified by the user in the profile item.
The format string is expanded at the time the signature is generated to create the Identifier string. The format string should be a text string, with a number of specific format tags that expand based on parameters of the widget or signature profile. The format tags supported are:

• %t (time) expands to date-time string at the time the key is generated in YYYY-MM-DDThh:mm:ssZ format.
• %w (widget) expands to the id attribute of the element in the config.xml document.
• %a (author) expands to the body of the element in the config.xml document.
• %h (hash) expands to the digest of the canonicalized SignedInfo generated in the process of creating the signature.
• %f (fingerprint) expands to the fingerprint of the certificate used to generate the signature.

The default format string is: %a:%f:%w:%h:%t Only one signature profile can be marked as active at any point, and when the signing action is invoked, the signatures are created as per the profile items of the current active profile. A profile can be set active using “Set Active” button of Profiles group.

Signing a widget

In order to sign a widget perform the following steps:

1. Select the desired widget project in the Project Explorer View.
2. Right click on the project. This will bring the Context menu in view.
3. Select the option: Sign widget

   

Depending on the signing preferences, this will generate the appropriate signature files inside the widget project.

In order to validate a signed widget, you could try an experimental widget signature validator service online.