Skip to content

Latest commit

 

History

History
61 lines (43 loc) · 3.43 KB

File metadata and controls

61 lines (43 loc) · 3.43 KB

Zoiper5 plugin signing documentation

Platform: Zoiper5 Desktop - Windows, macOS, Linux

Version: 1.0.0

Contents

Overview

This document describes how to sign a plugin for use with Zoiper5's third-party plugin system.

Installing OpenSSL

The examples here will use OpenSSL, but this is not a strong requirement. macOS and linux usually ship with OpenSSL installed, or can easily be installed with a package manager. As for Windows, using (chocolatey)[https://chocolatey.org/] is generally recommended.

Signing a plugin

To sign a plugin, a certificate that is signed by a certificate that's been signed by Zoiper5's root plugin certificate is required.

Zoiper5's root plugin certificate

This is a root certificate that is managed internally by Zoiper's administration. Being a root certificate, it is not signed by any other certificate authority, which means that any certificates signed by it will not be useful for much more than signing Zoiper5 plugins.

Signing overview

Digital signatures use what is known as (public key cryptography)[https://en.wikipedia.org/wiki/Public-key_cryptography]. A plugin is signed with a private key and the signature is verified with its corresponding public key. The public key is what is at the core of certificates and is what Zoiper5 uses to verify whether a plugin has been signed by a trusted party. In order to verify that a plugin has been signed by a Zoiper-authorized developer, the (web of trust)[https://en.wikipedia.org/wiki/Web_of_trust] concept is used. Essentially, this means that the certificate that holds the public key that can be used to verify a plugin is verified against a chain of certificates, ending with Zoiper5's root plugin certificate.

Certificate Signing Request

In order to sign a plugin, a .key file is required. This can be generated using the following command:

openssl req -out CSRtest.csr -new -newkey rsa:2048 -keyout sign.key

Important: Be very careful with the .key file that's generated by this command. This is the private key that's used to sign plugins and should be kept secret.

This command also generates a .csr file, this file is used to create a (Certificate Signing Request)[https://en.wikipedia.org/wiki/Certificate_signing_request] to Zoiper. Send this file to Zoiper's support team in order to get a certificate. The .csr file is public information and can be shared publicly, without need for any extra security.

Once the certificate signing request is completed, you will be sent a .pem file which contains a signed certificate. This certificate is used by Zoiper5 when verifying the a plugin signature, and this should be included in the plugin configuration file.

Signing

A plugin is signed using the following command, assuming the public key is named sign.key:

openssl dgst -sha256 -hex -sign sign.key -out sign.sign /path/to/plugin.dylib

This will output a signed hex-encoded SHA-256 digest of the plugin file. This is the plugin's signature, this is what Zoiper5 will use to verify the plugin and should be included in the plugin configuration file under the "signature" tag.