[EMAIL PROTECTED] wrote:
> When I created the cert, I got an x509.cacert which I read (
> http://web.archive.org/web/20060425194511/www.mozdevgroup.com/docs/pete/Signing-an-XPI.html
> ) was used to sign objects. I think this is incorrect, and is the
> public key, not a private key.

Several people have written and published documents that attempted to instruct readers on how to set up their own Certificate Authority for the purpose of issuing code signing certs. That file name, x509.cacert, has appeared in several of those documents. In addition to the one you cited, another (the first, AFAIK) was published at this URL:
http://books.mozdev.org/chapters/ch12.html#77079

The author of that work later repudiated it. See http://certs.mozdev.org/

Unfortunately, none of those documents that I've seen has been correct. One important piece of information that they all seem to omit, or give insufficient emphasis, is that all these schemes exist only to provide test (play, pretend) certs that work for the XPI author in his own testbed environment. They do NOT provide real code signing certs that real browser users (other than XPI developers themselves) would ever be expected to use.

A certificate that you make for yourself, with your own play/pretend CA, may look (superficially) like a real code signing cert from a real CA, but it won't work like one for most browser users. You may be able to get a few of your closest friends to download and trust your own CA cert, but you wouldn't get the world at large to do so.

I believe that mozilla would not publish an addon signed with a self-issued cert on addons.mozilla.org (but that is supposition on my part).

IMO, you should plan to get a real code signing cert, and to sign your XPI with that cert, before publishing your XPI.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

