On 2009-09-24 21:07 PDT, Adriano Bonat wrote:
> Hi guys,
>
> I'm trying to sign a Firefox extension (XPI) using a code signing
> certificate bought from GoDaddy, but Firefox is rejecting the XPI file
> saying "signing could not be verified. -260".

It said -260? That's not an NSS or NSPR error number.

> Here are the steps that I'm following to sign the file:
> 1. Tried to install the GoDaddy/Starfield intermediate certificate but
> browser says that it is already installed;
> 2. I install the code signing certificate, it shows OK in the "Your
> certificates" tab in Firefox' preferences;
> 3. I'm using Mac OS X 10.6.1, and installed package "nss" from
> MacPorts, so using nss-certutil on my Firefox 3.5 profile dir:

What is the version of NSS that you got from MacPorts?
Is it 3.11.4? 3.12.0 ? 3.12.3 ? Other?

> $ nss-certutil -d . -L

Try it again with an additional parameter, which is -h all
You'll get about 150 more lines of output, with a lot more trust flags,
I expect.

> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
> VeriSign Class 3 Extended Validation SSL CA         ,,
> Thawte SGC CA                                       ,,
> UTN-USERFirst-Hardware                              ,,
> VeriSign Class 3 Secure Server CA - G2              ,,
> Akamai Subordinate CA 3                             ,,
> Entrust Certification Authority - L1B               ,,
> Google Internet Authority                           ,,
> VeriSign Class 3 Secure Server CA                   ,,
> PositiveSSL CA                                      ,,
> Go Daddy Secure Certification Authority             ,,
> DigiCert Global CA                                  ,,
> COMPANYNAME LLC's Starfield Technologies, Inc. ID   u,u,u
> GlobalSign Extended Validation CA                   ,,
> VeriSign Class 3 Extended Validation SSL SGC CA     ,,
> VeriSign, Inc.                                      ,,
> Microsoft Internet Authority                        ,,
> Starfield Secure Certification Authority            ,,
> RSA Public Root CA v1                               ,,
> Sun Microsystems Inc SSL CA                         ,,
> DigiCert High Assurance EV CA-1                     ,,
> GlobalSign                                          ,,
> UTN - DATACorp SGC                                  ,,
> Microsoft Secure Server Authority                   ,,
> UniCERT Certificadora                               ,,
>
> Why all certificates (except the one that I installed) don't have
> trust attributes? This led me to a problem when signing the file:

Because they're almost all intermediate CA certificates, not root CA
certificates, or they _should_ be. As a general rule, trust flags are
only put on roots, not on intermediates. However, there are some
exceptions.

> $ nss-signtool -d . -l
>
> Object signing certificates
> ---------------------------------------
> COMPANYNAME LLC's Starfield Technologies, Inc. ID
> Issued by: Starfield Secure Certification Authority
> Expires: Mon Sep 19, 2011
> ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
> certificate invalid)
> ---------------------------------------
> For a list including CA's, use "signtool -L"

This is why I asked what version of NSS you're using. There were some
gross bugs in signtool versions before 3.12.3

>
> To get the file signed, I'm "cheating" and changing the trust
> attributes of the GoDaddy/Starfield Secure Certification Authority to
> ",,C".

Try ",,c", that's lower case c, instead. And don't be so sure that's
cheating. :)

> Anybody has an idea what is the problem here?

Finally, what command line options are you using in your signing attempt?
You will want both -X and -Z to make a signed XPI file.

> Thanks.
> - Adriano Bonat

/Nelson
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
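
Added example, not part of the original message or of NSS: a small parser that pairs each object-signing certificate in a `signtool -l` listing with the JAR/XPI trust flags its issuer carries in a `certutil -L` listing, so the effect of a change such as ",,c" is visible at a glance. Function names are hypothetical, the sample rows are cut down from the listings quoted above, one-line nicknames are assumed, and the flag descriptions paraphrase the certutil documentation.

```python
import re

# Trust flag meanings, paraphrased from the certutil -t documentation.
FLAGS = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
         "C": "trusted CA (implies c)", "T": "trusted CA for client auth",
         "u": "user certificate", "w": "send warning"}

# Nickname, whitespace, then the SSL,S/MIME,JAR/XPI triple at end of line.
ROW = re.compile(r"^(.+?)\s+([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

def unquote(line):
    """Drop mail quote markers ('> ') and surrounding whitespace."""
    return re.sub(r"^(>\s?)+", "", line).strip()

def parse_certutil(text):
    """Map nickname -> (ssl, smime, objsign) from `certutil -L` output."""
    rows = (ROW.match(unquote(l)) for l in text.splitlines())
    return {m.group(1): m.groups()[1:] for m in rows if m}

def parse_signtool(text):
    """Return [(nickname, issuer)] from `signtool -l` output."""
    pairs, prev = [], None
    for line in map(unquote, text.splitlines()):
        if line.startswith("Issued by:"):
            pairs.append((prev, line.split(":", 1)[1].strip()))
        elif line:
            prev = line  # last non-empty line before "Issued by:" is the nickname
    return pairs

def issuer_objsign_flags(certutil_out, signtool_out):
    """For each signing cert: (issuer, JAR/XPI flag descriptions or None)."""
    certs = parse_certutil(certutil_out)
    report = {}
    for nick, issuer in parse_signtool(signtool_out):
        flags = certs[issuer][2] if issuer in certs else None
        report[nick] = (issuer, None if flags is None else [FLAGS[f] for f in flags])
    return report

# Constructed sample: rows cut down from the listings quoted in the message.
CERTUTIL = """\
> VeriSign, Inc.                                      ,,
> COMPANYNAME LLC's Starfield Technologies, Inc. ID   u,u,u
> Starfield Secure Certification Authority            ,,
"""
SIGNTOOL = """\
> COMPANYNAME LLC's Starfield Technologies, Inc. ID
> Issued by: Starfield Secure Certification Authority
"""
```

An issuer reported as `None` is absent from the listing that was parsed, which is different from an issuer that is present with an empty JAR/XPI field.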