On 2009-09-26 12:52 PDT, Adriano Bonat wrote:
> Hi Nelson,
> 
> Did you see the message from Kaspar? I guess he is right and I'm
> another victim of that "bug", so there is nothing I can do to fix it 

Adriano,
The ",,c" clue I gave you works around that bug in NSS 3.12.3+.

But let's look at the bigger picture here.
Why are you trying to sign your XPI?
Does signing your XPI help you in any way?

There was a time, years ago, when a signed XPI could get certain
execution privileges that an unsigned XPI could not get.
But I believe the Mozilla browser people put an end to that long ago.
Today, as far as I know, signed XPIs get no special privileges.

I honestly know of no particularly good incentive for XPI writers to
sign their XPIs at this time.  As far as I know, the only benefit that
a signed XPI gets, over an unsigned XPI, is that in one particular
dialogue, the word "unsigned" does not appear when the XPI is signed
and does appear when it is not signed.  But most users click through
that dialog so fast that they never even notice it.

And, as you've probably discovered, if you DO sign your XPI and the
browser has trouble with the signature, then it will not load the XPI,
which is a pain for both users and developers.  So, users get no sense
of added security value from signatures (because the browser does not
bestow any value on them), and both users and developers see signatures
as a cause of extra grief.  Note that this is not inherent in the
technology of signed code.  It's just the result of an attitude towards
certificates and CAs held by a certain segment of Mozilla's developers.

Now, tell me again why you want to sign your XPI?
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
