One more bit of follow-up info.
In a typical signed JAR file, the first 3 files are (in order)

    META-INF/manifest.mf
    META-INF/zigbert.sf
    META-INF/zigbert.rsa

(names of the .sf and .rsa files may be other than "zigbert"). Order of the files in the jar is not supposed to matter.
A Mozilla XPI file is a signed JAR file with one additional requirement: the first file MUST be the .rsa file.
The order produced by signtool 3.10 with the -X option is:

    META-INF/zigbert.rsa
    META-INF/manifest.mf
    META-INF/zigbert.sf

Finally, one caveat: there are bug reports stating that FF 1.0 fails to validate properly signed XPI files. E.g.
https://bugzilla.mozilla.org/show_bug.cgi?id=273406
If this report is true, we may have to wait for FF 1.1 for signed XPIs to work right. <sigh>
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
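An added example, not part of the original message and not signtool's or Mozilla's code: a Python check of the entry order described above, run against two constructed in-memory archives. It assumes the .sf file shares the .rsa file's base name, tests both the listed (central directory) and stored order because the message does not say which one the installer reads, and uses install.js only as a constructed payload name.

```python
import io
import zipfile

META = "meta-inf/"

def build_archive(names):
    """Constructed sample: in-memory zip with entries in exactly this order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()

def is_rsa_block(name):
    """META-INF/<base>.rsa; the base name need not be 'zigbert'."""
    low = name.lower()
    return low.startswith(META) and low.endswith(".rsa") and low.count("/") == 1

def check_xpi_order(data):
    """Return a list of problems; an empty list means the layout passes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # central-directory order
    if not infos:
        return ["archive is empty"]
    names = [i.filename.lower() for i in infos]
    problems = []
    first_listed = infos[0].filename
    first_stored = min(infos, key=lambda i: i.header_offset).filename
    for label, name in (("listed", first_listed), ("stored", first_stored)):
        if not is_rsa_block(name):
            problems.append(f"first {label} entry is {name}, not a META-INF .rsa file")
    if META + "manifest.mf" not in names:
        problems.append("META-INF/manifest.mf is missing")
    for rsa in (n for n in names if is_rsa_block(n)):
        if rsa[:-4] + ".sf" not in names:
            problems.append(f"{rsa} has no matching .sf file")
    return problems

def move_rsa_first(data):
    """Rewrite the archive with the .rsa entry first; entry bytes are unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        infos = sorted(src.infolist(), key=lambda i: not is_rsa_block(i.filename))
        for info in infos:
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()

# Constructed entry lists: typical JAR order vs. the signtool -X order above.
JAR_ORDER = ["META-INF/manifest.mf", "META-INF/zigbert.sf", "META-INF/zigbert.rsa", "install.js"]
XPI_ORDER = ["META-INF/zigbert.rsa", "META-INF/manifest.mf", "META-INF/zigbert.sf", "install.js"]
```

`check_xpi_order` only inspects layout; it does not verify the signature itself.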