Re: (possible repost) signing issues with NSS

Sun, 17 Apr 2005 18:13:22 -0700

Kirill Bolshakov wrote: 
Dear Mozillers,

I'm looking for a description of a streamlined signing process for Firefox XPI, using a Microsoft Authenticode certificate converted to the PKCS#12 format.

The certificate is okay: bought at Verisign as MS Authenticode, imported using pvkimprt (however, we had to use Windows 2000 for this purpose, because it did not work on WinXP), exported to PFX. We checked that it can be successfully imported by Firefox. 

You experienced this issue.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323689

Verisign's intermediate class 3 CA certificate was not imported into
your Windows' Key store, so the cert was not found to be valid.
signtool will also require the intermediate CA cert to be in NSS's
cert8.db file.

The issue is: when trying to use the "signtool" from the latest NSS tools with the "-L" command applied to the directory (-d) of Netscape Communicator 4.79 (4.7x is often mentioned in googled pages as the only version known to work with the "signtool" utility), we got an error saying that there are no certificate stores in that directory. 

I'd say you found some documentation that is either:
a) very old (written when 4.79 was the latest browser), or
b) simply wrong

Forget about Communicator 4.x.  The latest signtool is version 3.10.
It works with the cert and key DBs found in mozilla and Firefox/Thunderbird.
Just be sure that your mozilla browser/email programs aren't running
when you try to use signtool, and vice versa.

Mozilla's XPI format is not quite the same as the old JAR file format
that was signed by the older signtools.  Signtool 3.10 has a "-X"
option that tells it to sign mozilla XPIs in the required XPI format
rather than in the older standard JAR format.

Could someone please show me the correct steps to create a signed XPI when a PKCS#12 certificate is available? 

The directions you have are probably right, except that you
a) don't use Communicator 4.x, use mozilla, and
b) do use signtool 3.10 and the -X command line option.

HTH

--
Nelson B
12345678901234567890123456789012345678901234567890123456789012345678901234567890
00000000011111111112222222222333333333344444444445555555555666666666677777777778
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

Reply via email to