rvj wrote:
OK dumb question but is it potentially possible to have signed chrome which
could be authenticated when Mozilla starts up?
Instead of having to sign individual scripts, objects, etc, I would like to
sign a single chrome JAR file containing a collection of secure files .
i.e. the signed chrome would be verified on startup using Mozilla certficate
security methods.
Communicator 4.x had a single signed jar file containing ... secure files.
It was named "policy.jar", IIRC, and there were several different flavors,
one for the USA, one for France, one for other "export" countries.
It controlled Communicator's cryptographic capabilities.
Netscape even received a patent for this invention.
Defeating the protection of this jar file became a cottage industry.
A web site was setup from which anyone could download a program that
would patch Communicator to defeat the signature protections. That
program was second only to Communicator itself in number of downloads,
IIRC. The website, www.fortify.net, is still there. You might find
the FAQ enlightening.
> I asked this question a couple of years ago and there didnt seem to be too
> much concern for local security issues.
The problem isn't lack of concern. It's lack of countermeasures that
cannot be defeated trivially by anyone who can download a patcher
program. Who wants to invest in ineffective countermeasures?
--
Nelson B
