[EMAIL PROTECTED] wrote, On 2008-08-22 05:51:
> Hi,
>
> I have a Verisign Digital ID Class 3 - Microsoft Software Validation
> v2 certificate, which I would like to use to sign my xpi.
>
> I have followed the steps described on this page
> http://oyoy.eu/huh/firefox-extension-code-signed-with-spc-pvk/
>
> Briefly
> 1., I use pvkimport to convert spc and pvk to pfx file
> 2., I use pk12util to create a new database and import the cert
>
> Verification
> certutil -L -d . lists my one and only cert
Does the line for your cert end in "u,u,u" ?

> signtool -L -d . lists all of the certs, but only mine has a * before
> the name

What version of NSS are you using? If you run the signtool program without
any command line options, it outputs a page of "usage" information. The
first non-blank line of that output looks like this:

Signing Tool <VERSION> - a signing tool for jar files

where <VERSION> is a "string" of characters (letters, numbers, periods, and
words) that says what version of signtool you're using. Please tell us that
info.

> When I try to use it with signtool, I get this
> ...
> Generating zigbert.sf file..
> warning - can't find private key for this cert
> signtool: PROBLEM signing data (Unknown issuer)

There are two separate issues there. They are:

a) signtool thinks it cannot find the private key with which to sign the
jar, and

b) signtool reports that it cannot verify the signature on your cert,
because it cannot find the cert for the issuer of your cert. That means
that the signature it generates (if it can find the private key) will not
be verifiable by clients (browsers) because the certificate chain will be
incomplete.

You need to get the certificate for the issuer of your code signing cert,
and that needs to go into your cert DB too. If that cert had been present
in Microsoft's cert store when you created the pfx file, it would have been
put into the pfx file. So, I gather that you don't have that cert in either
your NSS cert DB or in Microsoft's cert store.

I suggest you do these things:

1) download the Verisign CA cert for the CA that issued your code signing
cert, and get it into your Windows cert store. Verisign should have a web
page of instructions on how to do that somewhere.

2) using Windows cert manager, edit your code signing cert and give it a
"friendly name". I suggest using this friendly name:
"Giorgio's Verisign code signing cert"

Then create your pfx file again. Then list the pfx file with pk12util -l,
as you did before (thanks).
You should then see that there are two certs in it, and that your cert now
has that "nickname" (friendly name), instead of its present "friendly
name", which IINM is "2bee11b8-ca7d-4f71-b580-f72a581f84fa". (Not very
friendly, is it?)

Then create a new cert and key DB pair, and use pk12util to import your
new pfx into it, and then try all this again. That should cure the
"unknown issuer" problem. It may or may not have any effect on the "can't
find private key" problem. But let's try that first.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
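The reply asks two things of the certutil -L listing: does the signer's line end in "u,u,u" (private key present), and is the issuer cert in the DB at all. The following is an added example, not code from the thread or from NSS: it parses constructed certutil -L output and maps what it finds onto the two signtool errors quoted above. The sample nicknames for the CA cert and the "fixed" listing are constructed; the trust-flag layout (SSL,S/MIME,JAR/XPI per line) is the format certutil -L prints.

```python
"""Diagnose an NSS cert DB listing for the two signtool symptoms in the thread.

Assumptions (this is an added example, not the poster's or NSS's own code):
  - Input is what `certutil -L -d .` prints: a two-line header, a blank line,
    then one line per cert: nickname, whitespace, flags "SSL,S/MIME,JAR/XPI".
  - A 'u' in a trust field marks a user cert whose private key is in the key DB.
  - Building a signature chain needs at least the signer cert plus its issuer.
"""
import re

# Constructed sample: the poster's situation, one cert with a key, no issuer.
SAMPLE_ONE_CERT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

2bee11b8-ca7d-4f71-b580-f72a581f84fa                         u,u,u
"""

# Constructed sample: after re-exporting the pfx with the CA cert and a friendly name.
SAMPLE_FIXED = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Giorgio's Verisign code signing cert                         u,u,u
Verisign Code Signing CA (constructed nickname)              ,,
"""

# A cert line ends in three comma-separated trust fields built from NSS flag letters.
CERT_LINE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags)] for each cert line; header lines do not match."""
    entries = []
    for line in text.splitlines():
        if not line or line[0].isspace():      # blank line or indented header line
            continue
        m = CERT_LINE.match(line.rstrip())
        if m:
            entries.append((m.group("nick").strip(), m.group("flags")))
    return entries


def diagnose(text):
    """Heuristic mapping of the listing onto the two signtool errors from the thread."""
    entries = parse_certutil_listing(text)
    with_key = [nick for nick, flags in entries if "u" in flags]
    problems = []
    if not with_key:
        problems.append("no cert carries 'u' flags: expect \"can't find private key for this cert\"")
    if len(entries) < 2:
        problems.append("only one cert in the DB: no issuer present, expect \"Unknown issuer\"")
    return {"certs": entries, "signer_candidates": with_key, "problems": problems}
```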

