InstallShield is its own separate thing. Newer versions use the Microsoft Installer (MSI) capability, but it is still made by Acresso (spun off from Macrovision).
http://kb.acresso.com/doc/DocumentRepository/Installation/InstallShield/InstallShield%202009%20Express/01_Public/Product%20Manual/InstallShieldExpressEditionUserGuide.pdf
page 478 (sequential page 502) refers to "signing for Netscape Communicator".

-Kyle H

On Wed, Feb 4, 2009 at 5:13 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> David Tiertant wrote, On 2009-02-03 08:48 PST:
>
>> I'm working in InstallShield to create a web installer for one of our
>> software packages. The installer for IE builds fine, but Firefox
>> requires a Netscape certificate. InstallShield is supposed to build this
>> automatically, but something is wrong with my settings and I'm having
>> some difficulty getting the certificate created manually, using certutil
>> and signtool.
>
>> I'm using NSS 3.6 because the InstallShield setup will look for cert7.db
>> instead of cert8.db. Newer versions of NSS create a cert8.db. I don't
>> know which version of NSPR I should be using. I know that signtool.exe
>> is Mozilla's version, not Microsoft's.
>
> David,
>
> I find your message intriguing, because it seems to say that InstallShield
> (a Microsoft product, yes?) wants to use NSS cert databases. In all of my
> nearly 13 years of working on NSS, this is the first time (that I can
> recall) that anyone has suggested that any Microsoft product wants to use
> NSS cert databases. So, I have numerous questions about all this.
>
> Is there any public documentation (e.g. on a web site) that explains
> about InstallShield's use of NSS and/or NSS cert databases?
>
> I can't tell what you're trying to do exactly with InstallShield and
> Firefox. I can't tell if you're trying to
> - create an InstallShield installer that installs Firefox itself, or
> - create an InstallShield installer that Firefox will download and
>   process, for the purpose of installing some add-on for Firefox, or
> - something else
>
> You wrote "Firefox requires a Netscape certificate". I don't understand
> what you meant by that. There's no such thing as "a Netscape certificate",
> and Firefox does not require things that it downloads to be signed or to
> contain any certificate (AFAIK). Firefox downloads extensions in a format
> known as "XPI" which stands for "Cross Platform Installer". An XPI file
> is a JAR file, which is a ZIP file, whose contents are organized in a
> specific hierarchical directory structure. Like all JAR files, XPI files
> may be signed, but Firefox does not require that they be signed before
> downloading and installing them. I'm not aware that InstallShield is
> capable of making XPI files, so I'm really not sure what you're trying to do.
>
> I wonder if it is possible that InstallShield really does NOT want to
> use NSS, but rather that it is trying to run some Microsoft program,
> but has accidentally run some NSS program instead. As I recall, both
> NSS and Microsoft's Platform SDK (PSDK) have programs named signtool.
> Might InstallShield have run NSS's signtool when it intended to run
> PSDK's signtool instead?
>
> I suspect that the real solution you need will either
> - not involve NSS 3.6, or
> - not involve InstallShield
> but below, I will ignore that suspicion to address some specific issues.
>
>> The first thing I tried to do in cmd prompt was change to my working
>> directory and run certutil -N -d .
>> This prompted me to enter a password 3 times.
>
> 3 times? Doesn't sound right.
>
>> Then the program finished. It created 3 .db files.
>>
>> I ran...
>>
>> certutil -S -x -k rsa -n mozillaCertificate -s "CN=mozillaCertificate, O=My Company, C=US" -t "TCu" -d .
>
> I think you're trying to create an object signing certificate. There's
> a lot more to it than that. If you generate your own self-signed object
> signing certificate, it may make signtool work, but the signed results will
> almost certainly not be satisfactory.
>
> In any case, to generate an object signing cert, you need different trust
> flags. Instead of "TCu", try ",,P". If that doesn't work, try ",,C".
>
>> I then closed my Mozilla apps and ran
>> signtool -p"mypassword123" -k mozillaCertificate .
>
> That command seems to lack the -d "directory" option, telling signtool
> the name of the directory in which to find the cert DBs. That will
> generally not be the same directory as the directory containing the
> contents of the JAR file being created.
>
>> It generated a bunch of files and then at zigbert.sf
>> signtool: PROBLEM signing data (Certificate not approved for this
>> operation)
>> the tree "." was NOT SUCCESSFULLY SIGNED
>
> That's probably because of the trust flag issue I described above, but
> could also be due to the absence of a -d option.
>
> More thoughts:
> Signtool is a tool for creating signed JAR files.
> The version of signtool in NSS 3.6 does not know how to create XPI files.
> That capability was added to signtool in NSS 3.10. I suggest you use
> NSS 3.11.x or 3.12.x for signing XPI files. FF2 uses NSS 3.11.x,
> FF3 uses NSS 3.12.x.
>
> Signtool has its own option for generating self-signed object signing certs.
> That might be more satisfactory than using certutil for that purpose.
> Self-signed object signing certs are intended for your own testing only,
> not for actual distribution of signed code (perhaps you knew that).
>
> If you have a code signing cert for signing Windows code, that should work
> for signing XPI files too. You will need to copy the cert and its private
> key into an NSS database by exporting them from Windows into a .p12 (.pfx)
> file and then importing that into NSS using NSS's pk12util.
>
> It's still not clear what signtool and XPI files have to do with
> InstallShield. I'd be really surprised if InstallShield makes any direct
> use of NSS.
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
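The thread above describes an XPI as a JAR (a ZIP) that may be signed, and a signtool run that stopped at zigbert.sf. As an added example (not part of the thread and not NSS code), this Python check reports whether an archive has the signed-JAR layout under META-INF and whether each file's SHA1 digest matches the manifest; it does not verify the signature block itself. The function names, the sample archive and the names install.rdf and extra.js are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Map each 'Name:' section to its headers; a leading space continues a line."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        headers = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in headers:
            entries[headers.pop("Name")] = headers
    return entries

def check_archive(data):
    """Check signed-JAR layout and per-file SHA1 digests (not the signature)."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    meta = {n.lower(): n for n in names if n.lower().startswith("meta-inf/")}
    manifest = meta.get("meta-inf/manifest.mf")
    kinds = {n.rsplit(".", 1)[-1] for n in meta}  # extensions seen in META-INF
    signed = bool(manifest) and "sf" in kinds and bool(kinds & {"rsa", "dsa"})
    report = {"signed_layout": signed, "mismatched": [], "unlisted": []}
    if manifest is None:
        return report
    entries = parse_manifest(zf.read(manifest).decode("utf-8"))
    for name in names:
        if name.lower() in meta or name.endswith("/"):
            continue
        want = entries.get(name, {}).get("SHA1-Digest")
        got = base64.b64encode(hashlib.sha1(zf.read(name)).digest()).decode()
        if want is None:
            report["unlisted"].append(name)      # file added outside the manifest
        elif want != got:
            report["mismatched"].append(name)    # content changed after hashing
    return report

def build_sample(tamper=False):
    """Constructed archive; the .sf/.rsa bodies are placeholders, not signatures."""
    body = b"<RDF>constructed sample</RDF>\n"
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
    manifest = ("Manifest-Version: 1.0\n\nName: install.rdf\n"
                "Digest-Algorithms: SHA1\nSHA1-Digest: " + digest + "\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/zigbert.rsa", b"placeholder")
        zf.writestr("META-INF/manifest.mf", manifest)
        zf.writestr("META-INF/zigbert.sf", "Signature-Version: 1.0\n")
        zf.writestr("install.rdf", body + (b"edited" if tamper else b""))
        if tamper:
            zf.writestr("extra.js", b"// added after signing\n")
    return buf.getvalue()
```

A clean report here only means the layout and digests are consistent; trust in the signer still depends on validating the signature and certificate chain with NSS itself.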