Thanks for you feedback. On Sep 25, 2:53 am, Nelson B Bolyard <[email protected]> wrote: > On 2009-09-24 21:07 PDT, Adriano Bonat wrote: > > > Hi guys, > > > I'm trying to sign a Firefox extension (XPI) using a code signing > > certificate bought from GoDaddy, but Firefox is rejecting the XPI file > > saying "signing could not be verified. -260". > > It said -260? That's not an NSS or NSPR error number.
Understand, here is a screenshot: http://img201.yfrog.com/i/screenshot20090923at115.png/ > > Here are the steps that I'm following to sign the file: > > 1. Tried to install the GoDaddy/Starfield intermediate certificate but > > browser says that it is already installed; > > 2. I install the code signing certificate, it shows OK in the "Your > > certificates" tab in Firefox' preferences; > > 3. I'm using Mac OS X 10.6.1, and installed package "nss" from > > MacPorts, so using nss-certutil on my Firefox 3.5 profile dir: > > What is the version of NSS that you got from MacPorts? > Is it 3.11.4? 3.12.0 ? 3.12.3 ? Other? $ port info nss nss @3.12.3 (net) > > $ nss-certutil -d . -L > > Try it again with an additional parameter, which is -h all > You'll get about 150 more lines of output, with a lot more trust flags, > I expect. > $ nss-certutil -d . -L -h all this gave me the same result as without it. BUT, I tried it on a Ubuntu machine with Signing Tool 3.12.3.1, and then it lists also the builtin modules... Later I was checking other things, and I found the following: $ nss-modutil -dbdir . -list Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB ----------------------------------------------------------- Isn't missing here the "Mozilla Root Certs" that points to "libnssckbi.so" ? I found this information here: http://article.gmane.org/gmane.comp.mozilla.crypto/11137 Testing on the Ubuntu machine confirmed this, there the "Root certs" are pointing to that library, so thats where the builtin certificates came from. > > > > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > VeriSign Class 3 Extended Validation SSL CA ,, > > Thawte SGC CA ,, > > UTN-USERFirst-Hardware ,, > > VeriSign Class 3 Secure Server CA - G2 ,, > > Akamai Subordinate CA 3 ,, > > Entrust Certification Authority - L1B ,, > > Google Internet Authority ,, > > VeriSign Class 3 Secure Server CA ,, > > PositiveSSL CA ,, > > Go Daddy Secure Certification Authority ,, > > DigiCert Global CA ,, > > COMPANYNAME LLC's Starfield Technologies, Inc. ID u,u,u > > GlobalSign Extended Validation CA ,, > > VeriSign Class 3 Extended Validation SSL SGC CA ,, > > VeriSign, Inc. ,, > > Microsoft Internet Authority ,, > > Starfield Secure Certification Authority ,, > > RSA Public Root CA v1 ,, > > Sun Microsystems Inc SSL CA ,, > > DigiCert High Assurance EV CA-1 ,, > > GlobalSign ,, > > UTN - DATACorp SGC ,, > > Microsoft Secure Server Authority ,, > > UniCERT Certificadora ,, > > > Why all certificates (except the one that I installed) don't have > > trust attributes? This lead me to a problem when signing the file: > > Because they're almost all intermediate CA certificates, not root CA > certificates, or they _should_ be. As a general rule, trust flags are > only put on roots, not on intermediates. however, there are some exceptions. I see, but I find it strange, on the manual page when they list the certificates they all have trust attributes: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html > > $ nss-signtool -d . -l > > > Object signing certificates > > --------------------------------------- > > COMPANYNAME LLC's Starfield Technologies, Inc. ID > > Issued by: Starfield Secure Certification Authority > > Expires: Mon Sep 19, 2011 > > ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority > > certificate invalid) > > --------------------------------------- > > For a list including CA's, use "signtool -L" > > This is why I asked what version of NSS you're using. There were some > gross bugs in signtool versions before 3.12.3 > Maybe they are still there? :) > > > To get the file signed, I'm "cheating" and changing the trust > > attributes of the GoDaddy/Starfield Secure Certification Authority to > > ",,C". > > Try ",,c", that's lower case c, instead. > And don't be so sure that's cheating. :) > > > Anybody has an idea what is the problem here? > > Finally, what command line options are you using in your signing attempt? > You will want both -X and -Z to make a signed XPI file. I'm using: $ nss-signtool -d . -k "COMPANYNAME LLC's Starfield Technologies, Inc. ID" -X -Z file.xpi XPI/ Thanks again. -Adriano Bonat -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
