I was about to ask a similar question. I have two certificates, from different commercial providers, both of which claim to be able to sign XPIs. However, when I sign the XPI, all machines claim error -260 (don't trust root CA) on install.
If I install all the CA's required intermediaries, and export the PFX in question with the full chain attached (as per their instructions) and sign again, the signing machine trusts the XPI, but no other machine will. I assume this is because the signing machine now has the certs installed, and the chain can now be validated. This also implies that the chain is not being included in the signed XPI. Any ideas what I am doing wrong, and/or which signing tools will correctly embed the certificate chain into the XPI so end users without the new Intermediary CA certs can validate the chain appropriately?
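One way to test the inference above that the chain is not in the signed XPI, as an added example that is not part of the original post or any Mozilla tool: count the certificates embedded in the PKCS#7 signature block under `META-INF/`. It assumes JAR-style signing with a DER-encoded SignedData block; `sample_xpi`, its `META-INF/sample.rsa` entry and the placeholder certificates are constructed for the demonstration.

```python
import io
import zipfile

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled")
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed element's value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def count_embedded_certs(p7_der):
    """Count entries in the optional [0] certificates field of PKCS#7 SignedData."""
    outer = children(read_tlv(p7_der, 0)[1])    # contentType OID, [0] content
    signed_data = children(outer[1][1])[0][1]   # value of the SignedData SEQUENCE
    # Skip version, digestAlgorithms and contentInfo; tag 0xA0 is the certificates set.
    return sum(len(children(v)) for t, v in children(signed_data)[3:] if t == 0xA0)

def xpi_cert_counts(xpi):
    """Map each META-INF signature block in an XPI (path or file object) to its cert count."""
    with zipfile.ZipFile(xpi) as z:
        return {n: count_embedded_certs(z.read(n)) for n in z.namelist()
                if n.upper().startswith("META-INF/") and n.lower().endswith((".rsa", ".dsa", ".ec"))}

def tlv(tag, body=b""):
    """DER-encode one element (only used to build the constructed sample)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def sample_xpi(n_certs):
    """Constructed XPI whose signature block holds n placeholder (not real) certificates."""
    certs = tlv(0xA0, b"".join(tlv(0x30, bytes(100)) for _ in range(n_certs)))
    sd = tlv(0x02, b"\x01") + tlv(0x31) + tlv(0x30) + certs + tlv(0x31)
    oid = tlv(0x06, bytes.fromhex("2a864886f70d010702"))  # signedData OID
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/sample.rsa", tlv(0x30, oid + tlv(0xA0, tlv(0x30, sd))))
    return buf
```

Run `xpi_cert_counts("path/to/addon.xpi")` on a real file: a count of 1 means only the signing certificate was embedded, so a machine without the intermediates installed cannot build the chain.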

