I found this write-up that might explain some issues I have seen. I'm about to try this on a certificate provided to me that should be trusted. I think this might be in line with what Eddy is saying about intermediates, and explain further why when using intermediates it does not work as expected. My original question was meant to be simply what providers are recommended by other developers that require nothing to be done by the end user to trust the signed XPI regardless of intermediate use or not; although Eddy did clarify that intermediates will always be involved.
I'm thinking this should be simpler than it appears to be. Anyway, here is a writeup to consider / try.

http://www.ivan-site.com/2010/11/signing-an-xpi-using-a-verisign-code-signing-certificate/

On Mar 29, 2:03 am, Brian Bailey <[email protected]> wrote:
> I was about to ask a similar question. I have two certificates, from
> different commercial providers, both claim to be able to sign XPIs. However
> when I sign the XPI, all machines claim error -260 (don't trust root CA) on
> install.
>
> If I install all the CA's required intermediaries, and export the PFX in
> question with the full chain attached (as per their instructions) and sign
> again, the signing machine trusts the XPI, but no other machine will.
>
> I assume this is because the signing machine now has the certs installed, and
> the chain can now be validated. This also implies that the chain is not being
> included in the signed XPI.
>
> Any ideas what I am doing wrong, and/or which signing tools will correctly
> embed the certificate chain into the XPI so end users without the new
> Intermediary CA certs can validate the chain appropriately?

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
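One way to test the hypothesis in the quoted message (that the chain is not embedded in the signed XPI), as an added example that is not part of the original thread or any signing tool. It assumes the XPI carries a JAR-style DER PKCS#7 signature block (a `.rsa` or `.dsa` file under `META-INF/`), matches issuer to subject by raw DER name bytes without verifying signatures, and all function names are hypothetical.

```python
import zipfile

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each TLV in a range."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def embedded_certs(p7):
    """Return [(subject_der, issuer_der)] for every cert in a PKCS#7 SignedData."""
    _, vs, ve = tlv(p7, 0)                              # ContentInfo
    content = list(children(p7, vs, ve))[1]             # [0] EXPLICIT wrapper
    _, sd_start, sd_end = tlv(p7, content[2])           # SignedData
    out = []
    for tag, _, cs, ce in children(p7, sd_start, sd_end):
        if tag != 0xA0:                                 # certificates [0] only
            continue
        for _, _, cert_s, cert_e in children(p7, cs, ce):
            tbs = next(children(p7, cert_s, cert_e))    # tbsCertificate
            # Drop the optional [0] version: serial, sigAlg, issuer, validity, subject
            f = [x for x in children(p7, tbs[2], tbs[3]) if x[0] != 0xA0]
            out.append((p7[f[4][1]:f[4][3]], p7[f[2][1]:f[2][3]]))
    return out

def signer_issuer_embedded(p7):
    """Return (cert_count, True if each signer cert's issuer is also embedded)."""
    certs = embedded_certs(p7)
    subjects = {s for s, _ in certs}
    issuers = {i for s, i in certs if s != i}           # ignore self-signed
    leaves = [(s, i) for s, i in certs if s not in issuers]
    return len(certs), bool(leaves) and all(i in subjects for _, i in leaves)

def check_xpi(xpi):
    """Map each META-INF signature block in an XPI to its chain summary."""
    with zipfile.ZipFile(xpi) as z:
        return {n: signer_issuer_embedded(z.read(n)) for n in z.namelist()
                if n.upper().startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA"))}
```

A result of `(1, False)` for the signature block means only the signing certificate is embedded, which is consistent with the symptom described in the quoted message: a client without the intermediate installed cannot build the chain.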

