While working on https://fedorahosted.org/freeipa/ticket/3150, I came across this scenario:

I have a 2.2 master I don't want to upgrade. I want to create a 3.0 replica from it.

I found that when creating the replica file, the Signing-Cert (used to sign the browser config .jar and, newly, .xpi) is not included. It never leaves the original master. And the original master can't sign the extension because it's 2.2, so it only knows how to sign the old .jar (and only on install).

Similarly, 2.2 replicas that get upgraded to 3.0 can't sign the new extension. And they don't even know which server has the "original" Signing-Cert, so even a trick like SSHing to it to steal the cert won't work.

Old 2.2 installations where the original master was destroyed won't have the Signing-Cert at all any more.

Am I right? I must admit my grasp of the code could be better.

Can I generate a new signing cert in replica-install to sign the extension? Would that clash with the old one (and with ones from other replicas)?
Can we distribute an unsigned extension?


Freeipa-devel mailing list

Reply via email to