While working on https://fedorahosted.org/freeipa/ticket/3150, I came
across this scenario:
I have a 2.2 master I don't want to upgrade. I want to create a 3.0
replica from it.
I found that when creating the replica file, the Signing-Cert (used to
sign the browser config .jar and, newly, .xpi) is not included. It never
leaves the original master. And the original master can't sign the
extension because it's 2.2, so it only knows how to sign the old .jar
(and only on install).
Similarly, 2.2 replicas that get upgraded to 3.0 can't sign the new
extension. And they don't even know which server has the "original"
Signing-Cert, so even a trick like SSHing to it to steal the cert won't
Old 2.2 installations where the original master was destroyed won't have
the Signing-Cert at all any more.
Am I right? I must admit my grasp of the code could be better.
Can I generate a new signing cert in replica-install to sign the
extension? Would that clash with the old one (and with ones from other
Can we distribute an unsigned extension?
Freeipa-devel mailing list