Jean-Marc Desperrier wrote:

A rant that points to *what* should be done is a good rant.

I wanted to see this signed XPI thing work by myself, but unfortunately the cert for the examples on http://www.mozilla.org/projects/xpinstall/signed/testcases/index.html has expired, so that they can not readily be used to test.

I had no idea until now signed xpi was in fact already implemented, and apparently working.
Why was white-listing used instead for Firebird?

Actually I found my answer in the same post in netscape.public.mozilla.xpinstall that page was debuted in. It was posted by Doug Turner in December of 2002. Thanks to Thunderbird and its great filtering I just did a search for anything that mentioned signed and I found this:

I have landed the ability to sign an XPInstall.

This quick email is meant as a sneak preview of signing support.  In the next few 
weeks, I hope to work with the technical publications to produce a more descriptive 
document regarding how you can sign your xpinstall's.  In the meantime, you can take a 
look at the testcases I created here:

http://www.mozilla.org/projects/xpinstall/signed/testcases/index.html

In a nutshell, if you want to create your own, first take a look at the signtool 
documentation here:

http://developer.netscape.com/docs/manuals/signedobj/signtool/

Assuming you have a directory named "test" containing your install files, the following commands 
will produce a signed xpi that will work with mozilla (this assumes that the signing cert's name is 
"dougt"):

signtool -d ./certs -kdougt test
cd test
zip test.xpi META-INF/zigbert.rsa
zip -r -D test.xpi * -x META-INF/zigbert.rsa
mv test.xpi ../
cd ..

What these commands do is ensure that the zigbert.rsa file is the first file in the 
xpi file.  If this file isn't the first file in the archive, the install will be 
treated as unsigned.

If this is all a mystery to you, I advise against attempting to create a signed install 
– again this email is meant as a sneak peek and not a developer doc.


Doug Turner [EMAIL PROTECTED]

I'm planning to have my tutorial online sometime this weekend. I just wrote up a very rough draft last night. Basically just spewed out all the steps I went through yesterday. It just needs a spellcheck and some real formatting. Basically I made 3 pages:
1. Dealing with Microsoft Authenticode Certificates, getting one from Thawte and installing it. I'm so sad to say it was a very very easy process. Other than having to download the 391MB Core Platform SDK for the 67KB signtool.exe ;).
2. Dealing with converting the first certificate into PKCS #12 and importing it into a Mozilla/Firefox database. Not too difficult. Basically the easiest part of the process.
3. Dealing with getting the tools needed to create a signed XPI or just a regular signed JAR file. This is the real meat.

Right now it's more Windows-centric 'cause I did most of my work on Windows. I did do the final signing on my webserver running Linux 9.0. I did tons of searching for a zip utility that supported rearranging files in a ZIP archive but came up empty handed. I did not do any discussing about creating your own CA, keys and certificates. I did provide a link to the current draft of Chapter 12 from Creating Applications with Mozilla - http://certs.mozdev.org/cadraft.html. This page did help a bit.


A few things could render a lot of my tutorial useless and I'd welcome it.
1. An installer or at least some good instructions for installing NSS and NSPR. Maybe even a site layout with download links for the latest releases would help. The main problem here is lack of documentation for anyone trying to learn how to sign files. There's a lot of documentation out there for signtool 1.3 but most of the examples don't work 'cause of the syntax changes: -option"value" has been changed to -option "value"
2. An option in signtool to make that file the first in the archive.



Well time to get to work. Got a search engine to redesign and 10 domains to transfer to a new Dedicated Server.


Jeff Klawiter
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
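
The ordering rule quoted in the message above (META-INF/zigbert.rsa must be the first file in the XPI) can be checked and repaired with a short script. This is an added example, not code from the thread or from Mozilla; the function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile

SIG_ENTRY = "META-INF/zigbert.rsa"  # signature file name from the commands quoted above


def signature_is_first(xpi_bytes: bytes) -> bool:
    """True if the entry stored at the lowest offset is the signature file."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        entries = zf.infolist()
        if not entries:
            return False
        # Use physical position in the file, not central-directory order.
        first = min(entries, key=lambda i: i.header_offset)
        return first.filename == SIG_ENTRY


def move_signature_first(xpi_bytes: bytes) -> bytes:
    """Rewrite the archive with the signature entry first; file contents are copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src:
        infos = src.infolist()
        if SIG_ENTRY not in [i.filename for i in infos]:
            raise ValueError("archive has no " + SIG_ENTRY)
        # Stable sort: signature entry first, all other entries keep their order.
        ordered = sorted(infos, key=lambda i: i.filename != SIG_ENTRY)
        with zipfile.ZipFile(out, "w") as dst:
            for info in ordered:
                if info.is_dir():
                    continue  # same effect as zip -D: no directory entries
                dst.writestr(info, src.read(info))
    return out.getvalue()


def build_sample(order):
    """Constructed sample archive with placeholder contents, entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            zf.writestr(name, b"placeholder for " + name.encode())
    return buf.getvalue()


if __name__ == "__main__":
    bad = build_sample(["install.js", "META-INF/manifest.mf",
                        "META-INF/zigbert.sf", SIG_ENTRY])
    print("before:", signature_is_first(bad))
    print("after: ", signature_is_first(move_signature_first(bad)))
```

The check only looks at entry order; it does not verify the signature itself.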
