Well, as I said before, my C skills suck. I have found a temporary measure that will make signtool return a signed archive that is seen as signed by Mozilla. First off, let me say that I know this way is one of the Totally WRONG Ways of doing it, but it works... I'm trying to understand all the code and figure out a better way of doing it. In the SignArchive function found in mozilla/security/nss/cmd/signtool/sign.c, it runs the manifesto function to create and sign a list of files. Also, while it's doing that, if the zip file is opened it will add the files to the zip file. So my fix is to run the manifesto before the zip file is opened, open the zip file, add the META-INF files to the zip file (with the zigbert.rsa being added first) and finally run the manifesto again, which adds them to the zip file. I know running the manifesto twice is a stupid way to do it, but it's a fast hack that gets signtool to do what I want it to do. On a Pentium 4 HT 3.06 GHz the performance doesn't matter to me.
I've included a patch file (the first I have ever made...).
I made the patch file in the directory itself, so:
cd mozilla/security/nss/cmd/signtool/
patch -i make_signed_jar.patch
Let me know what you all think. I made the patch file against the current sign.c as of today at noon. I ran a full CVS update against the Mozilla 1.7 source tarball I downloaded. (First time I've ever used CVS, too.)
Jeff Klawiter
Jeff Klawiter wrote:
Well, I solved the problem. I guess the META-INF/zigbert.rsa needs to be the first file in the .xpi file. I found my answer on the netscape.public.mozilla.xpinstall newsgroup. It was posted back in 2002. I can't believe things aren't easier two years later.
Are there any plans on expanding signtool to have some XPI options that would put that file first, or maybe a cross-platform app that would include the code signing capability that would be as easy to use as Microsoft's signtool.exe signwizard? This morning at 8:30 am when I updated our toolbar to the new certificate it took me 5 minutes total from downloading the new cert to uploading the newly signed application. It then took me until 11 pm to finally find the information I needed to get the Mozilla version of the toolbar signed. I scoured Google and mozilla.org for hours trying to find the information. I am currently writing a tutorial to help out others.
Just the lack of documentation on installing things like NSS and NSPR got annoying. What is very much needed is a good Code Signing and Certification Suite for Mozilla. For all its technical goodness, it seems the Mozilla-based world is lacking some good development tools. There are many fledgling XUL building apps out there, but none near the power of something like Visual Basic, DreamWeaver, or heck, even Word. Personally I'd love to see Macromedia create a XUL building program based off of Mozilla. It's got all the basic tools there; it just needs the rendering engine to be run with the GRE.
Ok, done with my tirade. It's past midnight, need sleep. Don't mind me. I still love Mozilla, Linux and anything open source. There's just still lots to be done.
Jeff Klawiter
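As an added example (not code from this thread, from NSS or from signtool): a small Python check for the entry-order requirement Jeff ran into above, plus a rewrite that moves META-INF/zigbert.rsa to the front of an already signed .xpi without re-signing. It assumes, as the thread reports, that the browser only treats the archive as signed when the .rsa block is the first entry, while signtool's own -w/-v verification passes regardless of order. The sample archive, its placeholder META-INF contents and all helper names (`entry_order`, `move_signature_first`, `build_sample_xpi`) are constructed for this example.

```python
"""Added example: check and repair META-INF entry order in a signed XPI.

Assumption (from the thread): Mozilla only treats an .xpi as signed when
META-INF/zigbert.rsa is the first archive entry, while `signtool -w`
passes regardless of entry order. This checks the order and, if needed,
rewrites the archive with the signature block first. The sample archive
and META-INF contents below are constructed placeholders, not real data.
"""
import io
import zipfile

# Default name of the PKCS#7 signature block signtool emits.
SIG_BLOCK = "META-INF/zigbert.rsa"


def entry_order(xpi_bytes: bytes) -> list[str]:
    """Entry names in the order the archive's central directory lists them."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def read_entry(xpi_bytes: bytes, name: str) -> bytes:
    """Contents of one entry, used to confirm a rewrite changed no data."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return zf.read(name)


def signature_is_first(xpi_bytes: bytes, sig_block: str = SIG_BLOCK) -> bool:
    """True when the signature block is entry 0, the order the browser wants."""
    names = entry_order(xpi_bytes)
    return bool(names) and names[0] == sig_block


def move_signature_first(xpi_bytes: bytes, sig_block: str = SIG_BLOCK) -> bytes:
    """Rewrite the archive with sig_block as the first entry.

    Every other entry keeps its relative order, data, timestamp and
    compression method. The digests in manifest.mf and zigbert.sf cover
    file contents, not archive position, so the existing signature stays
    valid and no re-signing is needed.
    """
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src:
        infos = src.infolist()
        sig = [i for i in infos if i.filename == sig_block]
        if not sig:
            raise ValueError(f"{sig_block} not found; archive is not signed")
        ordered = sig + [i for i in infos if i.filename != sig_block]
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for info in ordered:
                data = src.read(info.filename)
                # Passing the ZipInfo keeps metadata and compress_type intact.
                dst.writestr(info, data)
    return out.getvalue()


def build_sample_xpi(signed: bool = True) -> bytes:
    """Constructed stand-in for psitoolbar.xpi, with entries in the order
    the thread's `signtool -Z` run added them (signature block last)."""
    entries = [
        ("install.js", b"// constructed install script placeholder\n"),
        ("psitoolbar.jar", b"constructed jar placeholder"),
    ]
    if signed:
        entries += [
            ("META-INF/manifest.mf", b"Manifest-Version: 1.0\n"),
            ("META-INF/zigbert.sf", b"Signature-Version: 1.0\n"),
            ("META-INF/zigbert.rsa", b"constructed PKCS#7 placeholder"),
        ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    xpi = build_sample_xpi()
    state = "ok" if signature_is_first(xpi) else "signature block NOT first"
    print("before:", entry_order(xpi), state)
    fixed = move_signature_first(xpi)
    state = "ok" if signature_is_first(fixed) else "signature block NOT first"
    print("after: ", entry_order(fixed), state)
```

To use it on a real archive, read the .xpi into bytes, run `signature_is_first` as a post-signing check alongside `signtool -w`, and write the result of `move_signature_first` back out when the check fails; the rewrite is idempotent, so running it on an archive that is already in the right order changes nothing.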
Jeff Klawiter wrote:
Ok, I've spent all day doing all this. We have a code signing certificate that we use for our internet explorer toolbar. It was issued through Thawte and renewed today.
After hours of reading and scouring the web for information I was able to get the certificate converted and imported into my firefox cert database. I then downloaded NSS 3.9 and NSPR 4.4.1. I have spent the last few hours signing my files over and over again just for mozilla and firefox to say they are not signed.
Ok, the XPI file is as follows
psitoolbar.jar (which contains a contents folder with the xul and js files in it).
install.js
I have created it many ways. First I tried creating the psitoolbar.jar by
signtool.exe -d "c:\path\to\my\firefox\profile" -k "PSI" -i "psitoolbar/install.js" -p "mypassword" -Z psitoolbar.jar contents
then I moved the psitoolbar.jar into the psitoolbar folder that also contains install.js. I then run something along the lines of this:
signtool.exe -d "c:\path\to\my\firefox\profile" -k "PSI" -i "psitoolbar/install.js" -p "mypassword" -Z psitoolbar.xpi psitoolbar
->
using certificate directory: c:\path\to\my\firefox\profile
Generating psitoolbar/META-INF/manifest.mf file..
--> install.js
adding psitoolbar/install.js to psitoolbar.xpi...(deflated 53%)
--> psitoolbar.jar
adding psitoolbar/psitoolbar.jar to psitoolbar.xpi...(deflated 6%)
Generating zigbert.sf file..
adding psitoolbar/META-INF/manifest.mf to psitoolbar.xpi...(deflated 28%)
adding psitoolbar/META-INF/zigbert.sf to psitoolbar.xpi...(deflated 35%)
adding psitoolbar/META-INF/zigbert.rsa to psitoolbar.xpi...(deflated 24%)
tree "psitoolbar" signed successfully
Then to verify I run
signtool.exe -d "c:\path\to\my\firefox\profile" -k "PSI" -i "psitoolbar/install.js" -p "mypassword" -w psitoolbar.xpi
->
using certificate directory: c:\path\to\my\firefox\profile
Signer information:
nickname: PSI
subject name: L=Osceola,ST=Wisconsin,C=US,OU=Web Dept,O=PhotoSource International,CN=PhotoSource International
issuer name: CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
After that I run the verify and get back:
using certificate directory: c:\path\to\my\firefox\profile
archive "psitoolbar.xpi" has passed crypto verification.

status        path
------------  -------------------
verified      install.js
verified      psitoolbar.jar
When I try to install it in firefox or mozilla they both say it's unsigned. I've tried many ways of doing this. I've not signed the psitoolbar.jar and just had it signed when I created the psitoolbar.xpi. I've tried tons of naming conventions, even designating the install script with the -i option and always end up at the same point. Signtool tells me it's all signed but Mozilla and Firefox say it's not signed.
Can anyone help me?
Jeff Klawiter
Webmaster
PhotoSource International
--- sign.c 2003-01-30 18:11:13.000000000 -0500
+++ new_sign.c 2004-06-23 15:38:27.000000000 -0400
@@ -73,22 +73,18 @@
metafile = meta_file;
optimize = _optimize;
+
if(zip_file) {
zipfile = JzipOpen(zip_file, NULL /*no comment*/);
}
-
manifesto (tree, install_script, recurse);
- if (keyName)
- {
- status = create_pk7 (tree, keyName, &keyType);
- if (status < 0)
- {
- PR_fprintf(errorFD, "the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n", tree);
- errorCount++;
- exit (ERRX);
- }
- }
+ /* rsa/dsa to zip */
+
+ sprintf (tempfn, "META-INF/%s.%s", base, (keyType==dsaKey ? "dsa" : "rsa"));
+ sprintf (fullfn, "%s/%s", tree, tempfn);
+ JzipAdd(fullfn, tempfn, zipfile, compression_level);
+
/* mf to zip */
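Review bot: in the `/* rsa/dsa to zip */` block added here, `keyType` is consulted (`keyType==dsaKey ? "dsa" : "rsa"`) before `create_pk7 (tree, keyName, &keyType)` has run, since that call is removed from this position and only happens later in the function; at this point `keyType` still holds whatever it was initialised to, so a DSA key would be written out under a `.rsa` name. The same ordering means the file being added has not been produced yet if `create_pk7` is what writes the signature block, as the original placement (create_pk7 first, then the rsa/dsa `JzipAdd`) implies; on a clean tree `JzipAdd(fullfn, tempfn, zipfile, compression_level)` is handed a path that does not exist and its return value is not checked. The old `if (keyName)` guard is also dropped, so the `.rsa`/`.dsa` entry is added even on a run with no signing key. Finally, the cover note describes running `manifesto` once before the zip is opened and again afterwards, but this hunk still shows a single `manifesto (tree, install_script, recurse);` after `JzipOpen`, so the description and the patch do not match. Suggest keeping `create_pk7` and its error check ahead of this `JzipAdd`, restoring the `if (keyName)` guard around it, and checking `JzipAdd`'s return value.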
@@ -102,11 +98,18 @@
sprintf (fullfn, "%s/%s", tree, tempfn);
JzipAdd(fullfn, tempfn, zipfile, compression_level);
- /* rsa/dsa to zip */
- sprintf (tempfn, "META-INF/%s.%s", base, (keyType==dsaKey ? "dsa" : "rsa"));
- sprintf (fullfn, "%s/%s", tree, tempfn);
- JzipAdd(fullfn, tempfn, zipfile, compression_level);
+ if (keyName)
+ {
+ status = create_pk7 (tree, keyName, &keyType);
+ if (status < 0)
+ {
+ PR_fprintf(errorFD, "the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n", tree);
+ errorCount++;
+ exit (ERRX);
+ }
+ }
+
JzipClose(zipfile);
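Review bot: the relocated `if (keyName) { status = create_pk7 (...) }` block now runs after `manifest.mf` and the `.sf` file have already been written into the archive, and its failure path still calls `exit (ERRX)` without reaching `JzipClose(zipfile)`, so a signing failure leaves a partially written, unclosed archive on disk alongside the "NOT SUCCESSFULLY SIGNED" message. Suggest closing (or removing) the output archive before `exit`. Also, with the `/* rsa/dsa to zip */` `JzipAdd` removed from this position, nothing between this `create_pk7` call and `JzipClose(zipfile)` adds the signature block it produces to the archive, so a fresh `.rsa`/`.dsa` generated here never reaches the zip in this pass; that is the behaviour the cover note works around by running the tool twice, and it should at least be documented in a comment next to the call.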
