I had figured my code wouldn't be used. That's why I said it was the wrong way of doing it, and I had sent an email to one of the NSS maintainers telling him of what I did and also telling him I don't blame him if he doesn't use it. I'm still going to use it myself since it's the only way for the time being for Mozilla to actually see an XPI as signed. I agree that the code should be fixed so it doesn't matter where the files are placed as long as they are there and are good. From what I can tell it's only a problem in the XPInstall module. Fixing it is on the future projects list here: http://www.mozilla.org/projects/security/components/
I intend to have my patched version for current developers available through my tutorial, once I can get a Windows version to compile. Man, it's a huge ass pain to get Mozilla to compile on Windows. I don't even know if I'm going to be able to since I don't have Visual C++. Last night I downloaded the Visual C++ 2003 toolkit, which had the files I was getting errors on, but now I'm getting errors on that. That's my next step tonight, to see what all the hubbub is. I also plan on looking at the XPI install code to see where it actually looks for that file and see if I can make it not care where it is.
This all stems off of a post in the netscape.public.mozilla.xpinstall by Doug Turner. He's not listed on the XPInstall maintainers list but he had posted the signed examples and what the bug was. The subject in the newsgroup was "Signed XPInstalls" and it was posted back in 2002. He said he was working on full support. Don't know what ever happened to that.
Well I'll do more searching in the XPInstall code later on. Gotta do some work that's gonna make me money before I can get a chance to do that.
Jeff Klawiter
Nelson B wrote:
Jeff,
Thanks for all your research on this subject.
I've been tangentially involved with JAR files ever since they first came around. I helped Tom Dell with the first implementation of Netscape's jar signing tool right after I started at Netscape in 1996. The specifications for JAR files are found in various places on Netscape and Sun web sites, and on third party sites. You can find one of the oldest specs here: http://developer.netscape.com/docs/manuals/signedobj/jarfile/index.html
Notice the first diagram in that document. The order in which the manifest.mn file and other files are placed in the JAR has been unchanged since the early days. Officially, the order shouldn't matter, but ever since the beginning the manifest file was the first one placed.
Sun's spec is here: http://java.sun.com/j2se/1.3/docs/guide/jar/jar.html
Now, apparently, beginning a couple years ago, mozilla requires the .[rd]sa files to be first. As far as I'm concerned, that's a bug in mozilla. The versions of mozilla that require that are incompatible with nearly ALL the jar files made before that. Different JAR signing tools are free to put the files in the order they wish. mozilla should be compatible with all of them. I'll mention it to Doug T tomorrow.
The patch you wrote will do what you apparently want it to do, namely put the .[dr]sa file first in the META-INF directory. You're welcome to use that patch all you want. But I think the right thing for mozilla is to fix the jar parsing code, so that the file order doesn't matter.
/Nelson
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
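The ordering issue discussed in this thread, as an added example that is not part of the original messages and is not Mozilla or NSS code: it locates the signing files in META-INF by name regardless of their position, and separately reports whether the signature block file is the first archive entry, which is what the thread says XPInstall expects. The file names and archive contents are constructed, and the script checks only presence and order, not the signature itself.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".rsa", ".dsa")

def classify_meta_inf(names):
    """Find the signing files in META-INF by name, ignoring archive order."""
    found = {"manifest": None, "signature_file": None, "signature_block": None}
    for name in names:
        lower = name.lower()
        if not lower.startswith("meta-inf/"):
            continue
        if lower.endswith(".mf"):
            found["manifest"] = name
        elif lower.endswith(".sf"):
            found["signature_file"] = name
        elif lower.endswith(SIG_BLOCK_EXT):
            found["signature_block"] = name
    return found

def inspect_archive(data):
    """Report entry order, which signing files exist, and whether the
    signature block file is the very first entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # central directory order
    found = classify_meta_inf(names)
    first = names[0].lower() if names else ""
    block_first = first.startswith("meta-inf/") and first.endswith(SIG_BLOCK_EXT)
    return {"order": names, "found": found,
            "complete": all(found.values()), "block_first": block_first}

def build_sample(order):
    """Build a constructed in-memory archive with entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed entry orders: manifest first (traditional) vs. signature block first.
MANIFEST_FIRST = ["META-INF/manifest.mf", "META-INF/example.sf",
                  "META-INF/example.rsa", "install.js"]
BLOCK_FIRST = ["META-INF/example.rsa", "META-INF/manifest.mf",
               "META-INF/example.sf", "install.js"]

if __name__ == "__main__":
    for label, order in (("manifest first", MANIFEST_FIRST), ("block first", BLOCK_FIRST)):
        r = inspect_archive(build_sample(order))
        print(label, "| complete:", r["complete"], "| block first:", r["block_first"])
```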
