Re: Signed Script has no privileges

[Chris Waterson]

I had a problem with similar symptoms, but eventually managed to get things to work. (I had to do a debug build of Mozilla to figure out what was wrong, though! My specific problem was not putting the META-INF directory in the right place.)

Here's what I did.

1. Created a script that asks for elevated privileges using netscape.security.PrivilegeManager.enablePrivilege. Specifically, it's an inline script in the <head> of the HTML document, and it asks for the UniversalXPConnect privilege. I called it "test.html", and put it in a directory called "test".

~$ mkdir test
~$ cd test
~/test$ emacs test.html
(etc.)


2. Created a dummy certificate database in /tmp:

~/test$ cd
~$ certutil -d /tmp -N


3. Created an object signing certificate called "mycert":

~$ signtool -d /tmp -G mycert

This creates a file called "x509.cacert".


4. Uploaded x509.cacert to my webserver, and made sure that it would deliver it as "application/x-x509-ca-cert":

~$ scp x509.cacert mywebserver:/var/www/html


5. Installed the resulting x509.cacert into my browser by loading x509.cacert from my web server; i.e., visiting http://mywebserver/x509.cacert. This asked me if I wanted to trust the cert, etc.


6. Signed the test directory using signtool:

~$ cd test
~/test$ signtool -d /tmp -k mycert .


7. Created a .jar file from the test directory using zip:

~/test$ zip -r ../test.jar .


8. Put the JAR file on the webserver (in the root document directory):

~/test$ scp ~/test.jar mywebserver:/var/www/html


9. Loaded the file using

jar:http://mywebserver/test.jar!/test.html


At this point, I was able to run the script, grant it privileges, and exercise some XPConnect code. I used the NSS tools from nss-3.6 with nspr-4.1.2, and the latest version of Mozilla 1.2. Seems to work fine in NSCP7, as well.

Hope that helps!

chris



Christian Biesinger wrote:

Pref TestHello!
I tried out signed scripts today, and have some problems. Firstly, I
have created a HTML file (see below) which does
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect").
Then I put it in the directory "pref" and called this command:
./signtool -k"biesi" -Z"pref.jar" pref
(my cert is nicknamed biesi)

There were apparently no errors, and "unzip -l pref.jar" shows these files:
730 06-07-02 15:35 test.html
241 06-07-02 15:35 META-INF/manifest.mf
349 06-07-02 15:35 META-INF/zigbert.sf
3375 06-07-02 15:35 META-INF/zigbert.rsa

However, if I put pref.jar on my server and connect to it like:
jar:http://server/~chb/pref.jar!/test.html
I get undefined in the textfield, and an error message in JS Console
("Error: uncaught exception: enablePrivilege not granted"). I did not
get a dialog asking for the requested privileges.


Did I do something wrong?