I recommend downloading the 3.10 beta version of signtool and then using the -X argument to make sure the signature is always first in the archive.
Conrad Carlen wrote:
I've signed my XPI with signtool, using the new signtool from the NSS trunk. My extension now shows up as signed when installing it into Firefox. So far, so good.
Then, I did this test:
(1) Unzip my signed XPI
(2) Change some text in its install.rdf file
(3) Re-zip it
(4) Install the modified XPI into Firefox.
At this point, it shows up as unsigned in the install dialog.
But, Firefox allows me to install it anyway, and the extension installs and works. If the signed archive has been altered in any way, it should alert the user and refuse to install it, no?
I then ran some tests at http://www.mozilla.org/projects/xpinstall/signed/testcases/
The signed-modified test behaved very differently - it shows up in the install dialog as signed (Hi DougT ;-)) but, on installing it, failed because "Signing could not be verified."
What would explain the difference here? My cert is a real cert from VeriSign, not the test cert that can be made with signtool.
Thanks, Conrad
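The ordering requirement from the reply at the top, as an added example that is not part of the original thread: a Python check that reports whether the physically first entry of an XPI is the signature block. It assumes the signature is stored under META-INF/ with an .rsa or .dsa extension (signtool writes META-INF/zigbert.rsa); the archives and the build_xpi helper are constructed for illustration.

```python
import io
import zipfile

SIG_EXTS = (".rsa", ".dsa")  # PKCS#7 signature block files in META-INF/


def is_signature_entry(name):
    """True for entries such as META-INF/zigbert.rsa (case-insensitive)."""
    return name.upper().startswith("META-INF/") and name.lower().endswith(SIG_EXTS)


def signature_position(xpi_bytes):
    """Classify an XPI as 'signature-first', 'signature-not-first' or
    'no-signature', based on the physical order of entries in the file."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        # Sort by local header offset: central-directory order can differ
        # from the order in which entries actually appear in the archive.
        entries = sorted(zf.infolist(), key=lambda i: i.header_offset)
    names = [e.filename for e in entries]
    if not any(is_signature_entry(n) for n in names):
        return "no-signature"
    return "signature-first" if is_signature_entry(names[0]) else "signature-not-first"


def build_xpi(names):
    """Hypothetical helper: build an in-memory archive with entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return buf.getvalue()


# Constructed samples: a correctly ordered archive, the same entries after a
# generic unzip/re-zip that put other files first, and an unsigned archive.
SIGNED = build_xpi(["META-INF/zigbert.rsa", "META-INF/manifest.mf",
                    "META-INF/zigbert.sf", "install.rdf", "chrome/ext.jar"])
REZIPPED = build_xpi(["chrome/ext.jar", "install.rdf", "META-INF/manifest.mf",
                      "META-INF/zigbert.rsa", "META-INF/zigbert.sf"])
UNSIGNED = build_xpi(["install.rdf", "chrome/ext.jar"])

if __name__ == "__main__":
    for label, data in (("signed", SIGNED), ("rezipped", REZIPPED), ("unsigned", UNSIGNED)):
        print(label, "->", signature_position(data))
```

This checks entry order only; it does not verify the signature or the per-file digests.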
