atom feed2 messages in org.mozilla.lists.dev-platformRe: signing an xpi file: certificate ...
FromSent OnAttachments
Larry BaerMar 16, 2006 8:28 am 
Dan VeditzMar 16, 2006 1:41 pm 
Subject:Re: signing an xpi file: certificate chains not supported?
From:Dan Veditz (dved@yahoo.com)
Date:Mar 16, 2006 1:41:55 pm
List:org.mozilla.lists.dev-platform

Larry Baer wrote:

I'm using a Verisign certificate purchased for my IE plugin and imported into Firefox (following directions from Verisign tech support). I thought I had finally succeeded in signing my xpi file but when

Was it a "Netscape code signing" cert? A MS Authenticode cert will not work.

It's quite possible I've mucked something up in the code signing process but I believe I've run into bug 321156, https://bugzilla.mozilla.org/show_bug.cgi?id=321156, which seems to be about Mozilla not recognizing certain kinds of certificates in a certificate chain, even though the intermediate certificates are in the .rsa file in the signed xpi file.

You can test whether this is the cause by manually installing the intermediate certs locally and see if the problem goes away (for you, only). If it doesn't go away you've got another problem. If it does then you've got to get your cert re-issued by an intermediate with the right bits.

The recommended workaround is:

All of those come down to "get another cert", they aren't things you can do yourself. Verisign should be able to reissue a working cert though. I've gotten working code-signing certs from them, and this 321156 bug is not describing a new bug despite the more recent number. Maybe it was filed recently because Verisign recently changed how they issue their certs?