[Project_owners] Code Signing - strange things afoot

Andy McDonald andy_mozdev at stemhaus.com
Thu Dec 29 16:53:05 EST 2005


I've been trying to sign my extension, and have run into a strange 
problem with the code-signing certificate I've been issued by Unizeto 
Certum (root CA _is_ installed in Firefox/Thunderbird). Relevant links:

A rather good how-to here: http://forums.tjworld.net/viewtopic.php?t=130

And the resulting issues I've been having in detail here: 
(I'm 'azzer'. But I'm not suggesting you follow this - I'm going to try 
to summarise in this e-mail)

I can successfully sign the xpi, and when I get the initial install 
dialog 'A website is requesting permission to install...', the extension 
appears as signed (which it is of course). When I hit install the chain 
of trust is checked, and I get an error indicating that that trust 
couldn't be established [aside: that trust should be checked by the time 
I see the initial install window, not after I confirm I want to install].

Now I think the issue is with either the certificate I was issued, or 
the properties of the Certum CA certificates, or (my suspicion) the 
application's handling of code-signing certificates: it's very difficult 
for me to summarise what I've learned (see the mozillazine link for gory 
details), but I think I have an equivalent question: in the Certificate 
Manager, 'View' the built-in certificate authority 
'UTN-USERFirst-Object': why does Firefox/Thunderbird report "Could not 
verify this certificate for unknown reasons."? This is essentially what 
I see when I install my own code-signing certificate in 
Firefox/Thunderbird and inspect it.

I'd love to get to the bottom of this, so thanks in advance,

More information about the Project_owners mailing list