[EMAIL PROTECTED] wrote:
> I created the certificate request using certutil (from what I
> remember):
> certutil -R -s "CN=t, O=req, L=req, ST=req, C=RE" -p "555-555-5555" -o
> mycert.req -d ~/.xulapp

The problem with your end-entity cert (the one with the [EMAIL PROTECTED]
nickname) is that it doesn't have a (mandatory) extension which allows
its usage for code signing.

> I then signed the request using certutil as well:
> certutil -C -m 1234 -i mycert.req -o mycert.crt -c testcert -d ~/.ca

When you sign the request (and create the certificate) with certutil -C,
you should also specify the "-6" and "-5" options and select the
"Code Signing" and "Object Signing" usages like this:

        0 - Server Auth
        1 - Client Auth
        2 - Code Signing
        3 - Email Protection
        4 - Timestamp
        5 - OCSP Responder
        6 - Step-up
        Other to finish
        > 2
        0 - Server Auth
        1 - Client Auth
        2 - Code Signing
        3 - Email Protection
        4 - Timestamp
        5 - OCSP Responder
        6 - Step-up
        Other to finish
        > 9
        Is this a critical extension [y/N]?
        > n
        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
        > 3
        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
        > 9
        Is this a critical extension [y/N]?
        > n

["-6" and "Code Signing" for the extended key usage extension is usually
sufficient, but adding "-5" and selecting "Object Signing" shouldn't
hurt, either.]

This will create a certificate with the following two extensions:

        Signed Extensions:
            Name: Certificate Type
            Data: <Object Signing>

            Name: Extended Key Usage
                Code Signing Certificate

> So this seems to be the certificate that I can give out to people.

The certificate you would provide to other users is the CA certificate,
not the code signing certificate (the latter will be added to your
signed code when you use signtool, to the META-INF/zigbert.rsa file).

> But then how do I go about signing
> something without having to use testcert in the ~/.ca database?

Just use signtool with "-d ~/.xulapp" (as before) - the only reason it
previously failed was the lack of (one of) the extensions required for
code signing.

However, if your goal is to sign code which will get distributed to a
broad audience (such as an XPI for Firefox), then you should follow
Nelson's recommendation to get a code signing certificate from an
existing CA, whose root cert is already included in Mozilla (see
Nelson's replies in this thread).

Kaspar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
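The whole procedure from the thread (CA, request, signing with both extensions, import, and a check that the result is usable as an object signer), as an added example that is not code from the thread or from NSS itself. It assumes a current certutil on PATH, whose --extKeyUsage and --nsCertType keywords are the non-interactive form of the "-6" and "-5" menus; the directory names, nicknames and subject names are made up.

```shell
#!/bin/sh
# Added example, not code from the original thread: Kaspar's fix with
# current NSS certutil, whose --extKeyUsage / --nsCertType keywords
# replace the interactive "-6" / "-5" menus. Assumes certutil is on
# PATH; directory names, nicknames and subject names are made up.
set -eu

make_code_signing_cert() {
    command -v certutil >/dev/null 2>&1 || return 2   # NSS tools missing
    work=$(mktemp -d); ca="sql:$work/ca"; app="sql:$work/xulapp"
    mkdir -p "$work/ca" "$work/xulapp"
    head -c 64 /dev/urandom >"$work/noise"            # entropy for key generation
    certutil -N -d "$ca"  --empty-password
    certutil -N -d "$app" --empty-password

    # 1. Self-signed CA (-x). The three "-2" prompts (is CA? / path
    #    length / critical?) are answered on stdin; "-t CT,C,C" trusts
    #    it to issue SSL, e-mail and object-signing certificates.
    printf 'y\n\ny\n' | certutil -S -d "$ca" -z "$work/noise" -n testcert \
        -s "CN=Test CA,O=req,C=RE" -x -t "CT,C,C" -m 1 -v 120 -2

    # 2. End-entity request, as in the original post.
    certutil -R -d "$app" -z "$work/noise" \
        -s "CN=t,O=req,L=req,ST=req,C=RE" -o "$work/mycert.req"

    # 3. Sign it. codeSigning is item 2 of the "-6" (Extended Key Usage)
    #    menu; objectSigning is item 3 of the "-5" (Certificate Type) menu.
    certutil -C -d "$ca" -c testcert -m 1234 -v 12 \
        -i "$work/mycert.req" -o "$work/mycert.crt" \
        --extKeyUsage codeSigning --nsCertType objectSigning

    # 4. The CA cert is what other people receive; the signed leaf goes
    #    into the database signtool will use (-d ~/.xulapp in the thread).
    certutil -L -d "$ca" -n testcert -a >"$work/ca.pem"
    certutil -A -d "$app" -n testcert -t ",,C" -a -i "$work/ca.pem"
    certutil -A -d "$app" -n mycert -t ",," -i "$work/mycert.crt"

    # 5. The check: both extensions are present and the chain verifies
    #    for the object-signer usage (-u J), which is what signtool needs.
    certutil -L -d "$app" -n mycert | grep -q 'Code Signing'
    certutil -L -d "$app" -n mycert | grep -q 'Object Signing'
    certutil -V -d "$app" -n mycert -u J
}

case $(command -v certutil || true) in
    '') echo "certutil not found: install the NSS tools first" >&2 ;;
    *)  make_code_signing_cert ;;
esac
```

If step 5 fails on a certificate you signed elsewhere, `certutil -L -d <dir> -n <nick>` shows which of the two extensions is missing.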