bmo wrote, On 2008-08-11 20:22:
> Summary: I suspect that there's something wrong with the BUILT-IN Root
> CA cert UTN-USERFirst-Object in Firefox 3.0.1.

Or perhaps something is wrong with the code that tells you about that
cert.

> We were issued a code signing certificate which was signed by the UTN-
> USERFirst-Object cert built into Firefox (Comodo issues these).  We
> have successfully signed our jar file with the certificate (verified
> with jarsigner -verify, etc.), however on Firefox 3.0.1 (on macosx),
> when our jar is loaded, we get a 'this applet was signed by <company
> name> however we cannot verify the signature' do you want to trust
> this applet?
> 
> Showing the details lists our certificate, derived from the built-in
> UTN-USERFirst-Object certificate. 

Is your cert issued directly by the UTN-USERFirst-Object cert?  Or is
there an intermediate CA certificate in between your cert and that one?

> Looking at the built-in certificates (using Preferences->Advanced->
> Encryption, View Certificates) and scrolling down to The USERTrust
> Network list of certs -- pick the last one in the list. Viewing the
> certificate shows the message "Can't verify signature of this
> certificate for unknown reasons".

Yeah, I think that's a bug in the PSM UI code that displays that page.
I think it says the cert is not verifiable when it actually is.

> I suspect that that is the problem; I do note that firefox 2.x on
> Windows does NOT display the scary dialog, and accepts the jar as
> signed. It also displays the 'Can't verify signature of this
> certificate for unknown reasons' message when viewing the built-in
> certificate (Which, in reading the archives of bugs from 2005, may
> mean something else entirely).

Those facts alone should be pretty convincing that the cert is actually
OK, but the UI says it's not for some unknown reason. :)  (It's unknown
why the UI says it can't be verified, and it's unknown why the UI says
the reason is unknown.)

> Can someone tell me:
> 1) Why the built-in UTN-USERFirst-Object cert is not verifiable (why
> is it in Firefox, then?)

Let's call it a bug in the UI code.  I'm pretty sure there's a really OLD
bug filed about that UI code.  Let's see...
https://bugzilla.mozilla.org/show_bug.cgi?id=289988 filed in 2005 for FF1
https://bugzilla.mozilla.org/show_bug.cgi?id=293154
https://bugzilla.mozilla.org/show_bug.cgi?id=300071

> 2)  Why the behavior (if it's the same certificate in FF 2.x and
> 3.0.1) is different between FF versions?

That's a good question.  Here are some things to investigate.

Look at your cert in FF2.  Look at the cert chain.  Do you see only two
certs?  or three?  or more?

If you see a third cert in between yours and the "root" cert at the top,
look for that cert in the Authorities tab, and see if it is in the
"Builtin Object Token" or the "Software Security Device".
Also, look in the tab for "your certificates" and see if your code signing
cert is listed there.
Then repeat these steps with FF3 and see if anything is different.
Let us know.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
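The question in the reply above (is the code-signing cert issued directly by the root, or is there an intermediate CA in between?) is the crux of most "cannot verify the signature" failures: a verifier that trusts the root but is never handed the intermediate cannot build a path from the leaf to that root. The following Go program is an added example, not code from the thread or from Mozilla; it constructs its own three-tier hierarchy (root -> intermediate -> code-signing leaf, all hypothetical names) and runs path validation twice, once with the intermediate missing and once with it supplied, so the difference between a chain of two and a chain of three certificates can be seen directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn. When parent is nil the certificate
// is self-signed (a root); otherwise it is signed by parent with parentKey.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// The leaf is restricted to code signing, as a jar-signing cert would be.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain is a constructed hierarchy: Root signs Intermediate, which signs Leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain generates the three constructed certificates (hypothetical names).
func BuildChain() Chain {
	root, rootKey := makeCert(1, "Example Root CA (constructed)", true, nil, nil)
	inter, interKey := makeCert(2, "Example Intermediate CA (constructed)", true, root, rootKey)
	leaf, _ := makeCert(3, "Example Code Signer (constructed)", false, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf validates the leaf for code signing against a trust store that
// holds only the root. withIntermediate controls whether the intermediate is
// made available to the path builder, which is the situation a jar signature
// block that omits the intermediate puts a verifier in. It returns the length
// of the first chain found, or the verification error.
func VerifyLeaf(c Chain, withIntermediate bool) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Intermediate)
	}
	chains, err := c.Leaf.Verify(opts)
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	c := BuildChain()
	for _, with := range []bool{false, true} {
		n, err := VerifyLeaf(c, with)
		fmt.Printf("intermediate supplied=%v: chain length=%d err=%v\n", with, n, err)
	}
}
```

Without the intermediate the verifier reports an unknown authority even though the root is fully trusted, which is the same symptom as a browser that holds the UTN root but is never given the Comodo-issued intermediate; with it supplied the leaf validates with a three-certificate chain. When diagnosing a real jar, the equivalent check is whether the signature block in META-INF carries the intermediate alongside the signer's certificate.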
