Brian, something else you might like to try...

The "UTN-USERFirst-Object" Root CA happens to be cross-certified by the "AddTrust External CA Root" Root CA. Both Roots are owned by Comodo, and both are trusted by Firefox for the purpose of signing code.

You can download the cross-certificate from:
http://crt.comodoca.com/UTNAddTrustObjectCA.crt

If you include that cross-certificate when you sign your .jar, it just might work around the problem. (Note: I haven't tested this, so it might not work. Either way, some feedback would be appreciated :-) ).

On Tuesday 12 August 2008 05:42:35 Nelson B Bolyard wrote:
> bmo wrote, On 2008-08-11 20:22:
> > Summary: I suspect that there's something wrong with the BUILT-IN Root
> > CA cert UTN-USERFirst-Object in Firefox 3.0.1.
>
> Or perhaps something is wrong with the code that tells you about that
> cert.
>
> > We were issued a code signing certificate which was signed by the
> > UTN-USERFirst-Object cert built into Firefox (Comodo issues these). We
> > have successfully signed our jar file with the certificate (verified
> > with jarsigner -verify, etc.), however on Firefox 3.0.1 (on macosx),
> > when our jar is loaded, we get a 'this applet was signed by <company
> > name> however we cannot verify the signature' do you want to trust
> > this applet?
> >
> > Showing the details lists our certificate, derived from the built-in
> > UTN-USERFirst-Object certificate.
>
> Is your cert issued directly by the UTN-USERFirst-Object cert? Or is
> there an intermediate CA certificate in between your cert and that one?
>
> > Looking at the built-in certificates (using Preferences->Advanced->
> > Encryption, View Certificates) and scrolling down to The USERTrust
> > Network list of certs -- pick the last one in the list, Viewing the
> > certificate shows the message "Can't verify signature of this
> > certificate for unknown reasons".
>
> Yeah, I think that's a bug in the PSM UI code that displays that page.
> I think it says the cert is not verifiable when it actually is.
>
> > I suspect that that is the problem; I do note that firefox 2.x on
> > Windows does NOT display the scary dialog, and accepts the jar as
> > signed. It also displays the 'Can't verify signature of this
> > certificate for unknown reasons' message when viewing the built-in
> > certificate (Which, in reading the archives of bugs from 2005, may
> > mean something else entirely).
>
> Those facts alone should be pretty convincing that the cert is actually
> OK, but the UI says it's not for some unknown reason. :) (It's unknown
> why the UI says it can't be verified, and it's unknown why the UI says
> the reason is unknown.)
>
> > Can someone tell me:
> > 1) Why the built-in UTN-USERFirst-Object cert is not verifiable (why
> > is it in Firefox, then?)
>
> Let's call it a bug in the UI code. I'm pretty sure there's a really OLD
> bug filed about that UI code. Let's see...
> https://bugzilla.mozilla.org/show_bug.cgi?id=289988 filed in 2005 for FF1
> https://bugzilla.mozilla.org/show_bug.cgi?id=293154
> https://bugzilla.mozilla.org/show_bug.cgi?id=300071
>
> > 2) Why the behavior (if it's the same certificate in FF 2.x and
> > 3.0.1) is different between FF versions?
>
> That's a good question. Here are some things to investigate.
>
> Look at your cert in FF2. Look at the cert chain. Do you see only two
> certs? or three? or more?
>
> If you see a third cert in between yours and the "root" cert at the top,
> look for that cert in the Authorities tab, and see if it is in the
> "Builtin Object Token" or the "Software Security Device".
> Also, look in the tab for "your certificates" and see if your code signing
> cert is listed there.
> Then repeat these steps with FF3 and see if anything is different.
> Let us know.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ
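
What bundling a cross-certificate gives a verifier, as an added example that is not part of the original message or of any Mozilla or Comodo code: a path builder that chains certificates by issuer and subject name only. The two CA names come from the thread; the "Example Code Signer" leaf, the `Cert` tuple and `build_paths` are constructed for illustration, and no signatures, dates or trust bits are checked, so this does not reproduce Firefox's behaviour.

```python
# Constructed model: a certificate is reduced to a (subject, issuer) pair.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

UTN = "UTN-USERFirst-Object"
ADDTRUST = "AddTrust External CA Root"

LEAF = Cert("Example Code Signer", UTN)     # constructed code-signing cert
UTN_ROOT = Cert(UTN, UTN)                   # self-signed root
ADDTRUST_ROOT = Cert(ADDTRUST, ADDTRUST)    # self-signed root
UTN_CROSS = Cert(UTN, ADDTRUST)             # cross-cert: same subject, other issuer


def build_paths(leaf, bundled, anchors):
    """Return every name-chained path from leaf up to a trusted anchor.

    bundled: extra certs shipped with the signature (for example in the .jar).
    anchors: self-signed roots the verifier trusts for code signing.
    """
    paths = []

    def walk(path):
        tip = path[-1]
        # A path is complete when a trust anchor's name matches the issuer.
        for anchor in anchors:
            if anchor.subject == tip.issuer:
                paths.append(path + [anchor])
        # Otherwise try to climb through certs supplied with the signature.
        for cert in bundled:
            # Never reuse a cert, so mutual cross-certification cannot loop.
            if cert.subject == tip.issuer and cert not in path:
                walk(path + [cert])

    walk([leaf])
    return paths


def subjects(path):
    """Subject names along a path, leaf first."""
    return [c.subject for c in path]


if __name__ == "__main__":
    for bundled, anchors in (([], [ADDTRUST_ROOT]),
                             ([UTN_CROSS], [ADDTRUST_ROOT]),
                             ([UTN_CROSS], [UTN_ROOT, ADDTRUST_ROOT])):
        found = build_paths(LEAF, bundled, anchors)
        print(len(found), [subjects(p) for p in found])
```

With the cross-certificate bundled, a verifier that cannot use the UTN root still has a second route to a trusted anchor; without it, the only possible path ends at the UTN root.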