David Tiertant wrote, On 2009-02-03 08:48 PST: > I'm working in InstallShield to create a web installer for one of our > software packages. The installer for IE builds fine, but Firefox > requires a Netscape certificate. InstallShield is supposed to build this > automatically, but something is wrong with my settings and I'm having > some difficulty getting the certificate created manually, using certutil > and signtool.
> I'm using NSS 3.6 because the InstallShield setup will look for cert7.db > instead of cert8.db. Newer versions of NSS create a cert8.db. I don't > know which version of NSPR I should be using. I know that signtool.exe > is Mozilla's version, not Microsoft's. David, I find your message intriguing, because it seems to say that InstallShield (a Microsoft product, yes?) wants to use NSS cert databases. In all of my nearly 13 years of working on NSS, this is the first time (that I can recall) that anyone has suggested that any Microsoft product wants to use NSS cert databases. So, I have numerous questions about all this. Is there any public documentation (e.g. on a web site) that explains about InstallShield's use of NSS and/or NSS cert databases? I can't tell what you're trying to do exactly with InstallShield and Firefox. I can't tell if you're trying to - create an InstallShield installer that installs Firefox itself, or - create an InstallShield installer that Firefox will download and process, for the purpose of installing some add-on for Firefox, or - something else You wrote "Firefox requires a Netscape certificate". I don't understand what you meant by that. There's no such thing as "a Netscape certificate", and Firefox does not require things that it downloads to be signed or to contain any certificate (AFAIK). Firefox downloads extensions in a format known as "XPI" which stands for "Cross Platform Installer". An XPI file is a JAR file, which is a ZIP file, whose contents are organized in a specific hierarchical directory structure. Like all JAR files, XPI files may be signed, but Firefox does not require that they be signed before downloading and installing them. I'm not aware that InstallShield is capable of making XPI files, so I'm really not sure what you're trying to do. I wonder if it is possible that InstallShield really does NOT want to use NSS, but rather that it is trying to run some Microsoft program, but has accidentally run some NSS program instead. As I recall, both NSS and Microsoft's Platform SDK (PSDK) have programs named signtool. Might InstallShield have run NSS's signtool when it intended to run PSDK's signtool instead? I suspect that the real solution you need will either - not involve NSS 3.6, or - not involve InstallShield but below, I will ignore that suspicion to address some specific issues. > The first thing I tried to do in cmd prompt was change to my working > directory and run certutil -N -d . > This prompted me to enter a password 3 times. 3 times? Doesn't sound right. > Then the program finished. It created 3 .db files. > > I ran... > > certutil -S -x -k rsa -n mozillaCertificate -s "CN=mozillaCertificate, > O=My Company, C=US" -t "TCu" -d . I think you're trying to create an object signing certificate. There's a lot more to it than that. If you generate your own self-signed object signing certificate, it may may signtool work, but the signed results will almost certainly not be satisfactory. In any case, to generate an object signing cert, you need different trust flags. Instead of "TCu", try ",,P". If that doesn't work, try ",,C". > I then closed my Mozilla apps and ran > signtool -p"mypassword123" -k mozillaCertificate . That command seems to lack the -d "directory" option, telling signtool the name of the directory in which to find the cert DBs. That will generally not be the same directory as the directory containing the contents of the JAR file being created. > It generated a bunch of files and then at zigbert.sf > signtool: PROBLEM signing data (Certificate not approved for this > operation) > the tree "." was NOT SUCCESSFULLY SIGNED That's probably because of the trust flag issue I described above, but could also be due to the absence of a -d option. More thoughts: Signtool is a tool for creating signed JAR files. The version of signtool in NSS 3.6 does not know how to create XPI files. That capability was added to signtool in NSS 3.10. I suggest you use NSS 3.11.x or 3.12.x for signing XPI files. FF2 uses NSS 3.11.x, FF3 uses NSS 3.12.x. Signtool has its own option for generating self-signed object signing certs. That might be more satisfactory than using certutil for that purpose. Self-signed object signing certs are intended for your own testing only, not for actual distribution of signed code (perhaps you knew that). If you have a code signing cert for signing Windows code, that should work for signing XPI files too. You will need to copy the cert and its private key into an NSS database by exporting them from Windows into a .p12 (.pfx) file and then importing that into NSS using NSS's pk12util. It's still not clear what signtool and XPI files have to do with InstallShield. I'd be really surprised if InstallShield makes any direct use of NSS. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
