Hi and thanks very much for the reply. Just to back things up a little
bit, I'll try to illustrate what I would like to accomplish. I work for
a software company and we typically distribute our software on CD media.
The software is fairly specialized and only works when connected to a
server, either on the customer site or hosted by a team of our
consultants. To cut down on distribution costs and eliminate the waiting
period for our users between placing an order and receiving the
software, we're going to try to install the software over the web. So
InstallShield will build a bunch of files and we'll load them onto the
server and the customer will have a private URL to download and update
their software. A test example is shown in the first link.
http://david.tiertant.com/installshield/001.jpg
As we can see, this process works as expected in Internet Explorer. But...
http://david.tiertant.com/installshield/002.jpg
When we test in Firefox, the installer hangs, with the error at the
bottom left: Applet ISSetupApplet notinited. Oops.
http://david.tiertant.com/installshield/003.jpg
So in InstallShield, I set "Browsers to Support" to include Netscape, on
which Firefox was built. As noted, "If you want the installation to
support Netscape Communicator, you must supply certificate information."
So I've done this.
Unfortunately, the process is hardly automatic. InstallShield Support
tells me to download NSS, NSPR and extract the packages to the working
directory (Netscape Certificate Path in the last screenshot) and
certutil and signtool will build the certificate in the same directory.
All I should have to do is specify basic info in these 3 Netscape fields
in InstallShield. InstallShield should take care of the rest. It should
automatically create a signed install.jar, but it doesn't. See the nasty
error below.
http://david.tiertant.com/installshield/004.jpg
So InstallShield Support wants me to verify that certutil and signtool
are functioning manually. The error code and KB article referenced, if
anyone is curious, is here:
http://kb.acresso.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Q108219&sliceId=1&docTypeID=DT_ERRDOC_1_1&dialogID=44705413&stateId=0%200%2044701989
A lot of troubleshooting went into this before ending up with this build
error. One thing I remember distinctly is that InstallShield was looking
for cert7.db instead of the cert8.db that I had created with a newer
version of NSS, thus prompting the downgrade. InstallShield came
packaged with a Microsoft version of signtool, so I made sure to get the
Netscape version, shown here:
http://david.tiertant.com/installshield/005.jpg
InstallShield Support doesn't feel like working with me again until I've
verified that the process is working manually. Hehe...A couple of days
ago, I got to the point where I successfully created a test certificate
using the syntax previously mentioned, but signtool failed to sign it. I
specified the working directory using -d .
I think you may be on to something with the trust flags being off. I'll
try to rebuild the certificate and databases using different flags,
import them into Firefox, and we'll see what happens...
Thanks again,
David
Nelson B Bolyard wrote:
> David Tiertant wrote, On 2009-02-03 08:48 PST:
> > I'm working in InstallShield to create a web installer for one of our
> > software packages. The installer for IE builds fine, but Firefox
> > requires a Netscape certificate. InstallShield is supposed to build this
> > automatically, but something is wrong with my settings and I'm having
> > some difficulty getting the certificate created manually, using certutil
> > and signtool.
> > I'm using NSS 3.6 because the InstallShield setup will look for cert7.db
> > instead of cert8.db. Newer versions of NSS create a cert8.db. I don't
> > know which version of NSPR I should be using. I know that signtool.exe
> > is Mozilla's version, not Microsoft's.
>
> David,
> I find your message intriguing, because it seems to say that InstallShield
> (a Microsoft product, yes?) wants to use NSS cert databases. In all of my
> nearly 13 years of working on NSS, this is the first time (that I can
> recall) that anyone has suggested that any Microsoft product wants to use
> NSS cert databases. So, I have numerous questions about all this.
> Is there any public documentation (e.g. on a web site) that explains
> about InstallShield's use of NSS and/or NSS cert databases?
> I can't tell what you're trying to do exactly with InstallShield and
> Firefox. I can't tell if you're trying to
> - create an InstallShield installer that installs Firefox itself, or
> - create an InstallShield installer that Firefox will download and
> process, for the purpose of installing some add-on for Firefox, or
> - something else
> You wrote "Firefox requires a Netscape certificate". I don't understand
> what you meant by that. There's no such thing as "a Netscape certificate",
> and Firefox does not require things that it downloads to be signed or to
> contain any certificate (AFAIK). Firefox downloads extensions in a format
> known as "XPI" which stands for "Cross Platform Installer". An XPI file
> is a JAR file, which is a ZIP file, whose contents are organized in a
> specific hierarchical directory structure. Like all JAR files, XPI files
> may be signed, but Firefox does not require that they be signed before
> downloading and installing them. I'm not aware that InstallShield is
> capable of making XPI files, so I'm really not sure what you're trying to do.
> I wonder if it is possible that InstallShield really does NOT want to
> use NSS, but rather that it is trying to run some Microsoft program,
> but has accidentally run some NSS program instead. As I recall, both
> NSS and Microsoft's Platform SDK (PSDK) have programs named signtool.
> Might InstallShield have run NSS's signtool when it intended to run
> PSDK's signtool instead?
> I suspect that the real solution you need will either
> - not involve NSS 3.6, or
> - not involve InstallShield
> but below, I will ignore that suspicion to address some specific issues.
>
> > The first thing I tried to do in cmd prompt was change to my working
> > directory and run certutil -N -d .
> > This prompted me to enter a password 3 times.
>
> 3 times? Doesn't sound right.
>
> > Then the program finished. It created 3 .db files.
> > I ran...
> > certutil -S -x -k rsa -n mozillaCertificate -s "CN=mozillaCertificate,
> > O=My Company, C=US" -t "TCu" -d .
>
> I think you're trying to create an object signing certificate. There's
> a lot more to it than that. If you generate your own self-signed object
> signing certificate, it may make signtool work, but the signed results will
> almost certainly not be satisfactory.
> In any case, to generate an object signing cert, you need different trust
> flags. Instead of "TCu", try ",,P". If that doesn't work, try ",,C".
>
> > I then closed my Mozilla apps and ran
> > signtool -p"mypassword123" -k mozillaCertificate .
>
> That command seems to lack the -d "directory" option, telling signtool
> the name of the directory in which to find the cert DBs. That will
> generally not be the same directory as the directory containing the
> contents of the JAR file being created.
>
> > It generated a bunch of files and then at zigbert.sf
> > signtool: PROBLEM signing data (Certificate not approved for this
> > operation)
> > the tree "." was NOT SUCCESSFULLY SIGNED
>
> That's probably because of the trust flag issue I described above, but
> could also be due to the absence of a -d option.
>
> More thoughts:
> Signtool is a tool for creating signed JAR files.
> The version of signtool in NSS 3.6 does not know how to create XPI files.
> That capability was added to signtool in NSS 3.10. I suggest you use
> NSS 3.11.x or 3.12.x for signing XPI files. FF2 uses NSS 3.11.x,
> FF3 uses NSS 3.12.x.
> Signtool has its own option for generating self-signed object signing certs.
> That might be more satisfactory than using certutil for that purpose.
> Self-signed object signing certs are intended for your own testing only,
> not for actual distribution of signed code (perhaps you knew that).
> If you have a code signing cert for signing Windows code, that should work
> for signing XPI files too. You will need to copy the cert and its private
> key into an NSS database by exporting them from Windows into a .p12 (.pfx)
> file and then importing that into NSS using NSS's pk12util.
> It's still not clear what signtool and XPI files have to do with
> InstallShield. I'd be really surprised if InstallShield makes any direct
> use of NSS.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
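
The three-field layout of the certutil -t argument behind the ",,P" suggestion in the thread above, as an added example that is not part of the thread or of NSS: the fields are SSL, e-mail and object signing, in that order, so "TCu" fills only the SSL field. The function names, and the rule that P or C in the third field is what counts for signing, are assumptions of this sketch taken from the two values suggested in the reply; NSS's real chain validation does more.

```python
# Added example: decode a certutil -t trust string into its three fields.
# Flag letters follow the certutil documentation; the "trusted for object
# signing" rule below is a simplification (assumption), not NSS's own logic.

FLAG_MEANINGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "u": "user certificate (private key present)",
    "w": "send warning",
}
FIELDS = ("ssl", "email", "object_signing")


def parse_trust(arg):
    """Split 'ssl,email,objsign' into a dict; missing fields are empty."""
    parts = arg.split(",")
    if len(parts) > 3:
        raise ValueError("trust string has more than three fields: %r" % arg)
    parts += [""] * (3 - len(parts))
    return dict(zip(FIELDS, parts))


def describe(arg):
    """Return {field: [meaning, ...]} with unknown letters called out."""
    return {
        field: [FLAG_MEANINGS.get(f, "unrecognized flag %r" % f) for f in flags]
        for field, flags in parse_trust(arg).items()
    }


def object_signing_trusted(arg):
    """True if the third field carries P or C, the values tried in the thread."""
    flags = parse_trust(arg)["object_signing"]
    return any(f in flags for f in "PC")


if __name__ == "__main__":
    # "TCu" is the value from the failing command; the others are the
    # replacements suggested in the reply.
    for value in ("TCu", ",,P", ",,C"):
        verdict = "trusted" if object_signing_trusted(value) else "NOT trusted"
        print("%-5r object signing: %s  %s" % (value, verdict, describe(value)))
```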