David Tiertant wrote, On 2009-02-03 08:48 PST:
I'm working in InstallShield to create a web installer for one of our
software packages. The installer for IE builds fine, but Firefox
requires a Netscape certificate. InstallShield is supposed to build this
automatically, but something is wrong with my settings and I'm having
some difficulty getting the certificate created manually, using certutil
and signtool.
I'm using NSS 3.6 because the InstallShield setup will look for cert7.db
instead of cert8.db. Newer versions of NSS create a cert8.db. I don't
know which version of NSPR I should be using. I know that signtool.exe
is Mozilla's version, not Microsoft's.
David,
I find your message intriguing, because it seems to say that InstallShield
(a Microsoft product, yes?) wants to use NSS cert databases. In all of my
nearly 13 years of working on NSS, this is the first time (that I can
recall) that anyone has suggested that any Microsoft product wants to use
NSS cert databases. So, I have numerous questions about all this.
Is there any public documentation (e.g. on a web site) that explains
about InstallShield's use of NSS and/or NSS cert databases?
I can't tell what you're trying to do exactly with InstallShield and
Firefox. I can't tell if you're trying to
- create an InstallShield installer that installs Firefox itself, or
- create an InstallShield installer that Firefox will download and
process, for the purpose of installing some add-on for Firefox, or
- something else
You wrote "Firefox requires a Netscape certificate". I don't understand
what you meant by that. There's no such thing as "a Netscape certificate",
and Firefox does not require things that it downloads to be signed or to
contain any certificate (AFAIK). Firefox downloads extensions in a format
known as "XPI" which stands for "Cross Platform Installer". An XPI file
is a JAR file, which is a ZIP file, whose contents are organized in a
specific hierarchical directory structure. Like all JAR files, XPI files
may be signed, but Firefox does not require that they be signed before
downloading and installing them. I'm not aware that InstallShield is
capable of making XPI files, so I'm really not sure what you're trying to do.
I wonder if it is possible that InstallShield really does NOT want to
use NSS, but rather that it is trying to run some Microsoft program,
but has accidentally run some NSS program instead. As I recall, both
NSS and Microsoft's Platform SDK (PSDK) have programs named signtool.
Might InstallShield have run NSS's signtool when it intended to run
PSDK's signtool instead?
I suspect that the real solution you need will either
- not involve NSS 3.6, or
- not involve InstallShield
but below, I will ignore that suspicion to address some specific issues.
The first thing I tried to do in cmd prompt was change to my working
directory and run certutil -N -d .
This prompted me to enter a password 3 times.
3 times? Doesn't sound right.
Then the program finished. It created 3 .db files.
I ran...
certutil -S -x -k rsa -n mozillaCertificate -s "CN=mozillaCertificate,
O=My Company, C=US" -t "TCu" -d .
I think you're trying to create an object signing certificate. There's
a lot more to it than that. If you generate your own self-signed object
signing certificate, it may may signtool work, but the signed results will
almost certainly not be satisfactory.
In any case, to generate an object signing cert, you need different trust
flags. Instead of "TCu", try ",,P". If that doesn't work, try ",,C".
I then closed my Mozilla apps and ran
signtool -p"mypassword123" -k mozillaCertificate .
That command seems to lack the -d "directory" option, telling signtool
the name of the directory in which to find the cert DBs. That will
generally not be the same directory as the directory containing the
contents of the JAR file being created.
It generated a bunch of files and then at zigbert.sf
signtool: PROBLEM signing data (Certificate not approved for this
operation)
the tree "." was NOT SUCCESSFULLY SIGNED
That's probably because of the trust flag issue I described above, but
could also be due to the absence of a -d option.
More thoughts:
Signtool is a tool for creating signed JAR files.
The version of signtool in NSS 3.6 does not know how to create XPI files.
That capability was added to signtool in NSS 3.10. I suggest you use
NSS 3.11.x or 3.12.x for signing XPI files. FF2 uses NSS 3.11.x,
FF3 uses NSS 3.12.x.
Signtool has its own option for generating self-signed object signing certs.
That might be more satisfactory than using certutil for that purpose.
Self-signed object signing certs are intended for your own testing only,
not for actual distribution of signed code (perhaps you knew that).
If you have a code signing cert for signing Windows code, that should work
for signing XPI files too. You will need to copy the cert and its private
key into an NSS database by exporting them from Windows into a .p12 (.pfx)
file and then importing that into NSS using NSS's pk12util.
It's still not clear what signtool and XPI files have to do with
InstallShield. I'd be really surprised if InstallShield makes any direct
use of NSS.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
