Signing XPI

Adriano Bonat Thu, 24 Sep 2009 21:10:10 -0700

Hi guys,

I'm trying to sign a Firefox extension (XPI) using a code signing
certificate bought from GoDaddy, but Firefox is rejecting the XPI file
saying "signing could not be verified. -260".


I already tried to sign the XPI using a certificate issued by GoDaddy,
and with another issued by Starfield.

Here are the steps that I'm following to sign the file:
1. Tried to install the GoDaddy/Starfield intermediate certificate but
browser says that it is already installed;
2. I install the code signing certificate, it shows OK in the "Your
certificates" tab in Firefox' preferences;
3. I'm using Mac OS X 10.6.1, and installed package "nss" from
MacPorts, so using nss-certutil on my Firefox 3.5 profile dir:
$ nss-certutil -d . -L

Certificate Nickname                                         Trust
Attributes
                                                             SSL,S/
MIME,JAR/XPI

VeriSign Class 3 Extended Validation SSL CA                  ,,
Thawte SGC CA                                                ,,
UTN-USERFirst-Hardware                                       ,,
VeriSign Class 3 Secure Server CA - G2                       ,,
Akamai Subordinate CA 3                                      ,,
Entrust Certification Authority - L1B                        ,,
Google Internet Authority                                    ,,
VeriSign Class 3 Secure Server CA                            ,,
PositiveSSL CA                                               ,,
Go Daddy Secure Certification Authority                      ,,
DigiCert Global CA                                           ,,
COMPANYNAME LLC's Starfield Technologies, Inc. ID            u,u,u
GlobalSign Extended Validation CA                            ,,
VeriSign Class 3 Extended Validation SSL SGC CA              ,,
VeriSign, Inc.                                               ,,
Microsoft Internet Authority                                 ,,
Starfield Secure Certification Authority                     ,,
RSA Public Root CA v1                                        ,,
Sun Microsystems Inc SSL CA                                  ,,
DigiCert High Assurance EV CA-1                              ,,
GlobalSign                                                   ,,
UTN - DATACorp SGC                                           ,,
Microsoft Secure Server Authority                            ,,
UniCERT Certificadora                                        ,,

Why all certificates (except the one that I installed) don't have
trust attributes? This lead me to a problem when signing the file:

$ nss-signtool -d . -l

Object signing certificates
---------------------------------------
COMPANYNAME LLC's Starfield Technologies, Inc. ID
    Issued by: Starfield Secure Certification Authority
    Expires: Mon Sep 19, 2011
    ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
certificate invalid)
---------------------------------------
For a list including CA's, use "signtool -L"


To get the file signed, I'm "cheating" and changing the trust
attributes of the GoDaddy/Starfield Secure Certification Authority to
",,C".

Anybody has an idea what is the problem here?

Thanks.
- Adriano Bonat
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Signing XPI

Reply via email to