[Freeipa-devel] Cannot create signed Firefox extension on a replica

Petr Vobornik pvoborni at redhat.com
Tue Oct 9 11:52:57 UTC 2012


On 10/09/2012 01:25 PM, Petr Viktorin wrote:
> While working on https://fedorahosted.org/freeipa/ticket/3150, I came
> across this scenario:
>
> I have a 2.2 master I don't want to upgrade. I want to create a 3.0
> replica from it.
>
> I found that when creating the replica file, the Signing-Cert (used to
> sign the browser config .jar and, newly, .xpi) is not included. It never
> leaves the original master. And the original master can't sign the
> extension because it's 2.2, so it only knows how to sign the old .jar
> (and only on install).
>
> Similarly, 2.2 replicas that get upgraded to 3.0 can't sign the new
> extension. And they don't even know which server has the "original"
> Signing-Cert, so even a trick like SSHing to it to steal the cert won't
> work.
>
> Old 2.2 installations where the original master was destroyed won't have
> the Signing-Cert at all any more.
>
> Am I right? I must admit my grasp of the code could be better.
>
>
> Can I generate a new signing cert in replica-install to sign the
> extension? Would that clash with the old one (and with ones from other
> replicas)?
> Can we distribute an unsigned extension?
>
>

Just some additional info:
  * The extension doesn't have to be signed to be installable. It just
    shows that the source is not verified.
  * The signing cert has a weird label (hostname?) "Object Signing Cert",
    which is really confusing when used in the Firefox dialog while
    installing the extension.
  * The signing cert doesn't auto-renew:
    https://fedorahosted.org/freeipa/ticket/3032

-- 
Petr Vobornik



