Closed Bug 194425 Opened 22 years ago Closed 1 year ago

Signed xpi test showing success in error

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: agracebush, Assigned: samir_bugzilla)


Details

Steps to reproduce: using build 2003022108, run the test for signed-badca.xpi. The cert is not displayed but the dialog returns 'success' -
-> dougt
Assignee: dveditz → dougt
dan, terry, mitch -- Consider the case when a user downloads a software install that is signed but the CA isn't present in that user's database. Should we just treat this install as "unsigned" or should we treat this install as "broken"?
I say we warn, but allow. Maybe bring up a dialog mentioning the signer and the CA, and saying that this is not a CA that we trust, but allow the option to continue with the install.
I agree. In general we allow the user to proceed with an operation after warning them that the security checks have failed. For SSL they can accept an untrusted host certificate. For S/MIME they can read and act on an email message even though the signature is broken. We should warn the user that the signer's certificate can not be validated and allow them to continue with the installation.
Currently, we say that the install is "unsigned".
It's not quite the same as unsigned - can we add dialog text specifically for the "invalid CA" case?
I agree that the application should have a dialog and overall better UI in regards to signed installs. Over to samir.
Assignee: dougt → sgehani
QA Contact: agracebush → xpi-engine
Product: Core → Core Graveyard
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE