536377 - configure should enforce a minimal ckbi version

Status: RESOLVED WONTFIX

(Firefox Build System :: General, defect)

Description

[Wladimir Palant]

I am currently getting reports about Adblock Plus 1.1.2 (signed with a StartCom certificate) not being installable in Firefox/SeaMonkey on some Linux distributions ("signing could not be verified"). This is despite requiring at least Firefox 3.0.12 (first Firefox version to come with ckbi 1.75 meaning that the certificate store allows StartCom Certification Authority for code signing). The problem is apparently that the Firefox builds for these distributions use system's NSS library which features an outdated ckbi version. This has been confirmed for at least Gentoo and PCLinuxOS. The minVersion setting in extension's install.rdf is effectively worthless because even current Firefox versions might be using an outdated certificate store.

Shawn Wilsher suggested that the configure script enforces a particular version of ckbi - e.g. 1.75 for Firefox 3.0/3.5 and 1.77 for Firefox 3.6. From what I can tell, right now only NSS version is checked (>= 3.12.0) - that is certainly not enough to ensure consistency across platforms, the first version to "officially" come out with ckbi 1.75 is 3.12.3.1. But ckbi is more or less independent from NSS version anyway so it makes sense to check for it directly.

Comment 1

[Wladimir Palant]

Given that Mozilla is the only one to sign extensions at this point, this issue should no longer be relevant.