Closed Bug 591870 Opened 14 years ago Closed 14 years ago

New Thawte Intermediate Code Signing Certificate Authority is not installed

Categories

(Core :: Security: PSM, defect)

defect
Not set
major

RESOLVED DUPLICATE of bug 321156

People

(Reporter: michael, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0b4) Gecko/20100818 Firefox/4.0b4
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b4) Gecko/20100818 Firefox/4.0b4

As of July 15, 2010, Thawte uses a new Intermediate Code Signing Certificate Authority in the .xpi signing chain. Firefox 4.0beta4 and earlier do not have this CA installed, and therefore signing .xpi extensions with a Thawte Code Signing certificate does not work.

Reproducible: Always

Steps to Reproduce:
Browse to https://www.eazypaper.com/binary/EazyPaperZoteroIntegrationSigned.xpi
 - This .xpi file has been signed with a Thawte Code Signing Certificate issued after July 15, 2010 (i.e., it depends on the new Thawte Code Signing Certificate Authority)

Actual Results:
Firefox 4.0beta4: Author is not verified (i.e., the .xpi file appears to be unsigned)

Firefox 3.6.8 and earlier: EazyPaper Inc. is verified as the signer, but installation fails with error -260 "because: Signing could not be verified."

Expected Results:
EazyPaper Inc. is verified as the signer and the extension installs

To prove that the problem is with the lack of the Thawte Intermediate Code Signing Certificate Authority, install it by:

1) Following the instructions of https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1382
2) Firefox->Tools->Options->Advanced->Encryption->View Certificates->Import->(The certificate you just downloaded in 2.1, default is intca.cer)
3) Check "Trust this CA to identify software developers" and click OK
4) Browse to https://www.eazypaper.com/binary/EazyPaperZoteroIntegrationSigned.xpi and note that the bug is fixed for all versions of Firefox from 3.0 to 4.0beta4 inclusive

Intermediate certificates are not in the Mozilla root. Websites have to include the whole certificate chain including the intermediate certificate, but I don't know if this is possible if you sign XPIs.

Component: Extension Compatibility → Security: PSM
Product: Firefox → Core
QA Contact: extension.compatibility → psm

Seems like a known problem.

See https://developer.mozilla.org/en/Signing_a_XPI
and search for "intermediate".
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
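
The chain gap discussed in this thread can be checked on the signer's side before publishing. The following is an added example, not code from the bug thread or from Mozilla: it lists the issuer Names that a PKCS#7 signature block neither bundles nor finds in the verifier's trust store. It assumes definite-length DER and byte-for-byte Name comparison; all function names and the sample blobs are constructed for illustration.

```python
def tlv(buf, pos=0):
    """Read one DER element at pos: (tag, value bytes, end offset)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(element):
    """Raw child elements (headers included) of one constructed DER element."""
    value, out, pos = tlv(element)[1], [], 0
    while pos < len(value):
        end = tlv(value, pos)[2]
        out.append(value[pos:end])
        pos = end
    return out

def bundled_names(pkcs7):
    """(subject, issuer) raw DER Names for each certificate in a SignedData."""
    signed_data = children(children(pkcs7)[1])[0]    # ContentInfo -> [0] -> SignedData
    names = []
    for field in children(signed_data):
        if field[0] == 0xA0:                         # [0] certificates
            for c in children(field):
                tbs = children(children(c)[0])       # Certificate -> tbsCertificate
                i = 1 if tbs[0][0] == 0xA0 else 0    # skip optional [0] version
                names.append((tbs[i + 4], tbs[i + 2]))
    return names

def missing_issuers(pkcs7, trusted_subjects):
    """Issuer Names neither bundled in the signature nor in the trust store."""
    names = bundled_names(pkcs7)
    known = {subject for subject, _ in names} | set(trusted_subjects)
    return sorted({issuer for _, issuer in names if issuer not in known})

# Constructed sample data: placeholder names in minimal DER, not real certificates.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body            # short-form length, body < 128 bytes
def name(cn):
    return der(0x30, der(0x0C, cn))
def cert(subject, issuer):
    return der(0x30, der(0x30, der(0x02, b"\x01"), der(0x30), name(issuer),
                         der(0x30), name(subject)))
def sample_pkcs7(*certs):
    sd = der(0x30, der(0x02, b"\x01"), der(0x31), der(0x30), der(0xA0, *certs), der(0x31))
    return der(0x30, bytes.fromhex("06092a864886f70d010702"), der(0xA0, sd))

LEAF_ONLY = sample_pkcs7(cert(b"signer", b"intermediate"))
WITH_CHAIN = sample_pkcs7(cert(b"signer", b"intermediate"), cert(b"intermediate", b"root"))
```

For a signed XPI the input would be the PKCS#7 file stored under META-INF/ (JAR-style signing is an assumption here; the thread does not name the file), and `trusted_subjects` the subject Names of the CAs the verifier trusts for code signing.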