
Possible issue with XPISigner and Firefox 4

Some xpi archives signed with xpisigner are failing to be verified in Firefox 4.

Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

The signatures themselves appear to be correct; the failure appears to come from chaining through intermediate certificates.

This is being investigated now, and I should have an update tomorrow.

  1. May 4th, 2011 at 23:02 | #1

    Kevin, is there any update on this? I’m seeing similar behaviour installing a signed XPI in some, but not all, FF3.6 instances with an XPI signed with a newly signed code-signer cert from Verisign. I generated my Authenticode PFX after reading this https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO16958, so that the PFX has all elements in the cert path, verified using ‘openssl pkcs7 -print_certs -inform der -in zigbert.rsa’. I don’t have any visibility into why the install is failing on some machines but not others. But I can make the install problem go away if I check the ‘This certificate can identify software makers’ checkbox on the ‘VeriSign Class 3 Public Primary Certification Authority – G5’ cert with SHA-1 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5.

  2. May 5th, 2011 at 02:09 | #2

    And I see this in the JavaScript console: “Signature Verification Error: the signature on this .jar archive is invalid because the certificate used to sign this file has an unrecognized issuer.”

  3. Manish
    May 10th, 2011 at 19:40 | #3

    I am getting the same issue

    Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

    Any way to get over this? Thanks.

  4. May 10th, 2011 at 20:32 | #4

    Can you send me a link to your signed xpi? or email it to support @ quinagh(dot)com

  5. May 10th, 2011 at 20:46 | #5

    @Paul, it may be worth rebuilding your certificate chain. It looks like it might be missing an intermediate cert or be mis-identifying a similar non code signing cert.

    Download any intermediate certs from your CA then import and re-export your private key (to a new p12/pfx).

    From another user who ran into this issue:
    “I think you might be interested how we solved the problem. Thawte sent to us the public part of the Code Signing CA – G2 certificate. It was issued by Premium Server CA. I processed (import/export) our key and now it works.”
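
Added example, not part of the original post or of XPISigner: a check for the chain gap discussed in comments #1 and #5. It reads the PKCS#7 blob stored as zigbert.rsa with a small DER parser and returns every issuer name that no embedded certificate supplies. Assumptions: definite-length DER only, names compared byte-for-byte, and the sample blobs are constructed skeletons.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split constructed content into (tag, content, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out

def missing_issuers(p7_der):
    """Issuer Names (raw DER) that no certificate embedded in the PKCS#7 has as subject."""
    signed = children(children(read_tlv(p7_der, 0)[1])[1][1])[0][1]
    subjects, issuers = set(), set()
    for body in (b for tag, b, _ in children(signed) if tag == 0xA0):  # [0] certificates
        for _, cert, _ in children(body):
            tbs = children(children(cert)[0][1])
            tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # optional [0] version
            issuers.add(tbs[2][2])
            subjects.add(tbs[4][2])
    return sorted(issuers - subjects)

# Everything below builds a constructed sample: certificate skeletons, no keys or signatures.
def tlv(tag, *parts):  # minimal DER encoder; sample elements stay under 256 bytes
    body = b"".join(parts)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def name(cn):  # Name holding one commonName (OID 2.5.4.3) attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03", tlv(0x0C, cn.encode()))))

def toy_p7(*pairs):  # one skeleton certificate per (subject CN, issuer CN) pair
    certs = [tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), tlv(0x30), name(i), tlv(0x30), name(s)))
             for s, i in pairs]
    signed = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x31), tlv(0x30), tlv(0xA0, *certs), tlv(0x31))
    return tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02", tlv(0xA0, signed))

LEAF, INTER, ROOT = "Example Publisher", "Example Code Signing CA", "Example Root CA"
BROKEN = toy_p7((LEAF, INTER))                  # intermediate certificate left out
REBUILT = toy_p7((LEAF, INTER), (INTER, ROOT))  # only the root is left to the browser
```

On a real archive, pass the bytes of zigbert.rsa to `missing_issuers`. After a correct rebuild the only name left should be the root, which the browser has to hold itself with the software-makers trust setting that comment #1 describes.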

  6. Greg
    June 17th, 2011 at 13:59 | #6

    I am currently having an issue where my extension's toolbar button icon (and in customize etc) does not display in Firefox 4 if my extension is signed with the XPISigner. Any ideas on that? Works fine in 3.5 or in 4.0 if not signed with XPISigner. Thank you.

  7. June 17th, 2011 at 17:04 | #7

    I no longer have the time to maintain this or investigate the differences in Firefox 4.

    The source for the tool is available at http://code.google.com/p/xpisigner/

    regards

    kevin
