More extension signing adventures · 2009-12-21 11:22 by Wladimir Palant
Things got significantly better since the last time I tried to sign Adblock Plus. Firefox 3.5.6 will now show my name instead of “Author not verified” even if the organization field of the certificate is empty (thanks, Boris). And StartCom certificates are accepted by all main applications that Adblock Plus needs to support (meaning Firefox 3.0 starting with 3.0.12, Firefox 3.5/3.6/3.7, SeaMonkey 2.0 and Thunderbird 3.0). So I started signing development builds again and even released Adblock Plus 1.1.2 as a signed XPI a little more than a week ago.
And the catch? Well, some people still report seeing “Signing could not be verified” error when trying to install Adblock Plus. Wait, but this should not happen because all supported application versions come with an NSS version that has an up-to-date certificate store! But do they really? Ah, there are those Linux distributions that come with their own copy of NSS. The good news: official Firefox and SeaMonkey builds generally don’t depend on system’s NSS library. The bad news: the builds from distribution’s app store usually do depend on it. And that dependency typically requires only some version >= 3.12. For reference: NSS 3.12 was released in June 2008. The first NSS version to allow StartCom certificates for code signing was NSS 220.127.116.11 (July 2009). So as long as some Linux distribution ships with an outdated NSS version some people will always have trouble installing Adblock Plus.
Commenting is closed for this article.