<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Robert,<div class=""><br class=""></div><div class="">Ah right I see! So a build that didn’t specify a certificate will have used Mozilla’s certificates? I’m assuming from toolkit/mozapps/update/updater.</div><div class="">Therefore I’m guessing you can’t sign a MAR with those certificates and therefore can’t update that build?</div><div class=""><br class=""></div><div class="">Thanks for all the help so far,</div><div class="">Alex</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 27 Mar 2015, at 20:27, Robert Strong &lt;<a href="mailto:rstrong@mozilla.com" class="">rstrong@mozilla.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class="">Hi Alex,<br class=""><br class=""></div>It most definitely expects a specific certificate(s) and which certificate(s) it expects is set when the application is compiled. The applicable code:<br class=""><a href="http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/updater/archivereader.cpp" target="_blank" class="">http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/updater/archivereader.cpp</a><br class=""><br class=""></div>Robert<br class=""><br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Fri, Mar 27, 2015 at 1:03 PM, Alex Kontos <span dir="ltr" class="">&lt;<a href="mailto:alexboy94@msn.com" target="_blank" class="">alexboy94@msn.com</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class="">Good news, I managed to sign the MAR successfully with a cert I generated! 
Thanks for the advice. It looks like the NSS database was malformed, which caused it to throw out an error saying it can’t initialise the directory.</div><div class=""><br class=""></div><div class="">Bad news is that a test Firefox build updater is throwing failed 19 code, which is CERT_VERIFY_ERROR, right? Is the updater looking for specific certs?</div><div class=""><br class=""></div><br class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="h5"><div class="">On 27 Mar 2015, at 00:41, Alex Kontos &lt;<a href="mailto:alexboy94@msn.com" target="_blank" class="">alexboy94@msn.com</a>&gt; wrote:</div><br class=""></div></div><div class=""><div dir="ltr" style="font-family:Calibri;font-size:16px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><div class=""><div class="h5"><br class="">@Robert Strong<br class=""><br class="">Yes that worked fine and I verified the MAR was signed correctly with that test cert as well! Could there be something wrong with the NSS build I made? I've tried with different versions of NSS but they all give the same error message. Are the binaries used to make the test certificates available anywhere?<br class=""><br class="">@Brian Bondy<br class=""><br class="">Yes thanks those are the instructions I followed :). 
I'll look at that test as well, thanks.<br class=""><br class=""></div></div><div class=""><div class=""><div class="h5"><hr class="">From: <a href="mailto:bbondy@gmail.com" target="_blank" class="">bbondy@gmail.com</a><br class="">Date: Thu, 26 Mar 2015 00:04:35 -0400<br class="">Subject: Re: Can't sign MAR files on Windows<br class="">To: <a href="mailto:rstrong@mozilla.com" target="_blank" class="">rstrong@mozilla.com</a><br class="">CC: <a href="mailto:alexboy94@msn.com" target="_blank" class="">alexboy94@msn.com</a>; <a href="mailto:firefox-dev@mozilla.org" target="_blank" class="">firefox-dev@mozilla.org</a><br class=""><br class=""><div dir="ltr" class="">I didn't spot offhand what's wrong, but there are tests that run on Windows that do signing, so you can get ideas on how to run it here:<div class=""><a href="https://dxr.mozilla.org/mozilla-central/source/modules/libmar/tests/unit/test_sign_verify.js#23" target="_blank" class="">https://dxr.mozilla.org/mozilla-central/source/modules/libmar/tests/unit/test_sign_verify.js#23</a><br class=""></div><div class=""><br class=""></div><div class="">You can also find example usage of certutil here:</div><div class=""><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c1" target="_blank" class="">https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c1</a><br class=""></div></div><div class=""><br class=""><div class="">On Wed, Mar 25, 2015 at 6:05 PM, Robert Strong<span class=""> </span><span dir="ltr" class="">&lt;<a href="mailto:rstrong@mozilla.com" target="_blank" class="">rstrong@mozilla.com</a>&gt;</span><span class=""> </span>wrote:<br class=""><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex" class=""><div dir="ltr" class=""><div class=""><div class="">Hi Alex,<br class=""><br class=""></div>To narrow things down try signing with the test certificate in the tree as follows:<br class="">&lt;path_to_obj_dir&gt;\dist\bin\signmar.exe -d 
&lt;path_to_source_dir&gt;\modules\libmar\tests\unit\data -n mycert -s &lt;path_to_original_mar&gt;\mar_you_created.mar &lt;path_to_output_mar&gt;\output.mar<br class=""><br class=""></div><div class="">Also, signmar only supports SHA1 atm.<br class=""><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1105689" target="_blank" class="">https://bugzilla.mozilla.org/show_bug.cgi?id=1105689</a><br class=""><br class=""></div>Robert<br class=""></div><div class=""><br class=""><div class=""><div class=""><div class="">On Wed, Mar 25, 2015 at 1:17 PM, Alex Kontos<span class=""> </span><span dir="ltr" class="">&lt;<a href="mailto:alexboy94@msn.com" target="_blank" class="">alexboy94@msn.com</a>&gt;</span> wrote:<br class=""></div></div><blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex" class=""><div class=""><div class=""><div style="word-wrap:break-word" class="">I can’t seem to sign MAR files on Windows (haven’t tested other OSs). I’m using signmar.exe generated by the build, and I get the following error:<br class=""><br class=""><div class="">ERROR: Could not initialize NSS</div><div class="">ERROR: Could not init config dir: C:\NSScert</div><div class=""><br class=""></div><div class="">I’ve generated my certificates using certutil as defined in this <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c1" target="_blank" class="">bug</a>. 
I’ve tried using different versions of NSS as well to no amends.</div><div class=""><br class=""></div><div class="">Steps I followed:</div><div class=""><br class=""></div><div class=""><ol class=""><li class="">Generate MAR file (have tested MAR is valid as a build made with -disable-verify-mar accepts it)</li><li class="">certutil -N -d /c/NSScert</li><li class="">certutil -A -n test_cert -t "u,u,u" -i testcert.der -d /c/NSScert</li><li class="">certutil -L -d /c/NSScert (just to check, there is a valid output)</li><li class="">Attempt to sign MAR:</li><li class="">signmar -d /c/NSScert -n test_cert -s update.mar output_update.mar</li></ol><div class="">Which brings us to the error defined above.</div><div class=""><br class=""></div></div><div class=""><br class=""></div><div class="">The build is Visual Studio 2013 64-Bit, no changes at all, just default Firefox build. Is there a specific way I’m supposed to sign MAR files?</div></div><br class=""></div></div>_______________________________________________<br class="">firefox-dev mailing list<br class=""><a href="mailto:firefox-dev@mozilla.org" target="_blank" class="">firefox-dev@mozilla.org</a><br class=""><a href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank" class="">https://mail.mozilla.org/listinfo/firefox-dev</a><br class=""><br class=""></blockquote></div><br class=""></div><br class="">_______________________________________________<br class="">firefox-dev mailing list<br class=""><a href="mailto:firefox-dev@mozilla.org" target="_blank" class="">firefox-dev@mozilla.org</a><br class=""><a href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank" class="">https://mail.mozilla.org/listinfo/firefox-dev</a><br class=""><br class=""></blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>--<span class=""> </span><br class=""><div class="">Thanks,<br class="">Brian R. 
Bondy</div></div><br class=""></div></div></div></div></div></blockquote></div><br class=""></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>