[Freeipa-devel] Cannot create signed Firefox extension on a replica
Alexander Bokovoy
abokovoy at redhat.com
Tue Oct 9 11:51:54 UTC 2012
On Tue, 09 Oct 2012, Petr Viktorin wrote:
>While working on https://fedorahosted.org/freeipa/ticket/3150, I came
>across this scenario:
>
>I have a 2.2 master I don't want to upgrade. I want to create a 3.0
>replica from it.
>
>I found that when creating the replica file, the Signing-Cert (used
>to sign the browser config .jar and, newly, .xpi) is not included. It
>never leaves the original master. And the original master can't sign
>the extension because it's 2.2, so it only knows how to sign the old
>.jar (and only on install).
>
>Similarly, 2.2 replicas that get upgraded to 3.0 can't sign the new
>extension. And they don't even know which server has the "original"
>Signing-Cert, so even a trick like SSHing to it to steal the cert
>won't work.
>
>Old 2.2 installations where the original master was destroyed won't
>have the Signing-Cert at all any more.
>
>Am I right? I must admit my grasp of the code could be better.
>
>
>Can I generate a new signing cert in replica-install to sign the
>extension? Would that clash with the old one (and with ones from
>other replicas)?
>Can we distribute an unsigned extension?
We can distribute it unsigned.
But your question sparked another one: should we backport
Firefox extension work to 2.2? Since it is the client side that gets
upgraded to Firefox 15, chances are high that soon existing 2.2 installs
would not be manageable via browser on newer clients unless manually
configured.
--
/ Alexander Bokovoy