Still not signing correctly. :(

InstallShield is its own separate thing. Newer versions use the
Microsoft Installer (MSI) capability, but it is still made by Acresso
(spun off from Macrovision).

http://kb.acresso.com/doc/DocumentRepository/Installation/InstallShield/InstallShield%202009%20Express/01_Public/Product%20Manual/InstallShieldExpressEditionUserGuide.pdf

page 478 (sequential page 502) refers to "signing for Netscape Communicator".

-Kyle H

Yes, this is a basic overview of the process for anyone interested in
the problem. Thanks!

Thanks to David and Kyle for supplying information about InstallShield
and its use of NSS for making Netscape Communicator compatible installers.
Does your software become part of the browser itself, and run in the browser
as a browser extension or plug-in? Or are you merely trying to use the
browser to download a file that will then be installed as a free-standing
Windows application?

This is important because the XPI download feature for which NSS's signtool
makes signed JAR/XPI files is intended only for installing files that become
part of the browser itself. It is not intended to be used as a
general purpose installer for Windows software that does not run as part
of the browser.

If you're trying to download a program that does not run as part of the
browser, but runs independently as a separate Windows program, then you
really don't want to use XPI files for that purpose, IMO. In that case,
you just want to download whatever kind of installer package is used by
windows to install the package into windows. You just want to use the
browser as a file downloader, which does not require that they be XPI
files.

As I recall, one of the really important features of InstallShield is its
ability to make packages that will uninstall cleanly after they've been
installed, and can be uninstalled using Windows' "add/remove software"
control panel. Things that are installed as XPIs are managed by Firefox's
addon manager.
So, apparently, InstallShield has a feature to make installers that are
compatible with Netscape Communicator (NC). Firefox (FF) is not built on
top of NC, although it does support many old features of NC. FF is
actively being developed, but AFAIK, Netscape browsers are no longer
being developed and have not been for years now. So, today, you should
be targeting FF, not NC.

FF has different requirements for installable downloads than NC had.
FF requires XPI files, which are special JAR files. NC required ordinary
JAR files. All XPI files are JAR files, but not all JAR files are XPI
files. NC required JAR files to be signed, IIRC, but FF does not require
XPI files to be signed.

Based on what I've read here, I gather that InstallShield is using a 6+
year old version of NSS to build JAR files for installation by a 6+ year
old NC browser that is no longer made. I was surprised to find that the
documentation to which Kyle pointed me is dated in 2009, yet it still
refers to Netscape and not to Mozilla or Firefox. I gather that
InstallShield is insisting on generating signed JARs because that is what
NC wanted, even though FF does not require them. Perhaps the customers
who are paying for that software should request that it be brought up to
date.
I'm pretty amazed that they didn't at least supply a set of those files
that they have tested and know to work with their own product.

There are (at least) 3 directories involved:
- the directory where the executables and DLLs should be placed,
- the directory where the .db files (e.g. cert and key DBs) should go, and
- the directory which is the "root" of the JAR/XPI file being built.
These should generally all be separate directories. The executables should
go in "Program files", probably in the same directory as InstallShield's
own executables and DLLs. The .DB files should probably go into a directory
somewhere under "My Documents", and the root of the JAR file
should probably go in some "temp" directory. In your case, it's probably
important that the files go wherever InstallShield expects to find them,
but do take care that the DB files don't end up in the root JAR directory
or any subdirectory thereof.
Once you have your code signing certificate and private key properly
installed in the DB files, then it might.
:( That's most unfortunate, IMO. If there was a problem with signtool,
you can be sure that any new "fixed" version would not work with cert7,
but would work with cert8 or cert9.
:(
:( IMO, it is reasonable that you would supply your own code signing cert
and private key, but beyond that...
-d specifies the directory where the DBs live, but after that you must
also supply the name of the directory that is the root of the files to
be placed into the generated JAR.

It's not part of the browser, and it's not an extension or a plug-in.
All it does is path to the MSI and CAB files stored on the server. These
are downloaded and the installer runs and installs our software. Again,
it's a standalone Windows application.
This is correct. XPIs are not involved in this process. The browser is
only used as a file downloader, as you said.
I wish it was that simple. The only options in the newest version of
InstallShield are "IE Only" and "IE and Netscape". It does not mention
Firefox explicitly. I could be completely wrong, as I'm not a developer,
but since Firefox was built on Netscape technology and this is the
latest version of InstallShield, this would be the correct option if
it's supported in Firefox at all. Or is that just wishful thinking?
This request is officially in!
Because of legal issues, InstallShield cannot redistribute third party
software. This is very common (it affects my company as well). However,
that should not stop them from providing solid documentation on the
process, as well as suggesting exactly which versions of the NSS and
NSPR packages to download from Mozilla. My company is very small and we
do this for our customers. I really expected better from a company that
is its industry's leader.

In related news, as of last month, Firefox has become the most common
web browser, beating out IE in market share, 45.5% to 44.8%, according
to http://www.w3schools.com/browsers/browsers_stats.asp

While this is cause for celebration, we all hope that software vendors
will catch up to reality and do their best to add full support for the
best products on the market.
The installer builds a Release Folder, where all of the files go after a
build, whether the process was successful or not. I'm not sure where
the JAR would actually go. It would be created by InstallShield, but it
stops at the point of failure and does not continue the build.
I've tried a temporary folder, something like -d c:\buildhereplease but
signtool gave me the same old usage directions.

Thanks again!
David

And now...

Loading Image...
This shows that I have to create the DBs using certutil -N -d . first or
I get the security authorization error when attempting to create the
certificate. So I delete the DBs, create new empty ones, then create a
certificate using trust flag ",,P" (also tried ",,C"), then it prompts
for the password for "NSS Certificate DB", which is presumably what I
typed in when doing certutil -N -d .

Loading Image...
This shows that the certificate was created inside the database. I then
closed Mozilla products and ran signtool. -d was still causing problems,
but when I left it out, it complained with the same error. I think it
doesn't understand the directory "." which I'm sort of forced to use
because it doesn't like "-d ."

Maybe a newer version of signtool won't be such a little bitch about it.

David

It's unfortunate that signtool doesn't do a better job of telling you
what's wrong with the command when it outputs the usage message.
In this case, the final argument is missing. The final argument is
the path name of the directory that will be the "root" directory of
the JAR file it creates. Note that, in general, this should not be
the same directory that contains the DB files.

This could be the release folder...I'll give it a try.