The context: I'm writing JavaScript to run an executable and tweak some registry entries on the client machine. I've signed the .JAR using SignTool and my company's Authenticode certificate, but running the script produces a dialog saying:

[Image: screenshot of the dialog]

There is no mention of the root certificate authority (in this case Comodo, I believe), so I could just as well have generated a self-signed certificate to put the company name string in the dialog.

My question is: is this all the user is meant to see? This example page at jar:http://www.mozilla.org/projects/security/components/signed-script-demo.jar!/signed-script-demo.html shows the same dialog, but there's still a lack of any "examine this certificate" link or mention of a root CA.

Are there any recent resources for writing signed scripts? The Mozilla pages are mostly several years old and many reference now-defunct documentation at developer.netscape.com.

-- Martin

+2  A: 

The code that runs those signed jars and elevates privileges hasn't changed in years either, so that documentation should be correct. The code hasn't really been touched because nobody on the web uses that stuff. Yes, I'm aware of the chicken-egg problem here with the crappy UI.

You could try filing a bug with Mozilla about this, but I'm not sure it'd get worked on (but patches would likely be welcomed).

sdwilsh