Software Update:MAR Signing and Verification

961 bytes added, 03:25, 15 April 2015
Added an implementation section
A MAR file verifies only if every signature on it verifies. For example, if a MAR has 3 signatures on it and only 1 of them verifies, the MAR does not verify.
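
The all-or-nothing rule above, as an added Python example that is not signmar or updater code. HMAC-SHA384 stands in for the RSA signature check, and `verify_all`, the index-matched key list and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac

# Stand-in primitive (assumption): HMAC-SHA384 replaces the RSA signature
# check so the example runs with the standard library only.
def sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha384).digest()

def verify_one(key: bytes, payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, payload), signature)

def verify_all(payload, signatures, keys):
    """Return (ok, failed_indexes); ok is True only if every signature verifies."""
    # An unsigned file must not pass: all() over an empty list is True,
    # so the empty case is rejected explicitly.
    if not signatures:
        return False, []
    # Assumption: signature i is checked against key i, so counts must match.
    if len(signatures) != len(keys):
        return False, list(range(len(signatures)))
    # Check every signature (no early exit) so all failures are reported.
    failed = [i for i, (k, s) in enumerate(zip(keys, signatures))
              if not verify_one(k, payload, s)]
    return not failed, failed

# Constructed sample: one payload signed by three signers.
PAYLOAD = b"constructed MAR contents"
KEYS = [b"key-one", b"key-two", b"key-three"]
GOOD = [sign(k, PAYLOAD) for k in KEYS]
# Only the first signature is valid; the other two are corrupted.
ONE_OF_THREE = [GOOD[0], b"\x00" * 48, GOOD[2][::-1]]

if __name__ == "__main__":
    print(verify_all(PAYLOAD, GOOD, KEYS))          # all three verify
    print(verify_all(PAYLOAD, ONE_OF_THREE, KEYS))  # 1 of 3 verifies: rejected
    print(verify_all(PAYLOAD, [], []))              # unsigned: rejected
```
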
 
==Creating an NSS db==
 
Create an NSS db:
 
mkdir foo && cd foo
certutil -d . -N
 
Enter a password for your NSS db, or if you're just testing things out, then leave it blank.
 
Next create a certificate called mycert:
certutil -S -d . -s "CN=My Cert" -n mycert -x -t ",,u" -g 2048
 
When certutil asks for keyboard input, continue typing characters until the progress bar is full.
 
 
Extract a DER file with your cert:
 
certutil -L -d . -n mycert -r > mycert.der
 
==Implementation==
 
MAR signing is always done with the signmar tool using NSS.
Verification happens in different ways depending on which platform you're on.
 
For Windows it uses the Windows Crypto API library.
For OS X it uses the Security Transforms API.
Everywhere else it uses NSS.
 
The decision not to use NSS everywhere was made early on, so that an NSS bug could not stop updates from working.
There is also a technical problem: we do not build NSS as a static library, which makes updates using NSS harder.