New VeriSign Code Signing Certificate and old signtool.exe

10:42AM Jul 07, 2005 in category Technology by Jason Rumney

Our code signing certificates at work expired recently, and we got new ones from VeriSign. The IE cab file signing works fine, but jar file signing was failing. We sign our jar files with the old signtool.exe from Netscape, because the resulting jar works on the old version of Java shipped with Netscape 4.x, as well as the newer plugins.

I quickly diagnosed the problem to be an updated VeriSign CA certificate that the old signing tools did not recognize. Our new certificate was signed by VeriSign Class 3 Code Signing 2004 CA, which from the name, you'd guess has been in use for only the last 6 - 18 months.

Having diagnosed the problem, the solution seemed simple. Install the new CA certificate into signtool's certificate registry, and we're done. So I set about trying to find the CA certificate. This proved far more difficult than it should be, and is the reason why I decided to document this experience so others could benefit.

Clicking around VeriSign's website turned up nothing useful. Any parts of the site that looked like they might contain relevant information quickly took me to a form to enter all my details so a representative could contact me. I don't want to be annoyed by phone calls and emails from your sales droids, VeriSign, I already have a certificate, I just want it to work!

Next step was a Google search. One article I found pointed me to the root certificate download on VeriSign's site, which sounded promising, but alas, the Root certificate zip file did not contain the Code Signing 2004 CA.

Eventually, I gave up searching, and started to look more closely at what I had received from VeriSign. I had a Microsoft Code Signing certificate that worked, and a Netscape Object signing certificate that didn't. I opened up IE, and had a look at the certificate that had been installed (Tools menu/Internet Options, Content, Certificates). On the Details panel, I found what I had been looking for. One of the details is labeled Authority Information Access. Under there was a URL for downloading the CA certificate. After downloading that in Netscape, my code signing is now working again.
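The same Authority Information Access lookup can be done without a browser. The following is an added example, not code from the original post: a minimal DER walker that lists the AIA entries of a certificate. The function names are hypothetical, and the sample is a constructed extensions fragment with placeholder `example.test` URLs.

```python
# Added example: list the AIA URLs in a DER certificate, standard library only.
AIA = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1
OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
METHODS = {OCSP: "OCSP", CA_ISSUERS: "CA Issuers"}

def tlvs(data):
    """Yield (tag, value) for each DER element in data (single-byte tags)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                  # long form: low 7 bits = length size
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length

def find_aia(der):
    """Depth-first search for the Extension whose extnID is authorityInfoAccess."""
    for tag, value in tlvs(der):
        if tag & 0x20:                     # constructed: inspect its children
            kids = list(tlvs(value))
            if kids and kids[0] == (0x06, AIA):
                return kids[-1][1]         # contents of the extnValue OCTET STRING
            if (found := find_aia(value)) is not None:
                return found
    return None

def aia_urls(cert_der):
    """Return [(access method, URI)] from the AIA extension, [] if it is absent."""
    ext, out = find_aia(cert_der), []
    for _, seq in tlvs(ext or b""):        # AuthorityInfoAccessSyntax
        for _, desc in tlvs(seq):          # one AccessDescription each
            (_, method), (loc_tag, loc) = tlvs(desc)
            if loc_tag == 0x86:            # GeneralName [6]: URI
                out.append((METHODS.get(method, method.hex()), loc.decode("ascii")))
    return out

def tlv(tag, body):  # encode one DER element (short-form length, sample only)
    return bytes([tag, len(body)]) + body

# Constructed sample: the [3] extensions field of a certificate, holding only AIA.
SAMPLE = tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, AIA) + tlv(0x04, tlv(0x30,
    tlv(0x30, tlv(0x06, OCSP) + tlv(0x86, b"http://ocsp.example.test")) +
    tlv(0x30, tlv(0x06, CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/issuer.cer")))))))
```

For a real certificate, pass its DER bytes to `aia_urls`, for example from `ssl.PEM_cert_to_DER_cert(pem_text)`. The "CA Issuers" entry is the download URL for the issuing CA certificate.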


More XP SP2 problems

02:04PM Sep 18, 2004 in category Technology by Jason Rumney

Not only Chiko's laptop is having major problems with XP SP2. It seems mine is now getting a bluescreen error in arp1394.sys (firewire driver) every time I suspend it. I've been doing a lot of overnight compiling and downloading (latest Debian DVDs which took about 3 days to download) lately, so it took me a while to notice this. Two out of two computers with major problems after installing SP2. Just how much testing did Microsoft put this through? I'm thinking of sending them an invoice for the time I've wasted so far getting Chiko's PC back into a usable state.

Update 3/10/2004: As noted in the comments, the cause of the problem turned out to be Kerio Personal Firewall 4.1.0, which I'd upgraded to shortly after installing SP2. If you've found this page through Google because you are having the same problem, and have Kerio installed, try upgrading to 4.1.1 (or later if a newer version has come out by the time you read this).


Windows XP SP2 Network Problems

10:07AM Sep 17, 2004 in category Technology by Jason Rumney

Chizuko's laptop finally picked up XP SP2 off the Windows Update site on Wednesday night. I'd updated mine about a month ago, using the manual download, but after the minor problems I'd had with it (mostly due to it not detecting Kerio Firewall, and installing its own) I decided to leave hers for the Windows Update version.

After the update (again, I had to manually disable Windows Firewall because it did not detect Kerio), her PC was unable to load any web sites. Actually, that's not quite true. It loaded Google, so I knew her wireless card was working, but nothing else. I started trying to search for problems on Google, and using the Google cache to read them, but eventually I wanted to follow further links, so I grabbed my laptop and worked with one on each knee. None of my searches turned up anything relevant so I decided to document my findings here.

Because I could reach Google, I knew that the basic hardware and driver level of the network was working. I also figured out that DNS resolution was working for all sites. Knowing a bit about networking (what is the average user to do in this situation?) I suspected MTU problems. After searching for the method of changing the MTU, I set hers to 1452 (a number I pulled out of a hat, actually it was the lowest of several values I saw being recommended for people having DSL problems). After a reboot, everything was working happily again.

So what is different between my laptop, which worked, and hers that didn't?

  • Mine: XP Pro, Hers: XP Home
  • Mine: TI ACX100 based wifi card, Hers: Prism GT based Dlink DWL-G650 wifi card

Other things that might be relevant:

  • Access point is a Linux box with an Atheros based Dlink PCI card running the madwifi drivers in master mode.
  • Access to the internet is via a DSL modem connected to the Linux box, using PPPoA, and an MTU of 1500 (default).
  • Laptops are using a private address space (10.0.0.0/8) and the Linux box is NATing them to a static IP.

I don't know which of those is the key to the problem, but I'd say the wireless card is most likely. All I do know is that mine works with the default MTU (1500), as did hers before SP2 was installed. I guess I could try swapping the wireless cards, but I'll have to dig up the driver disks.
