Resurrecting --enable-online-update-mar

[Stephan Bergmann]

On 12/21/23 09:49, Stephan Bergmann wrote:
> On 12/20/23 22:52, Stephan Bergmann wrote:
>> On 12/15/23 13:53, Stephan Bergmann wrote:
>>> @Cloph:  We'll need to find a way to specify a certificate there for 
>>> TDF builds that enable that feature.
>>
>> ...but we'll still need to pass an appropriate 
>> --with-online-update-mar-certificateder=... into such builds, ideally 
>> for the upcoming LO 24.2.0 RC1 builds.
> 
> To make that more explicit:  We need an X509 rsa:2048 cert with which we 
> will sign the update.mar files that we will generate in the future, and 
> now we need a file containing the DER representation of that cert's 
> public key, and we need to pass the pathname for that DER file into the 
> --enable-online-upate-mar Windows build with 
> --with-online-update-mar-certificateder=...
> 
> (To generate my test cert and DER file, I did something like
> 
> $ openssl req -x509 -newkey rsa:2048 ...
> $ openssl x509 -outform DER -in cert.pem -out cert.der
> 
> and then configured 
> --with-online-update-mar-certificateder=C:/.../cert.der)

Sorry, I made a mistake in the above; with the new code from Mozilla we 
now need an rsa:4069 cert, not an rsa:2048 one.

For new builds, can you please use a fresh certificate generated with 
`rsa:4096`?