Closed Bug 975776 Opened 11 years ago Closed 11 years ago

Cert error override processing doesn't detect expiration of a certificate that was signed with a disabled signature algorithm

Categories

(Core :: Security: PSM, defect)

RESOLVED INVALID

People

(Reporter: briansmith, Unassigned)

Details

From my modifications to test_cert_overrides.js:

// XXX(Bug XXXXXX): SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
//
// The trust bits should be:
//    Ci.nsICertOverrideService.ERROR_UNTRUSTED |
//    Ci.nsICertOverrideService.ERROR_TIME
// but both the NSS-based and insanity::pkix-based verification only set
// ERROR_UNTRUSTED.
add_cert_override_test("md5signature-expired.example.com",
                       Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                       getXPCOMStatusFromNSS(
                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));

Since this bug is not a regression caused by insanity::pkix, it isn't an insanity::pkix blocker.

In the review of the patch in bug 975122, David Keeler found that there was an error in the generation of the test certificate. This is actually working as intended.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID