So you want to sign your XPI package?

Pete Collins, founder of the Mozdev Group, writes:
After a couple of days of pain, I've decided to write up a doc on how I was able to successfully sign an xpi using a test cert. For no better reason than I know I will forget by next week and honestly I wouldn't want to wish the pain I endured doing this on others. These docs are focused on Unix'y type systems. This doc is intended as an exercise to show how to sign an XPI package; you will need to obtain a valid certificate from an established certificate authority (CA) such as Verisign if you want to distribute signed XPI packages.
Read more

February 24, 2005 05:37 PM | Posted in Mozilla



3 Comments

could also be interesting to get a free certificate to do this? Found this through which was referenced yesterday by /.

Comment by Martijn (MozBrowser) at February 24, 2005 11:23 PM | Permalink

Speaking of CAcert, here's what you do if you want to obtain a code-signing cert, and then actually use it to sign an XPI package:

0. Follow Pete's advice to obtain the nss utilities executables. But don't use them to make your own certs...
1. First, get a CAcert personal (client) cert, which is easy.
2. Get your name on it, via their "web of trust", which means show ID to Assurers, or use the TTP (Trusted Third Party) forms, and use Lawyers, or Accountants. Whatever you do, however you do it, get at least 100 points (at least 3 max-point assurers, or go the TTP route for 150 points). The TTP route could take a few months, as forms (at least when I did it) had to be sent to Australia via post.
3. Send an email, attach an image of your IDs which you used for your assurance, and ask for code-signing privilege.
4. Wait up to 3 months for the reply. You may/may not get a letter from the person processing your request, but you will get a letter inviting you to pick up your code-signing cert, with a link to click on. (As to processing time, it might take less time... sometimes, they get a backlog...)
5. You need to go to the CAcert org and log in, and then view your personal certs, and get a new email cert. With code-signing enabled, you'll see the check-box to include this privilege in the cert. Check it and import the new cert into your browser.
6. Now, go to the command line and your home dir, and find . -name key3.db
If all goes well, you should find one or more in your .mozilla directory...
... maybe you'll find several.
7. Find the db that contains your code-signing cert via the command:

signtool -L -d /home/whatever/.mozilla/firefox/m27fe0ff.default
and look for the entry marked with an asterisk:

CLASE B-1 ipsCA-IPS Seguridad - IPS Seguridad CA
* Joe Normal's Root CA ID
Joe Alfred Normal's Root CA ID
Builtin Object Token:Verisign/RSA Secure Server CA

8. Having found the code-signing cert, you can now use it to sign. Following Pete's directions to explode your unsigned XPI, you then use signtool like this:

signtool -d /home/whatever/.mozilla/firefox/m27fe0ff.default -k "Joe Normal's Root CA ID" -p "your password" exploded-xpi-dir/

And, if all goes well, you'll end up with no error messages, and the META-INF dir and files created. Then, pack up the signed XPI as directed by Pete.

Other Certificate Authorities will most likely follow similar flows, take less time, but cost more money. Maybe much, much more money.

And of course the CAcert root CA cert will have to be loaded into the browser to test the signing. Paying your money for Verisign, Thawte, etc, will also avoid users having to load any root certificates to get verification.

Comment by Steve Murphy at July 20, 2005 10:15 PM | Permalink
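
Added example (not part of Steve Murphy's comment or of Pete's document): a shell helper for steps 6 and 7 above that finds every directory holding a key3.db and prints the nicknames that signtool -L marks with an asterisk. It assumes the NSS signtool is on PATH; the function names are this example's own, and the sample listing is the one shown in the comment.

```shell
#!/bin/sh
# Added example: automate steps 6-7 (locate NSS databases, pick out
# certificates that signtool reports as usable for object signing).

# Read a `signtool -L` listing on stdin and print only the nicknames
# whose line starts with an asterisk (the signing-capable certificates).
signing_nicknames() {
    sed -n 's/^[[:space:]]*\*[[:space:]]\{1,\}//p'
}

# Step 6: print every directory under $1 that contains a key3.db.
find_cert_dbs() {
    find "$1" -name key3.db -exec dirname {} \; 2>/dev/null
}

# Step 7: for each database found under $1, print "directory<TAB>nickname"
# for every signing-capable certificate in it.
list_signing_certs() {
    find_cert_dbs "$1" | while IFS= read -r db; do
        signtool -L -d "$db" 2>/dev/null | signing_nicknames |
            while IFS= read -r nick; do
                printf '%s\t%s\n' "$db" "$nick"
            done
    done
}

# Sample listing, copied from the comment above, for trying the parser
# without a real certificate database.
sample_listing() {
    cat <<'EOF'
CLASE B-1 ipsCA-IPS Seguridad - IPS Seguridad CA
* Joe Normal's Root CA ID
Joe Alfred Normal's Root CA ID
Builtin Object Token:Verisign/RSA Secure Server CA
EOF
}

# Run as: sh thisfile.sh "$HOME"   (does nothing when no argument is given)
if [ -n "${1:-}" ]; then
    list_signing_certs "$1"
fi
```

The directory and nickname it prints are the values to pass to signtool's -d and -k options in step 8. Note that a password given with -p on the command line ends up in shell history and is visible in the process list while signtool runs.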

The read more link is dead, but it was archived:

Comment by Archimerged Submedes at January 15, 2007 10:21 PM | Permalink
