How do you sign an extension?
-
- Posts: 6
- Joined: June 28th, 2004, 12:39 pm
- Location: Bloomington, Minnesota
- Contact:
-
- Posts: 4864
- Joined: October 16th, 2003, 5:47 am
- Location: Somewhere in London, riding the Underground
http://www.mozdevgroup.com/docs/pete/Si ... n-XPI.html
In case this bookmark hasn't been posted yet - I found it in my bookmarks and wanted to share it with anyone wanting to learn more.
Proud user of teh Fox of Fire
Registered Linux User #289618
-
- Posts: 3
- Joined: May 21st, 2005, 7:02 am
- Location: Simferopol, Ukraine
Thanks to Pete's post on how he could sign the extension, I could do it by myself.
The only difference was that I used a valid certificate from Thawte.
NSS 3.9 comes with PKCS#12 support, so I could import a certificate previously prepared by Microsoft's pvkimprt.exe (instructions on how to use this are available at Thawte).
Then signtool made META-INF for me.
Of course it has a -Z switch to pack the jar, but who said that it will work for XPI? It will not.
You have to pack it by hand. I don't know how, but I could figure out that META-INF\zigbert.rsa has to be the first file in the XPI archive and the XPI must not contain zip entries for directories; only file entries are allowed.
At last I got the long-awaited message that the extension is signed by the certificate owner, and it installed successfully.
Many thanks to Jeff Klawiter, creator of the Al Bhed translator, for his explanations and extension as a premier.
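The packing rule Alexander describes (zigbert.rsa as the first entry, no directory entries) as an added example, not code from this thread or from signtool: a Python script that packs an XPI that way, packs the same tree the way a plain `zip -r` would for comparison, and checks an archive's layout before upload. SAMPLE_FILES is constructed placeholder content; the META-INF/manifest.mf and META-INF/zigbert.sf names are assumed from signtool's usual output and are not mentioned in the thread.

```python
import io
import zipfile

SIG_ENTRY = "META-INF/zigbert.rsa"  # the signature block signtool writes
SIGNING_FILES = ("META-INF/manifest.mf", "META-INF/zigbert.sf", SIG_ENTRY)  # assumed signtool output
# Constructed stand-in for an extension tree after signtool has written META-INF;
# the byte strings are placeholders, not real manifests or a real signature.
SAMPLE_FILES = {
    "install.rdf": b"<RDF>placeholder install manifest</RDF>",
    "chrome/content/overlay.xul": b"<overlay/>",
    "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
    "META-INF/zigbert.sf": b"Signature-Version: 1.0\n",
    SIG_ENTRY: b"PLACEHOLDER-PKCS7-SIGNATURE",
}

def build_signed_xpi(files, sig_entry=SIG_ENTRY):
    """Pack an XPI the way the thread says the installer needs it: the
    signature block is the very first entry and no directory entries are written."""
    if sig_entry not in files:
        raise ValueError(f"{sig_entry} missing: run signtool first")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(sig_entry, files[sig_entry])  # must be entry number one
        for name in sorted(files):
            if name != sig_entry:
                zf.writestr(name, files[name])  # writestr adds no directory entries
    return buf.getvalue()

def build_naive_xpi(files):
    """Pack the same tree the way a plain 'zip -r' would: directory entries
    first, then files in alphabetical order. This is the layout that fails."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for d in sorted({n.rsplit("/", 1)[0] + "/" for n in files if "/" in n}):
            zf.writestr(d, b"")  # explicit directory entry, as zip -r emits
        for name in sorted(files):
            zf.writestr(name, files[name])
    return buf.getvalue()

def check_xpi_layout(data, sig_entry=SIG_ENTRY):
    """Return a list of layout problems; an empty list means the archive looks installable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        first = infos[0].filename if infos else "<empty archive>"
        if first != sig_entry:
            problems.append(f"first entry is {first}, expected {sig_entry}")
        problems += [f"directory entry present: {i.filename}" for i in infos if i.is_dir()]
        names = {i.filename for i in infos}
        problems += [f"missing {f}" for f in SIGNING_FILES if f not in names]
    return problems
```

Running check_xpi_layout over an archive produced by a generic zip tool shows exactly which of the two rules it breaks, which is easier than guessing from the installer's "not signed" message.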
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact:
Alexander Daneeloff wrote:NSS 3.9 comes with PKCS#12 support, so I could import a certificate previously prepared by Microsoft's pvkimprt.exe (instructions on how to use this are available at Thawte).
Hehe, took me a while to find that!
Alexander Daneeloff wrote:Then signtool made META-INF for me.
Of course it has a -Z switch to pack the jar, but who said that it will work for XPI? It will not.
You have to pack it by hand. I don't know how, but I could figure out that META-INF\zigbert.rsa has to be the first file in the XPI archive and the XPI must not contain zip entries for directories; only file entries are allowed.
At last I got the long-awaited message that the extension is signed by the certificate owner, and it installed successfully.
Many thanks to Jeff Klawiter, creator of the Al Bhed translator, for his explanations and extension as a premier.
Similar here - I still think that the EM code is buggy. Sometimes it works, other times it doesn't. I found that it works more often when downloading the .xpi file and installing locally.
Would it be possible to publish Jeff's explanation somewhere (wiki?)
Cheers, mano
-
- Posts: 6
- Joined: June 28th, 2004, 12:39 pm
- Location: Bloomington, Minnesota
- Contact:
I suppose I could finish the tutorial and publish it in the wiki.
If you haven't figured it out yet, I'm Jeff ;)
I got a new job recently (well, 6 months ago...) and have been working on a website for The Commodores, yes the R&B band. I've been working 70+ hour weeks and my involvement in extension development has been nil other than a new idea I had last weekend for Thunderbird.
Most of my explanation came from posts on the XPInstall and crypto newsgroups on the mozilla.org server.
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact:
- Robert S.
- Posts: 4399
- Joined: April 24th, 2004, 3:04 am
- Location: Bay Area, CA
DerManoMann wrote:Similar here - I still think that the EM code is buggy. Sometimes it works, other times it doesn't. I found that it works more often when downloading the .xpi file and installing locally.
Possibly due to
#306354[Core]-xpi signature verification only looks in first chunk of data received [All]
It is actually the XPInstall code and not the EM code that reads the cert for extensions installed from the net, DnD, etc., though there is some EM code for reading the cert in 1.1+ when installing an extension as a dropped-in file.
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact:
-
- Posts: 244
- Joined: September 13th, 2005, 9:56 pm
- Contact:
Quick thought: why doesn't UMO sign extensions to indicate that they are genuine UMO extensions? I can see a few issues, but it seems to make sense, and they're already sponsored by XRamp so there'd be no financial outlay.
[Edited typo.]
Last edited by azzer on October 24th, 2005, 5:29 pm, edited 1 time in total.
-- FoxClocks
- BenBasson
- Moderator
- Posts: 13671
- Joined: February 13th, 2004, 5:49 am
- Location: London, UK
- Contact:
-
- Posts: 244
- Joined: September 13th, 2005, 9:56 pm
- Contact:
How so? Signing never guarantees that code is 'good' - merely its origin. You often see 'unofficial' versions of extensions; it would be helpful to distinguish these from the 'original'. Suppose such an extension causes problems or is even malicious (very unlikely, but we *are* discussing code signing here) - the code cannot then be attributed to code hosted on UMO. That's all.
-- FoxClocks
-
- Posts: 1899
- Joined: November 10th, 2002, 12:35 pm
- Location: Mexico / Boulder Co.
- Contact:
Best Cert to buy?
Can anyone recommend a good/cheap code signing cert I could buy?
Any suggestions, or what 'format' of the certificate I should get? (i.e. java, VB, MS object, etc.)
- wildman
- Posts: 222
- Joined: June 20th, 2003, 12:20 pm
- Location: Florida
Layers: Non-Repudiation, CheckSUMs & Cert Authority
Non-repudiation is the reason authors should sign their work. If the author signed the extension with a PGP/GPG key, and someone validated that key from a public keyserver, a web of trust could be built; then, if at a later date the code he submitted was found to be malicious, he would have a difficult time denying it. By signing the package, he has validated that it came from pristine sources - the original author. If a checksum was published, that too can be validated. He could change his name and generate new keys, but he could be tracked down too (IPs), or at least banned from submitting code with the same key. Some folks do care about their reputations even on the net; it is a deterrent and another layer of security.
For a nice GPG HOWTO on the web-of-trust subject look here... GnuPG Keysigning Party HOWTO
Cert Authority - http://www.openca.org/
There are ways to generate free certs, the linux community does this often...
Revoking them is another issue. So I agree, Mozilla should generate the CERT and validate the packages.
Securing Debian Manual Chapter 7 - Package signing in Debian
http://www.linuxsecurity.com/docs/harde ... h7.en.html
-
- Posts: 36
- Joined: December 2nd, 2004, 2:47 pm
- Location: Nottinghamshire, UK
- Contact:
Code Signing XPIs on Windows
I've just finished writing a comprehensive article on how to obtain, install, and use a code-signing certificate for XPI files on Windows.
I needed to do it myself so I could publish my first Firefox Extension, Firefox Shared Bookmarks. I took Pete Collin's article as a starting point and developed it into a novel
Code-signing Mozilla Firefox XPI extensions.
TJ.
-
- Posts: 244
- Joined: September 13th, 2005, 9:56 pm
- Contact:
Well TJ, that just worked flawlessly for me, up to and including step 13. Now I need a _real_ certificate: the one from Unizeto Certum seems to be perfect for anyone reading this thread (free for open source, and the root cert is installed in Firefox and Thunderbird, and presumably other Mozilla apps.)
Great work! Completely painless for Windows developers with Cygwin.
Andy
-- FoxClocks