How do you sign an extension?

Talk about add-ons and extension development.
freakyfreak
Posts: 6
Joined: June 28th, 2004, 12:39 pm
Location: Bloomington, Minnesota

Post by freakyfreak »

As long as you make sure the files are placed in the .xpi file the same way it should work.
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

http://www.mozdevgroup.com/docs/pete/Si ... n-XPI.html

In case this bookmark hasn't been posted yet - I found it in my bookmarks and wanted to share it with anyone wanting to learn more.
Proud user of teh Fox of Fire
Registered Linux User #289618
Alexander Daneeloff
Posts: 3
Joined: May 21st, 2005, 7:02 am
Location: Simferopol, Ukraine

Post by Alexander Daneeloff »

Thanks to Pete's post on how he could sign the extension, I could do it myself.
The only difference was that I used a valid certificate from Thawte.
NSS 3.9 comes with PKCS#12 support, so I could import a certificate previously prepared with Microsoft's pvkimprt.exe (instructions on how to use this are available at Thawte).
Then signtool made META-INF for me.
Of course it has a -Z switch to pack the jar. But who said that it will work for an xpi? It will not.
You have to pack it by hand. I don't know how, but I could figure out that META-INF\zigbert.rsa has to be the first file in the xpi archive, and the xpi must not contain zip entries for directories; only file entries are allowed.
At last I got the long-awaited message that the extension is signed by the certificate owner, and it installed successfully.
Many thanks to Jeff Klawiter, creator of the Al Bhed translator, for his explanations and his extension as a primer.
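The packing rules described in the post above (META-INF/zigbert.rsa must be the first entry, and the archive must contain no directory entries) are easy to get wrong with a generic zip tool, which is what the -Z switch complaint is about. The following is an added example, not code from this thread, from Pete's article or from Jeff's tutorial: a small Python script that packs a signtool-prepared directory in the required order and checks an existing .xpi against the same two rules. The META-INF contents and file names below are constructed placeholders standing in for real signtool output.

```python
import io
import os
import zipfile

# Constructed sample extension (assumption: a minimal XPI layout).  The
# META-INF files would normally be produced by NSS signtool; here they are
# placeholder bytes so the packaging logic can be exercised offline.
SAMPLE_FILES = {
    "install.rdf": b"<RDF/>",
    "chrome/content/overlay.xul": b"<overlay/>",
    "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
    "META-INF/zigbert.sf": b"Signature-Version: 1.0\n",
    "META-INF/zigbert.rsa": b"\x30\x82\x00\x00",  # placeholder PKCS#7 blob
}

# The signature block must come first so the installer finds it in the
# first part of the stream; .sf and .mf follow, then everything else.
SIGNATURE_ORDER = ("META-INF/zigbert.rsa", "META-INF/zigbert.sf",
                   "META-INF/manifest.mf")


def ordered_names(names):
    """Signature files first, in SIGNATURE_ORDER, then the rest sorted."""
    rest = sorted(n for n in names if n not in SIGNATURE_ORDER)
    return [n for n in SIGNATURE_ORDER if n in names] + rest


def files_from_dir(root):
    """Read a signtool-prepared directory into {archive name: bytes},
    using forward slashes in archive names regardless of platform."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            arc = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[arc] = fh.read()
    return out


def build_xpi(files):
    """Write an XPI into memory.  zigbert.rsa is the first entry, and
    because only file names are passed to writestr, no directory entries
    are ever emitted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ordered_names(files):
            zf.writestr(name, files[name])
    return buf.getvalue()


def check_xpi_layout(data):
    """Return (ok, reason) for the two layout rules from the post."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if not infos or infos[0].filename != "META-INF/zigbert.rsa":
        return False, "first entry is not META-INF/zigbert.rsa"
    dirs = [i.filename for i in infos if i.filename.endswith("/")]
    if dirs:
        return False, "directory entries present: " + ", ".join(dirs)
    return True, "ok"


def build_naive_xpi(files):
    """What a generic zip tool tends to do: alphabetical order plus an
    entry for every directory.  Included only to show the checker
    rejecting that layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        seen = set()
        for name in sorted(files):
            parts = name.split("/")[:-1]
            for i in range(1, len(parts) + 1):
                d = "/".join(parts[:i]) + "/"
                if d not in seen:
                    zf.writestr(d, b"")
                    seen.add(d)
            zf.writestr(name, files[name])
    return buf.getvalue()


if __name__ == "__main__":
    good = build_xpi(SAMPLE_FILES)
    bad = build_naive_xpi(SAMPLE_FILES)
    print("ordered build:", check_xpi_layout(good))
    print("naive build:  ", check_xpi_layout(bad))
```

To pack a real signtool output directory, replace SAMPLE_FILES with files_from_dir("path/to/signed-dir") and write the bytes returned by build_xpi to your .xpi. check_xpi_layout is also useful on an archive produced by any other tool before uploading it, since an installer that rejects the layout typically just reports the extension as unsigned.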
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post by DerManoMann »

Alexander Daneeloff wrote: NSS 3.9 comes with PKCS#12 support, so I could import a certificate previously prepared with Microsoft's pvkimprt.exe (instructions on how to use this are available at Thawte).

Hehe, took me a while to find that!

Alexander Daneeloff wrote: Then signtool made META-INF for me.
Of course it has a -Z switch to pack the jar. But who said that it will work for an xpi? It will not.
You have to pack it by hand. I don't know how, but I could figure out that META-INF\zigbert.rsa has to be the first file in the xpi archive, and the xpi must not contain zip entries for directories; only file entries are allowed.
At last I got the long-awaited message that the extension is signed by the certificate owner, and it installed successfully.
Many thanks to Jeff Klawiter, creator of the Al Bhed translator, for his explanations and his extension as a primer.


Similar here - I still think that the EM code is buggy. Sometimes it works, other times it doesn't. I found that it works more often when downloading the .xpi file and installing locally.

Would it be possible to publish Jeff's explanation somewhere (wiki?)

Cheers, mano
freakyfreak
Posts: 6
Joined: June 28th, 2004, 12:39 pm
Location: Bloomington, Minnesota

Post by freakyfreak »

I suppose I could finish the tutorial and publish it in the wiki.

If you hadn't figured it out yet, I'm Jeff ;)

I got a new job recently (well, 6 months ago...) and have been working on a website for The Commodores, yes, the R&B band. I've been working 70+ hour weeks, and my involvement in extension development has been nil other than a new idea I had last weekend for Thunderbird.

Most of my explanation came from posts on the XPInstall and crypto newsgroups on the mozilla.org server.
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post by DerManoMann »

Does anyone know a reason why a signed extension would show up as signed when installed from a local file, but being displayed as unsigned if loaded from a website?

Ta, mano
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

Possibly due to
#306354 [Core] - xpi signature verification only looks in first chunk of data received [All]

DerManoMann wrote:Similar here - I still think that the EM code is buggy. Sometimes it works, other times it doesn't. I found that it works more often when downloading the .xpi file and installing locally.

It is actually the XPInstall code and not the EM code that reads the cert for extensions installed from the net, DnD, etc. though there is some EM code for reading the cert in 1.1+ when installing an extension as a dropped in file.
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post by DerManoMann »

Looks like you are right. Works fine in 1.5beta1.

Ta, mano
azzer
Posts: 244
Joined: September 13th, 2005, 9:56 pm

Post by azzer »

Quick thought: why doesn't UMO sign extensions to indicate that they are genuine UMO extensions? I can see a few issues, but it seems to make sense, and they're already sponsored by XRamp so there'd be no financial outlay.

BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

UMO signing would be essentially meaningless.
azzer
Posts: 244
Joined: September 13th, 2005, 9:56 pm

Post by azzer »

How so? Signing never guarantees that code is 'good' - merely its origin. You often see 'unofficial' versions of extensions; it would be helpful to distinguish these from the 'original'. Suppose such an extension causes problems or is even malicious (very unlikely, but we *are* discussing code signing here) - the code cannot then be attributed to code hosted on UMO. That's all.
jedbro
Posts: 1899
Joined: November 10th, 2002, 12:35 pm
Location: Mexico / Boulder Co.

Best Cert to buy?

Post by jedbro »

Can anyone recommend a good/cheap code signing cert I could buy?
Any suggestions, or what 'format' of the certificate I should get? (i.e. java, VB, MS object, etc.)
wildman
Posts: 222
Joined: June 20th, 2003, 12:20 pm
Location: Florida

Layers: Non-Repudiation, Checksums & Cert Authority

Post by wildman »

Non-repudiation is the reason authors should sign their work. If the author signed the extension with a PGP/GPG key and someone validated that key from a public keyserver, a web of trust could be built; then, if at a later date the code he submitted was found to be malicious, he would have a difficult time denying it. By signing the package, he has validated that it came from pristine sources - the original author. If a checksum was published, that too can be validated. He could change his name and generate new keys, but he could be tracked down too (IPs), or at least banned from submitting code with the same key. Some folks do care about their reputations even on the net; it is a deterrent and another layer of security.

For a nice GPG HOWTO on the web-of trust subject look here... GnuPG Keysigning Party HOWTO

Cert Authority - http://www.openca.org/
There are ways to generate free certs; the Linux community does this often...
Revoking them is another issue. So I agree, Mozilla should generate the cert and validate the packages.

Securing Debian Manual Chapter 7 - Package signing in Debian
http://www.linuxsecurity.com/docs/harde ... h7.en.html
TJworld
Posts: 36
Joined: December 2nd, 2004, 2:47 pm
Location: Nottinghamshire, UK

Code Signing XPIs on Windows

Post by TJworld »

I've just finished writing a comprehensive article on how to obtain, install, and use a code-signing certificate for XPI files on Windows.

I needed to do it myself so I could publish my first Firefox extension, Firefox Shared Bookmarks. I took Pete Collins' article as a starting point and developed it into a novel :)

Code-signing Mozilla Firefox XPI extensions.
TJ.
azzer
Posts: 244
Joined: September 13th, 2005, 9:56 pm

Post by azzer »

Well TJ, that just worked flawlessly for me, up to and including step 13. Now I need a _real_ certificate: the one from Unizeto Certum seems to be perfect for anyone reading this thread (free for open source, and the root cert is installed in Firefox and Thunderbird, and presumably other Mozilla apps).

Great work! Completely painless for Windows developers with Cygwin.

Andy