How do you sign an extension?

Talk about add-ons and extension development.
Posts: 244
Joined: September 13th, 2005, 9:56 pm

Post Posted August 18th, 2007, 12:07 pm

I've tried both of Kevin's apps - nicely done, and they fill a real need. Minor suggestions: for xpisigner, allow the user to specify the password interactively, echoed with ***, so that it's never visible on screen/command history; for both apps, it would be really nice to just point at an unsigned XPI (should be easy - just unzip into an empty temp. directory - that becomes your root - no need to worry about including and excluding files). I did get the “IllegalKeySize” exception - adding unlimited strength crypto fixed it.

I've managed to get a PKCS#12 with a signature from Thawte based on , which shows that you can sign WebStart applets (perhaps Kevin could do this?) (even though the free Thawte certs are designed for e-mail signing only) and ... rivate_key (which essentially turns the Thawte certificate + your private key into a PKCS12). Anyway, the PKCS file is 'good' but if I import it into Firefox I see that its purpose is 'E-mail Signer/Responder Certificate' - nothing about code signing. When I use it with Kevin's apps (either directly, with xpisigner, or after importing it into IE for Multisigner), the 'signed' XPI is created but shows as 'unsigned' when I try to install it into Firefox. I imagine that something is actually failing in the signing, but isn't flagged to the user - not surprising since what I'm doing (trying to sign with a cert apparently not designed for code-signing) is unusual.

Questions: has anyone been able to get Thawte to issue a cert that will sign XPI's? It _IS_ possible to sign WebStart apps with these...
Also, has anyone found a cheap source of real code-signing certs? I'd be happy to pay...


Posts: 3
Joined: April 11th, 2007, 1:27 pm
Location: Carlow, Ireland

Post Posted August 18th, 2007, 1:19 pm

Hi Andy,

Thanks for the feedback, I'll have to check if you can get java to hide the password, It used not be possible.

I'll also take a look at using a prebuilt xpi. It would probably make for easier integration into build processes.

Signing with the Thawte email cert doesn't work in Firefox because Firefox explicitly checks the Extended Key Usage extension to see if it has an "objectSigning" usage and also that the CA that issued it has "objectSigningCA" usage.

It may also display "Unsigned" when there is no Organisation name specified in the certificate.

WebStart may not be being as thorough. btw, my plans for Multisigner include signing java applets and webstart apps but also to be able to take keys from Firefox the same way as it does for IE.

From what I've seen with people who've used XPISigner, is that most "MS Object Signing" certificates also include the "objectSigning" extended key usage needed to sign XPI files.

There used to be technical differences between IE and Netscape ( 4.7 as it was then) in what constituted a proper codesigning certifciate. To the best of my knowledge they are all moot now but the likes of Verisign and Thawte would rather you bought more than one :)

I'm hoping to keep getting donations so that I may be able to afford to buy one from each major vendor for testing.


Kevin O'Regan

MultiSigner - Extension Signing for Firefox and Thunderbird

Posts: 244
Joined: September 13th, 2005, 9:56 pm

Post Posted August 18th, 2007, 1:39 pm

Agreed about the cert extensions, though it's strange that someone could use a Thawte e-mail cert to sign a WebStart app - perhaps Java isn't doing entirey thorough checking.

Empty 'Organisation': could be; my Thawte cert certainly has no Organisation field in the 'Subject'. That would be a minor Mozilla bug.


Posts: 15
Joined: March 24th, 2007, 10:31 pm

Post Posted March 19th, 2008, 7:26 pm


I've created an XPI and I'm about to purchase a code signing certificate in order to sign it and distribute it.

I've searched the net and can't find any reference that explains how FireFox treats signed XPIs after the certificate has expired. Microsoft seems to have solved this problem by allowing you to reference a secure timestamp service during code signing. If you do that your application will still work after the certificate has expired - you just can't use that cert to sign new stuff.

I have the latest signtool 3.11.5 and it doesn't have any options that let me provide a secure timestamp service URL. However, Sun's jarsigner does have this option (-tsa) and since it seems to do the same thing as signtool perhaps I could use that - IF FireFox even looks at the secure timestamp data.

I haven't code signed anything before so perhaps I'm just missing it. Any pointers would be appreciated.

Thank you.

Return to Extension Development

Who is online

Users browsing this forum: No registered users and 2 guests