Signing an extension
From MDC
This article describes how to digitally sign your extension for Firefox and Thunderbird, with a code signing certificate for Object Signing. The following instructions also apply to a theme and other XPI files.
Get the signing tool
You need to get your copy of NSPR and NSS for the code signing. The required tools are available from Mozilla's FTP server.
On Windows, download and extract these ZIP files:
On Mac OS X and Linux, download the source and build them yourself.
Then copy all files from the nspr/lib, nspr/bin and nss/lib directories into a single directory, e.g. /usr/lib/nss/.
Set the path
Add the path to the directory above to your PATH environment variable.
On Mac OS X:
$ export PATH=${PATH}:/usr/lib/nss
Create the certificate database
$ cd /Volumes/CertDB/ObjectSigning
$ certutil -N -d .
Tip: Import an Object Signing certificate issued by VeriSign
If you purchase and pick up a code signing certificate for Object Signing from VeriSign, your certificate will be installed directly into the certificate database in your Netscape 4.x user profile. This database uses a legacy format and cannot be used for code signing. You can upgrade the database by creating a new profile and importing your Netscape profile into Firefox:
$ firefox-bin -CreateProfile FromNS4
$ firefox-bin -p FromNS4 -migration
After closing Firefox, the following files will have been generated in your profile. These are your certificate database files. Take them out of your profile and keep them under lock and key.
- cert8.db
- key3.db
- secmod.db
Sign
The basic usage of the signing tool is as follows:
$ signtool \
  -d (path to the directory that contains your certificate database files) \
  -k (your certificate nickname) \
  -p (your certificate password) \
  -X -Z (output path/name of signed file) \
  (path to your extension working directory that contains chrome directory, chrome.manifest file, install.rdf file, etc.)
Writing your password directly into the script is dangerous. For production, use a script like the following, which prompts for the password and discards it once signing is done:
$ echo "Enter password for Object Signing:"
$ read MYPASSWORD
$ signtool \
  -d /Volumes/CertDB/ObjectSigning \
  -k "My Company's VeriSign, Inc. ID" \
  -p $MYPASSWORD \
  -X -Z ~/Desktop/MyExtension/dest/MyExtension-1.0.xpi \
  ~/Desktop/MyExtension/source
$ unset MYPASSWORD
Verify
Drag and drop the generated XPI file into the content area of Firefox. On the installation dialog, you can see your company name along with the file name.
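The sign-and-verify procedure above, wrapped in a small POSIX shell script. This is an added example, not part of the original article: it checks that the certificate database directory holds the cert8.db / key3.db / secmod.db triple before running signtool, reads the password without echoing it, clears it afterwards, and then verifies the result with signtool itself. The nickname, paths, the `install.rdf` check and the `signtool -v` verification flag are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example wrapping the signtool invocation described in this article.
# Assumes signtool is on PATH (see "Set the path") and that the certificate
# database is the cert8.db / key3.db / secmod.db triple described above.

# Return 0 if DIR holds the three NSS database files, 1 otherwise.
certdb_ok() {
    dir=$1
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    return 0
}

# Sign SRC_DIR into OUT_XPI using certificate NICK found in CERT_DIR.
# The password is prompted for without echo and unset as soon as signtool
# returns, so it is never stored in the script or in shell history.
sign_xpi() {
    cert_dir=$1 nick=$2 src_dir=$3 out_xpi=$4
    certdb_ok "$cert_dir" || return 1
    # install.rdf is what the installer reads; refuse to sign a tree without it
    [ -f "$src_dir/install.rdf" ] || { echo "no install.rdf in $src_dir" >&2; return 1; }
    printf 'Enter password for Object Signing: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    signtool -d "$cert_dir" -k "$nick" -p "$pw" -X -Z "$out_xpi" "$src_dir"
    rc=$?
    unset pw
    [ "$rc" -eq 0 ] || return "$rc"
    # Check the signature on the produced archive (-v is assumed to be
    # signtool's verify mode) instead of trusting the exit status alone.
    signtool -d "$cert_dir" -v "$out_xpi"
}
```

Note that `-p` still passes the password on signtool's command line, where other local users can read it from the process list while signtool runs; sign on a machine you control rather than a shared host.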
References
- Signing an XPI - more detailed instructions, including test procedures.
- Signing an executable with Authenticode - for signing executable files (exe).
- Firefox Add-on for signing Firefox extensions (XPI files) - XUL-based tool that uses certificates in the Firefox certificate DB for signing.
- Signing a Firefox extension with a Windows Authenticode SSL certificate / key - Note that some CAs do not allow (or support) diverting an Authenticode certificate to Object Signing. Please check the terms of service.