Your Search Results

    Signing an extension

    This article describes how to digitally sign your extension for Firefox and Thunderbird, with a code signing certificate for Object Signing. The following instructions also apply to a theme and other XPI files.

    These instructions assume you're working on Mac and you've already got a valid certificate from CA.

    Get the signing tool

    We use NSS to sign an extension. This can be easily intalled with MacPorts.

    sudo port install nss

    Export your certificate

    If you have your certificate in Firefox, export it by following the steps below. The certificate which the author purchased from VeriSign was directly installed to Firefox.

    1. Click the Firefox button and select Options.
    2. In the Options window, open the Advanced panel, then select the Encryption tab.
    3. Click View Certificates.
    4. In the Certificate Manager, select the Your Certificates tab.
    5. Select your organization's certificate and click Backup.
    6. Enter the file name, e.g. codesign.p12.
    7. Enter the password to protect your certificate backup and click OK.
    8. A P12 file will be exported on your desktop.

    Create a certificate database

    First, create a certificate database that will be used for signing.

    mkdir keystore
    cd keystore
    nss-certutil -N -d .

    You will be asked for the password. Use a strong password to protect your database. Then cert8.db, key3.db and secmod.db will be generated. Next, import your certificate.

    nss-pk12util -i codesign.p12 -d .

    Show the certificate list in your database.

    nss-certutil -L -d .

    Set the trust for the root and intermediate certificates. Here's an example of VeriSign:

    nss-certutil -M -n "Verisign Class 3 Public Primary Certification Authority" -t "C,C,C" -d .
    nss-certutil -M -n "VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign, Inc." -t "C,C,C" -d .
    nss-certutil -M -n "VeriSign Class 3 Code Signing 2010 CA - VeriSign, Inc." -t "C,C,C" -d .

    It's all done.

    Sign

    The basic usage of the signing tool is as follows:

    nss-signtool \
     -d (path to the directory that contains your certificate database files) \
     -k (your certificate nickname) \
     -p (your certificate password) \
     -X -Z (output path/name of signed file) \
     (path to your extension working directory that contains
       chrome directory, chrome.manifest file, install.rdf file, etc.)
    

    Writing your password directly in the script is dangerous. For production, use such a code:

    echo "Enter password for Object Signing:"
    read MYPASSWORD
    nss-signtool \
     -d /Volumes/Codesign/keystore \
     -k "My Company's VeriSign, Inc. ID" \
     -p $MYPASSWORD \
     -X -Z ~/Desktop/MyExtension/dest/MyExtension-1.0.xpi \
     ~/Desktop/MyExtension/source
    unset MYPASSWORD

    Then a signed XPI file will be generated.

    Verify

    Drag and drop the XPI file into the content area of Firefox. On the installation dialog, you can see your organization name along with the file name.

    References

    Document Tags and Contributors

    Contributors to this page: Kohei, SubrataMazumdar
    Last updated by: Kohei,