o-regan.org

For those using XPISigner, and there appears to be a few of you according to the site stats, there will be an update released next month:

Features:

• Support for zip instead of jar on unix to preserve exec flag on files. This is useful for Firefox plugins.
• Support for Firefox cert and key stores. (Windows initially)
• Support for Windows Cert store (Java 6 only)

Now available from the download page.

• Updated the readme.txt in the zip to the latest version.
• Some VM’s displayed FileNotFound exceptions when the META-INF folder didn’t exist. Added explicit checks and create folders as required.
• Removed some debugging statements e.g., “bc” from the output.
• When running from a folder other than the baseDir the value of baseDir needed to fully qualified. Now you can use relative paths e.g., ..\..\src
• Some PFX files fail to load and cause an “IllegalKeySize” exception. This is still being investigated.

XPISigner creates signed extensions or plug-ins for Firefox and Thunderbird.

It is a replacement for signtool.exe

Requirements:

• Java 5 or higher
• PKCS#12 (PFX) file containing your signing key and certificate
• Your unpacked xpi directory structure

To sign the xpi file you need to point XPISigner at the directory containing your unpacked xpi.

XPISigner processes each file in the directory calculating the MD5 and SHA-1 hash values required for the manifest.mf and zigbert.sf files.

Once the hashes are calculated a PKCS#7 detached signature blob is created using the signing key provided. The PKCS#7 signature is saved as zigbert.rsa.

Finally the xpi is created. The XPI is a regular zip file with one caveat; for a signed xpi the “META-INF/zigbert.rsa” file must be stored first in the archive.

You can now test your signed xpi in Firefox.

XPISigner can be downloaded from http://o-regan.org/xpisigner-secure-your-firefox-extensions