o-regan.org

Just noticed that there’s an entry for signing xpi files with XPISigner in the Comodo knowledgebase.

Using XPISigner to sign XPI files

Laurent brought this up recently in the comments on the XPISigner download page. He ran into an issue signing his Firefox Linux plug-in with XPISigner. Some files were no longer executable when the XPI was deployed.

This is a ‘feature’ of java’s cross-platform underpinnings, since not all platforms use file-system metadata to flag files as executable.

You can work around this using a combination of XPISigner and the unix ZIP command.

Zip (on unix) will preserve the exec flag when creating the archive and Firefox will honour the setting when it extracts the contents of the xpi during installation.

Instructions

• Run xpisigner to create the file manifests and signature.
• Delete your output xpi file
• Zip your content directory and rename your output file to .xpi

Note

You may need to give ZIP an inclusion file list and make sure that META-INF/zigbert.rsa is the first file in the archive

e.g. zip outfile.xpi -i@include.lst

Where include.lst is a file listing all the files you want in the archive.

See http://o-regan.org/2007/04/11/firefox-xpi-internal-structure/ for the reasoning.
<

When running XPISigner with a PFX generated from SPC & PVK files you may run into the following error…

“unwrapping private key – java.security.InvalidKeyException: Illegal key size”

This may have two causes:

• The unlimited strength policy files are not installed in your
  %JAVA_HOME%/jre/lib/security folder.
• The PFX that was generated is not well formed. See below for instructions on how to export a correctly formatted PFX from IE.

Exporting a PFX from Internet Explorer

Go to Tools | Internet Options | Content | Certificates

Select your cert/key and click Export…

Choose to export the private key.

On the next screen choose to “Include all certificates in the chain” and “Strong private key protection”

Give it a password and save to a different filename.