o-regan.org

Some xpi archives signed with xpisigner are failing to be verified in Firefox 4.

Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

The signatures appear to be correct and it appears to be the chaining via intermediate certificates that is causing the issue.

This is being investigated now and should have an update tomorrow.

Project on Google Code.

For those using XPISigner, and there appears to be a few of you according to the site stats, there will be an update released next month:

Features:

• Support for zip instead of jar on unix to preserve exec flag on files. This is useful for Firefox plugins.
• Support for Firefox cert and key stores. (Windows initially)
• Support for Windows Cert store (Java 6 only)

Laurent brought this up recently in the comments on the XPISigner download page. He ran into an issue signing his Firefox Linux plug-in with XPISigner. Some files were no longer executable when the XPI was deployed.

This is a ‘feature’ of java’s cross-platform underpinnings, since not all platforms use file-system metadata to flag files as executable.

You can work around this using a combination of XPISigner and the unix ZIP command.

Zip (on unix) will preserve the exec flag when creating the archive and Firefox will honour the setting when it extracts the contents of the xpi during installation.

Instructions

• Run xpisigner to create the file manifests and signature.
• Delete your output xpi file
• Zip your content directory and rename your output file to .xpi

Note

You may need to give ZIP an inclusion file list and make sure that META-INF/zigbert.rsa is the first file in the archive

e.g. zip outfile.xpi -i@include.lst

Where include.lst is a file listing all the files you want in the archive.

See http://o-regan.org/2007/04/11/firefox-xpi-internal-structure/ for the reasoning.
<

Available from the download page.

Version 1.6

• Fixed FileNotFound exception for xpi output file that doesn’t exist (yet). XPISigner now creates the file entry so the jar operation can use it.
• Updated the unix script
• Readme now correctly refers to the unix script as xpisigner.sh

Multisigner launched yesterday on it’s own domain (multisigner.com). The first drop of the product supports signing Firefox Extensions/Toolbars direct from the MS Windows ‘Personal’ certificate store.

How easy is it? Check out the link below which will take you to the launch page.

Over the next few weeks the other combinations will be made available. Multisigner will be a commercial product but people who contributed feedback and donations to XPISigner will receive Multisigner for free.

Now available from the download page.

• Updated the readme.txt in the zip to the latest version.
• Some VM’s displayed FileNotFound exceptions when the META-INF folder didn’t exist. Added explicit checks and create folders as required.
• Removed some debugging statements e.g., “bc” from the output.
• When running from a folder other than the baseDir the value of baseDir needed to fully qualified. Now you can use relative paths e.g., ..\..\src
• Some PFX files fail to load and cause an “IllegalKeySize” exception. This is still being investigated.

When running XPISigner with a PFX generated from SPC & PVK files you may run into the following error…

“unwrapping private key – java.security.InvalidKeyException: Illegal key size”

This may have two causes:

• The unlimited strength policy files are not installed in your
  %JAVA_HOME%/jre/lib/security folder.
• The PFX that was generated is not well formed. See below for instructions on how to export a correctly formatted PFX from IE.

Exporting a PFX from Internet Explorer

Go to Tools | Internet Options | Content | Certificates

Select your cert/key and click Export…

Choose to export the private key.

On the next screen choose to “Include all certificates in the chain” and “Strong private key protection”

Give it a password and save to a different filename.

A random sampling of the extensions available on addons.mozilla.org shows that the majority of extensions available for download are unsigned. The only signed extension found in the search was the Google Toolbar.

The use of unsigned extensions encourages the end user to ignore the Unsigned warning in the corner.

(I’m not picking on Adblock specifically, it was the featured extension when I last visited the mozilla addons site.)

So if you’ve developed a firefox extension and you decide you want to sign your extension so that your users can easily authenticate it. What next?

You’ll need a code-signing (or object signing) certificate from a Certificate Authority. For example a Netscape compatible codesigning certificate from Globalsign can be purchased for €175 for one year.

If you follow the registration process from your browser then your private key and certificate will be stored in your browsers certificate store.

To use them with XPISigner you’ll have to export them to a file.

Both Firefox and IE use the same secure format for storing keys outside the browser. The Personal Information Exchange (PFX) file is based on the PKCS#12 standard. It’s format ensures that the exported details are kept secure and provides evidence if the file was tampered with.

In Firefox to export your private key and signing certificate you need to:

Open the options dialog under Tools | Options. Click on the Advanced section and then on the Encryption tab.

Click on the “View Certificates” button and select your certificate.

Click on Backup, enter your master password and then enter a new password to protect the exported key and certificate.

Your p12 or pfx file can now be used with XPISigner.

Downloading & Installing XPISigner

XPISigner is a java application and requires a Java5 runtime installed.

Download the latest version from the XPISigner page.

It should be unpacked to a folder on your disk. e.g. c:\tools\xpisigner

Open a command prompt (Start | Run… | cmd.exe)

CD c:/tools/xpisigner
 C:/tools/xpisigner>dir /b
 bcmail-jdk15-136.jar
 bcprov-jdk15-136.jar
 readme.txt
 xpi.jar
 xpisigner.cmd

Check that java is available from the commandline:

C:/tools/xpisigner>java -version
 java version "1.5.0_06"
 Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
 Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)

For the purposes of this tutorial I downloaded the Adblock Plus extension and unpacked it in C:\tools\extn

My exported codesigning p12 is in c:\tools\xpisigner1.2\exported.p12 and it’s password is password.

So to sign the Adblock extension you switch to the extension directory and run:

C:/tools/extn>c:/tools/xpisigner/xpisigner.cmd c:/tools/xpisigner/exported.p12 password
c:/tools/extn c:/tools/adblock.xpi
XPISigner v1.3 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O'Regan      

Excluding: []
Generated XPI...
        Filename:    C:/tools/adblock.xpi
        Size:        228 kb
        Created at:  Mon Apr 23 23:09:46 BST 2007
        Signed by:   O=O'Regan dot org,E=xpisigner@o-regan.org,C=IE,CN=XPI Signer
        Num entries: 10
Done.

The output c:\tools\adblock.xpi can be dragged into Firefox to install it. This time you can see that it is signed.

I’ve uploaded the signed adblock extension but you’ll need to install my ‘fake’ CA certificate before the extension will verify.

XPISigner creates signed extensions or plug-ins for Firefox and Thunderbird.

It is a replacement for signtool.exe

Requirements:

• Java 5 or higher
• PKCS#12 (PFX) file containing your signing key and certificate
• Your unpacked xpi directory structure

To sign the xpi file you need to point XPISigner at the directory containing your unpacked xpi.

XPISigner processes each file in the directory calculating the MD5 and SHA-1 hash values required for the manifest.mf and zigbert.sf files.

Once the hashes are calculated a PKCS#7 detached signature blob is created using the signing key provided. The PKCS#7 signature is saved as zigbert.rsa.

Finally the xpi is created. The XPI is a regular zip file with one caveat; for a signed xpi the “META-INF/zigbert.rsa” file must be stored first in the archive.

You can now test your signed xpi in Firefox.

XPISigner can be downloaded from http://o-regan.org/xpisigner-secure-your-firefox-extensions