o-regan.org

I’ve removed XPISigner from this site. It no longer appears to work correctly with FireFox 4 and 5 and I no longer have the time/resources to try keeping up with it.

The source code is available on Google Code : http://code.google.com/p/xpisigner/

Some xpi archives signed with xpisigner are failing to be verified in Firefox 4.

Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

The signatures appear to be correct and it appears to be the chaining via intermediate certificates that is causing the issue.

This is being investigated now and should have an update tomorrow.

Project on Google Code.

Just noticed that there’s an entry for signing xpi files with XPISigner in the Comodo knowledgebase.

Using XPISigner to sign XPI files

For those using XPISigner, and there appears to be a few of you according to the site stats, there will be an update released next month:

Features:

• Support for zip instead of jar on unix to preserve exec flag on files. This is useful for Firefox plugins.
• Support for Firefox cert and key stores. (Windows initially)
• Support for Windows Cert store (Java 6 only)

Laurent brought this up recently in the comments on the XPISigner download page. He ran into an issue signing his Firefox Linux plug-in with XPISigner. Some files were no longer executable when the XPI was deployed.

This is a ‘feature’ of java’s cross-platform underpinnings, since not all platforms use file-system metadata to flag files as executable.

You can work around this using a combination of XPISigner and the unix ZIP command.

Zip (on unix) will preserve the exec flag when creating the archive and Firefox will honour the setting when it extracts the contents of the xpi during installation.

Instructions

• Run xpisigner to create the file manifests and signature.
• Delete your output xpi file
• Zip your content directory and rename your output file to .xpi

Note

You may need to give ZIP an inclusion file list and make sure that META-INF/zigbert.rsa is the first file in the archive

e.g. zip outfile.xpi -i@include.lst

Where include.lst is a file listing all the files you want in the archive.

See http://o-regan.org/2007/04/11/firefox-xpi-internal-structure/ for the reasoning.
<

Available from the download page.

Version 1.6

• Fixed FileNotFound exception for xpi output file that doesn’t exist (yet). XPISigner now creates the file entry so the jar operation can use it.
• Updated the unix script
• Readme now correctly refers to the unix script as xpisigner.sh

Now available from the download page.

• Updated the readme.txt in the zip to the latest version.
• Some VM’s displayed FileNotFound exceptions when the META-INF folder didn’t exist. Added explicit checks and create folders as required.
• Removed some debugging statements e.g., “bc” from the output.
• When running from a folder other than the baseDir the value of baseDir needed to fully qualified. Now you can use relative paths e.g., ..\..\src
• Some PFX files fail to load and cause an “IllegalKeySize” exception. This is still being investigated.

Now available from the download page.

• Updated the readme.txt in the zip to the latest version.
• Some VM’s displayed FileNotFound exceptions when the META-INF folder didn’t exist. Added explicit checks and create folders as required.
• Removed some debugging statements e.g., “bc” from the output.
• When running from a folder other than the baseDir the value of baseDir needed to fully qualified. Now you can use relative paths e.g., ..\..\src
• Some PFX files fail to load and cause an “IllegalKeySize” exception. This is still being investigated.

When running XPISigner with a PFX generated from SPC & PVK files you may run into the following error…

“unwrapping private key – java.security.InvalidKeyException: Illegal key size”

This may have two causes:

• The unlimited strength policy files are not installed in your
  %JAVA_HOME%/jre/lib/security folder.
• The PFX that was generated is not well formed. See below for instructions on how to export a correctly formatted PFX from IE.

Exporting a PFX from Internet Explorer

Go to Tools | Internet Options | Content | Certificates

Select your cert/key and click Export…

Choose to export the private key.

On the next screen choose to “Include all certificates in the chain” and “Strong private key protection”

Give it a password and save to a different filename.