o-regan.org

A random sampling of the extensions available on addons.mozilla.org shows that the majority of extensions available for download are unsigned. The only signed extension found in the search was the Google Toolbar.

The use of unsigned extensions encourages the end user to ignore the Unsigned warning in the corner.

(I’m not picking on Adblock specifically, it was the featured extension when I last visited the mozilla addons site.)

So if you’ve developed a firefox extension and you decide you want to sign your extension so that your users can easily authenticate it. What next?

You’ll need a code-signing (or object signing) certificate from a Certificate Authority. For example a Netscape compatible codesigning certificate from Globalsign can be purchased for €175 for one year.

If you follow the registration process from your browser then your private key and certificate will be stored in your browsers certificate store.

To use them with XPISigner you’ll have to export them to a file.

Both Firefox and IE use the same secure format for storing keys outside the browser. The Personal Information Exchange (PFX) file is based on the PKCS#12 standard. It’s format ensures that the exported details are kept secure and provides evidence if the file was tampered with.

In Firefox to export your private key and signing certificate you need to:

Open the options dialog under Tools | Options. Click on the Advanced section and then on the Encryption tab.

Click on the “View Certificates” button and select your certificate.

Click on Backup, enter your master password and then enter a new password to protect the exported key and certificate.

Your p12 or pfx file can now be used with XPISigner.

Downloading & Installing XPISigner

XPISigner is a java application and requires a Java5 runtime installed.

Download the latest version from the XPISigner page.

It should be unpacked to a folder on your disk. e.g. c:\tools\xpisigner

Open a command prompt (Start | Run… | cmd.exe)

CD c:/tools/xpisigner
 C:/tools/xpisigner>dir /b
 bcmail-jdk15-136.jar
 bcprov-jdk15-136.jar
 readme.txt
 xpi.jar
 xpisigner.cmd

Check that java is available from the commandline:

C:/tools/xpisigner>java -version
 java version "1.5.0_06"
 Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
 Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)

For the purposes of this tutorial I downloaded the Adblock Plus extension and unpacked it in C:\tools\extn

My exported codesigning p12 is in c:\tools\xpisigner1.2\exported.p12 and it’s password is password.

So to sign the Adblock extension you switch to the extension directory and run:

C:/tools/extn>c:/tools/xpisigner/xpisigner.cmd c:/tools/xpisigner/exported.p12 password
c:/tools/extn c:/tools/adblock.xpi
XPISigner v1.3 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O'Regan      

Excluding: []
Generated XPI...
        Filename:    C:/tools/adblock.xpi
        Size:        228 kb
        Created at:  Mon Apr 23 23:09:46 BST 2007
        Signed by:   O=O'Regan dot org,E=xpisigner@o-regan.org,C=IE,CN=XPI Signer
        Num entries: 10
Done.

The output c:\tools\adblock.xpi can be dragged into Firefox to install it. This time you can see that it is signed.

I’ve uploaded the signed adblock extension but you’ll need to install my ‘fake’ CA certificate before the extension will verify.

XPISigner creates signed extensions or plug-ins for Firefox and Thunderbird.

It is a replacement for signtool.exe

Requirements:

• Java 5 or higher
• PKCS#12 (PFX) file containing your signing key and certificate
• Your unpacked xpi directory structure

To sign the xpi file you need to point XPISigner at the directory containing your unpacked xpi.

XPISigner processes each file in the directory calculating the MD5 and SHA-1 hash values required for the manifest.mf and zigbert.sf files.

Once the hashes are calculated a PKCS#7 detached signature blob is created using the signing key provided. The PKCS#7 signature is saved as zigbert.rsa.

Finally the xpi is created. The XPI is a regular zip file with one caveat; for a signed xpi the “META-INF/zigbert.rsa” file must be stored first in the archive.

You can now test your signed xpi in Firefox.

XPISigner can be downloaded from http://o-regan.org/xpisigner-secure-your-firefox-extensions

Let’s take a signed XPI apart and see what’re required to build a tool like XPISigner

We’ll use the Google Toolbar for Firefox as an example. It’s already signed and we can see it works when we download it.

Save off the xpi file from http://dl.google.com/firefox/google-toolbar.xpi

Using Java's jar command view the contents of the archive

C:demo>jar tvf google-toolbar-win.xpi
   3247 Tue Feb 20 12:33:50 GMT 2007 META-INF/zigbert.rsa
 573920 Sat Feb 17 15:01:32 GMT 2007 chrome/google-toolbar.jar
   2599 Sat Feb 17 15:01:32 GMT 2007 chrome.manifest
   7824 Sat Feb 17 15:01:32 GMT 2007 components/bootstrap.js
   4578 Sat Feb 17 15:01:32 GMT 2007 components/googletoolbar.xpt
   1126 Sat Feb 17 15:01:32 GMT 2007 components/metrics.xpt
 351232 Sat Feb 17 15:01:32 GMT 2007 components/googletoolbar.dll
 138752 Sat Feb 17 15:01:32 GMT 2007 components/metrics.dll
   4340 Sat Feb 17 15:01:32 GMT 2007 defaults/preferences/options.js
   2005 Sat Feb 17 15:01:32 GMT 2007 defaults/custombuttons/toolbar.google.com_CTK0Y7F4MTG6NKYH03WT.xml
   6697 Sat Feb 17 15:01:32 GMT 2007 defaults/custombuttons/toolbar.google.com_J66T77NJDBMW4FEUU7FA.xml
   7667 Sat Feb 17 15:01:32 GMT 2007 defaults/custombuttons/toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.xml
  22486 Sat Feb 17 15:01:32 GMT 2007 defaults/contenthandling/doc.ico
   2446 Sat Feb 17 15:01:32 GMT 2007 install.rdf
 544031 Sat Feb 17 15:01:32 GMT 2007 lib/toolbar.js
   7789 Sat Feb 17 15:01:32 GMT 2007 LICENSE.txt
   2303 Tue Feb 20 12:33:50 GMT 2007 META-INF/manifest.mf
   2411 Tue Feb 20 12:33:50 GMT 2007 META-INF/zigbert.sf

The jar command lists the files in the order they were found in the archive. This is important as it plays a role in how Firefox determines that the archive is signed. Tools like WinZIP will re-order the listing by path.

There are 3 files of intrest to this investigation:

1. META-INF/zigbert.rsa is a PKCS#7 detached
   signature.
2. META-INF/manifest.mf is a jar file manifest
3. META-INF/zigber.sf is a manifest of manifest.mf

The reason that zigbert.rsa must be at the start of the archive is so that Firefox can determine if the archive is signed and display the signer's Organization in the confirmation dialog.

Firefox downloads just enough of the archive to extract the first entry from it. If that entry is zigbert.rsa and it is a well-formed PKCS#7 signature then the signer's Distinguished Name is taken from the signer info and the organization is displayed.

e.g., the full Distinguished Name for the google signing certificate is

CN = Google Inc
OU = Digital ID Class 3 - Netscape Object Signing
O = Google Inc
L = Mountain View
S = California
C = US

The signer must be either in the Firefox certificate store or be signed by a CA in the certificate store

This way the user is told that the xpi is signed and who signed it, before the complete archive is downloaded. If the user cancels at this point then no more of the file is downloaded.

When the user accepts the xpi for installation it is downloaded. Once the download is completed Firefox finishes the verification steps.

Each file in the archive is extracted and the MD5 and SHA-1 hashes are calculated. The values are checked against the ones stored in manifest.mf. If there is a mismatch then verification fails. If there are more (or less) files files in the archive than listed in the manifest then verification fails.

If the manifest has been checked successfully then the signature manifest (zigbert.sf) is checked. The manifest.mf is split into sections based on blank lines. Each section has it's MD5 and SHA-1 hash calculated and compared to the corresponding values in zigbert.sf. If any of the entries do not match then verification fails.

The contents of zigbert.sf is used to verify the PKCS#7 signature in zigbert.rsa.

If that signature verifies and the certificate used to sign zigbert.rsa verifies against the Firefox certificate store then the xpi is staged for installation.