A random sampling of the extensions available on addons.mozilla.org shows that the majority of extensions available for download are unsigned. The only signed extension found in the search was the Google Toolbar.
The use of unsigned extensions encourages the end user to ignore the Unsigned warning in the corner.
(I’m not picking on Adblock specifically, it was the featured extension when I last visited the mozilla addons site.)
So if you’ve developed a firefox extension and you decide you want to sign your extension so that your users can easily authenticate it. What next?
You’ll need a code-signing (or object signing) certificate from a Certificate Authority. For example a Netscape compatible codesigning certificate from Globalsign can be purchased for €175 for one year.
If you follow the registration process from your browser then your private key and certificate will be stored in your browsers certificate store.
To use them with XPISigner you’ll have to export them to a file.
Both Firefox and IE use the same secure format for storing keys outside the browser. The Personal Information Exchange (PFX) file is based on the PKCS#12 standard. It’s format ensures that the exported details are kept secure and provides evidence if the file was tampered with.
In Firefox to export your private key and signing certificate you need to:
Open the options dialog under Tools | Options. Click on the Advanced section and then on the Encryption tab.
Click on the “View Certificates” button and select your certificate.
Click on Backup, enter your master password and then enter a new password to protect the exported key and certificate.
Your p12 or pfx file can now be used with XPISigner.
Downloading & Installing XPISigner
XPISigner is a java application and requires a Java5 runtime installed.
Download the latest version from the XPISigner page.
It should be unpacked to a folder on your disk. e.g. c:\tools\xpisigner
Open a command prompt (Start | Run… | cmd.exe)
CD c:/tools/xpisigner
C:/tools/xpisigner>dir /b
bcmail-jdk15-136.jar
bcprov-jdk15-136.jar
readme.txt
xpi.jar
xpisigner.cmd
Check that java is available from the commandline:
C:/tools/xpisigner>java -version
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)
For the purposes of this tutorial I downloaded the Adblock Plus extension and unpacked it in C:\tools\extn
My exported codesigning p12 is in c:\tools\xpisigner1.2\exported.p12 and it’s password is password.
So to sign the Adblock extension you switch to the extension directory and run:
C:/tools/extn>c:/tools/xpisigner/xpisigner.cmd c:/tools/xpisigner/exported.p12 password
c:/tools/extn c:/tools/adblock.xpi
XPISigner v1.3 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O'Regan
Excluding: []
Generated XPI...
Filename: C:/tools/adblock.xpi
Size: 228 kb
Created at: Mon Apr 23 23:09:46 BST 2007
Signed by: O=O'Regan dot org,E=xpisigner@o-regan.org,C=IE,CN=XPI Signer
Num entries: 10
Done.
The output c:\tools\adblock.xpi can be dragged into Firefox to install it. This time you can see that it is signed.
I’ve uploaded the signed adblock extension but you’ll need to install my ‘fake’ CA certificate before the extension will verify.
Recent Comments