o-regan.org

[...] Let’s take a signed XPI apart and see what’re required to build a tool like XPISigner [...]

[...] XPISigner - Secure your Firefox Extensions [...]

test

Sorry about the basic question (not a Java guy), but how to install this addon, I have 3 jars in the zip file, what to do next (I have Java Run time installed) ?

Thanks

Dror,
Thanks, looks like I messed up the upload of the 1.1 version.
I’ve uploaded a version that contains a cmd shell script for windows. Once you have that you should be able to just do:

xpisigner.cmd <options>

thanks

kevin

Hi Kevin,
Thanks, this package worked much better

I tried to use the command line but have few questions

The command I’m using
xpisigner.cmd MyKey.pfx “” MyKey xpi\ .

(I have no password to the pfx, maybe that’s the problem ?)

1. Although I have directory with all files the command line looked for it in the current directory.

2. After copied the files to current directory I got an excepion

Excluding: []
java.lang.NullPointerException
at org.oregan.xpi.XPISigner.sign(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
Exception in thread “main” java.lang.NullPointerException
at java.io.FileOutputStream.write(Unknown Source)
at org.oregan.xpi.XPISigner.saveMessage(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)

I meant to say
Thanks, this package worked much better

The questions still remains though
Thanks,
Dror

Hi Dror,

What this tool allows you to do is to sign a firefox extension that you want to distribute.

You’ll need (in no particular order):
a) A firefox extension
b) A code-signing certificate & private key from a Certificate Authority. They should be in PKCS#12 or PFX format.
c) This tool…

At the moment it doesn’t integrate or ‘plug-in’ to firefox, it’s a seperate tool used as a step in your extension deployment process.

I’m currently working on a GUI version.

I’ll see if I can get a full walkthrough of the signing process later tonight.

kevin

Added a walkthrough and updated the code to v1.2.
kevin

I am getting an error…

C:\xpi-signer>xpisigner devcert.pfx passwrd C:\xpi-signer\input C:\xpi-signer\output
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan

Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size

Thanks for the speedy response.

I tried exporting the pvk with less encryption but no change.

Does your Java specifically use 1.5 or can it be 1.6?

I found that this works ok in both 1.6 and 1.5.

Thanks for resolving the issues with our Developer Cert… we now have an invaluable tool that solves a problem for us. Also, I believe this to be the first time an XPI has been codesigned using Authenticode.

Kevin,

Hi. I’m getting the “unwrapping private key - java.security.InvalidKeyException: Illegal key size” error mentioned above.

I got the US_export_policy.jar and local_policy.jar that you mentioned and pasted them into the jre/lib/ext directory, but those were new files so they didn’t replace anything. Anyway, that didn’t fix the error–I’m still getting it. My Java version is 1.5.0_11.

Do you any other advice to get this to work? Thanks.

I am very pleased with XPISigner. Signing an XPI file the manual way looks like a total nightmare. At first, I was having a few problems getting XPISigner to work, but Kevin helped me resolve each one of them. I think XPISigner is an invaluable tool, and it makes my work so much easier. And hey, it’s free! So, if you ever need to sign an XPI file, I would highly recommend XPISigner as your first stop.

Hello,

Seems like I’m having the same issue with the key size. Not sure what I’m doing wrong. I downloaded
the additional 2 jar files and tried again but am still getting this error.

Here is the output I get:
D:\Program Files\Java\jre>d:\xpisigner\xpisigner.cmd d:\mykeys\upromise.pfx “**********” d:\signfiles output.xpi
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan

Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal ke
y size

D:\Program Files\Java\jre>

Hi,
This looks like a great program - thanks for the public service. I have been working (laboriously) with the Mozilla tools and I seem to -almost- have it working but your tool is clearly much preferred.

Unfortunately, I have not yet succeeded. After going through the “illegal key size” problem (I updated the Java security files as you suggested and this error went away, I also went through the IE import export with no change in behavior). I now get the following output:

Excluding []
bc
Signing failed:null

The “manifest.mf” and “zigbert.sf” files are also created in my source directory.

I have used the same .pfx I am using here to successfully sign other code using the NSS signtool.exe, so I think my basics are in order. Any ideas what might be going wrong?

Thanks,
Jason

Hi,

I am running also into the same problems as John above (illegal key size even after installing local_policy.jar and US_export_policy.jar into the Java/jre/lib/ext directory).

Is there something else I can try?

BTW, I am using java 1.6.0_02

Thanks,
George.

Kevin,

Thanks for the help - yes that was the problem. Now it works with no problems. Thank you for your excellent tool and responsive support.

Jason

All I can say is ,I’m very impressed…

Does anybody explain me the XPISigner in german???

hi, does this tool work with PVK files? I saw one post here which does a indirect reference to a pvk extension..

I’m having a problem running xpisigner from a path that contains spaces. For example, if I run it under “C:\some path\xpisigner”, I get the error message:
Unable to access jarfile c:\some

(cuts off right at the space)

Is there a way around this? Or do I have to make sure the path doesn’t include spaces?