XPISigner v1
XPISigner is a command-line tool that simplifies signing Firefox and Thunderbird extensions.
Written in Java and using the Bouncy Castle cryptographic libraries, XPISigner produces signatures compatible with Firefox and Thunderbird.
XPISigner v1.4
(http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
xpisigner.cmd pfxfile password basedir|listfile output
Parameters:
 pfxfile The PKCS#12 file containing your signing credentials.
 password The passphrase for pfxfile.
 basedir Include all files under basedir.
 listfile Include only the files found in listfile.
 output Location to save the signed xpi.
Version 1.4 available now!
Getting an IllegalKeySizeException? See this post.
Comments
Comment from o-regan.org » XPISigner - Java cross-platorm xpi signing tool
Time April 14, 2007 at 1:58 pm
[...] XPISigner - Secure your Firefox Extensions [...]
Comment from dror
Time April 22, 2007 at 3:19 pm
Sorry about the basic question (not a Java guy), but how to install this addon, I have 3 jars in the zip file, what to do next (I have Java Run time installed) ?
Thanks
Comment from kevin
Time April 22, 2007 at 7:19 pm
Dror,
Thanks, looks like I messed up the upload of the 1.1 version.
I’ve uploaded a version that contains a cmd shell script for windows. Once you have that you should be able to just do:
xpisigner.cmd <options>
thanks
kevin
Comment from dror
Time April 23, 2007 at 6:37 pm
Hi Kevin,
Thanks, this package worked much better
I tried to use the command line but have a few questions
The command I’m using
xpisigner.cmd MyKey.pfx “” MyKey xpi\ .
(I have no password to the pfx, maybe that’s the problem ?)
1. Although I have a directory with all files the command line looked for it in the current directory.
2. After copying the files to current directory I got an exception
Excluding: []
java.lang.NullPointerException
at org.oregan.xpi.XPISigner.sign(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
Exception in thread “main” java.lang.NullPointerException
at java.io.FileOutputStream.write(Unknown Source)
at org.oregan.xpi.XPISigner.saveMessage(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
Comment from dror
Time April 23, 2007 at 6:39 pm
I meant to say
Thanks, this package worked much better
The questions still remain though
Thanks,
Dror
Comment from kevin
Time April 23, 2007 at 9:22 pm
Hi Dror,
What this tool allows you to do is to sign a firefox extension that you want to distribute.
You’ll need (in no particular order):
a) A firefox extension
b) A code-signing certificate & private key from a Certificate Authority. They should be in PKCS#12 or PFX format.
c) This tool…
At the moment it doesn’t integrate or ‘plug-in’ to firefox, it’s a separate tool used as a step in your extension deployment process.
I’m currently working on a GUI version.
I’ll see if I can get a full walkthrough of the signing process later tonight.
kevin
Comment from Kevin
Time April 23, 2007 at 11:30 pm
Added a walkthrough and updated the code to v1.2.
kevin
Comment from William
Time May 27, 2007 at 3:12 am
I am getting an error…
C:\xpi-signer>xpisigner devcert.pfx passwrd C:\xpi-signer\input C:\xpi-signer\output
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size
Comment from kevin
Time May 27, 2007 at 7:21 am
Hi William,
You’ll need the unlimited strength policy files from the bottom of http://java.sun.com/javase/downloads/index_jdk5.jsp
You copy the 2 jar files from the download to the jre/lib/security folder of your JDK, replacing the ones already there.
regards
kevin
Comment from William
Time May 27, 2007 at 8:29 am
Thanks for the speedy response.
I tried exporting the pvk with less encryption but no change.
Does your Java specifically use 1.5 or can it be 1.6?
Comment from kevin
Time May 27, 2007 at 10:36 am
Java 5 for the moment, I haven’t done much testing with 1.6 yet so there may be an issue with the BouncyCastle provider and Java 6.
Sun’s download site is down right now, but I’ll check later.
Comment from William
Time May 30, 2007 at 7:36 am
I found that this works ok in both 1.6 and 1.5.
Thanks for resolving the issues with our Developer Cert… we now have an invaluable tool that solves a problem for us. Also, I believe this to be the first time an XPI has been codesigned using Authenticode.
Comment from Billy
Time July 6, 2007 at 10:03 pm
Kevin,
Hi. I’m getting the “unwrapping private key - java.security.InvalidKeyException: Illegal key size” error mentioned above.
I got the US_export_policy.jar and local_policy.jar that you mentioned and pasted them into the jre/lib/ext directory, but those were new files so they didn’t replace anything. Anyway, that didn’t fix the error–I’m still getting it. My Java version is 1.5.0_11.
Do you have any other advice to get this to work? Thanks.
Comment from Billy
Time July 20, 2007 at 10:46 pm
I am very pleased with XPISigner. Signing an XPI file the manual way looks like a total nightmare. At first, I was having a few problems getting XPISigner to work, but Kevin helped me resolve each one of them. I think XPISigner is an invaluable tool, and it makes my work so much easier. And hey, it’s free!
So, if you ever need to sign an XPI file, I would highly recommend XPISigner as your first stop.
Comment from John
Time August 2, 2007 at 7:13 pm
Hello,
Seems like I’m having the same issue with the key size. Not sure what I’m doing wrong. I downloaded
the additional 2 jar files and tried again but am still getting this error.
Here is the output I get:
D:\Program Files\Java\jre>d:\xpisigner\xpisigner.cmd d:\mykeys\upromise.pfx “**********” d:\signfiles output.xpi
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size
D:\Program Files\Java\jre>
Comment from kevin
Time August 2, 2007 at 8:40 pm
Hi John,
What worked for Billy (above) was to import the PFX into IE and then to re-export it and ensure you check the
[ ] Include all certificates in the chain
option.
If that doesn’t work then I’ll follow up with you via email.
kevin
Comment from Jason
Time August 8, 2007 at 8:29 am
Hi,
This looks like a great program - thanks for the public service. I have been working (laboriously) with the Mozilla tools and I seem to -almost- have it working but your tool is clearly much preferred.
Unfortunately, I have not yet succeeded. After going through the “illegal key size” problem (I updated the Java security files as you suggested and this error went away, I also went through the IE import export with no change in behavior). I now get the following output:
Excluding []
bc
Signing failed:null
The “manifest.mf” and “zigbert.sf” files are also created in my source directory.
I have used the same .pfx I am using here to successfully sign other code using the NSS signtool.exe, so I think my basics are in order. Any ideas what might be going wrong?
Thanks,
Jason
Comment from George necula
Time August 8, 2007 at 10:17 pm
Hi,
I am running also into the same problems as John above (illegal key size even after installing local_policy.jar and US_export_policy.jar into the Java/jre/lib/ext directory).
Is there something else I can try?
BTW, I am using java 1.6.0_02
Thanks,
George.
Comment from kevin
Time August 8, 2007 at 10:36 pm
Wow. I’m just making work for myself.
Where it says put the policy files in jre/lib/ext it should read jre/lib/security.
That way they’ll actually get picked up!
kevin
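A quick way to confirm the fix described in the comment above, as an added example that is not part of the original thread or of XPISigner: it reports which JRE is actually running, whether the unlimited-strength policy is active, and whether the two policy jars sit in lib/security or were dropped into lib/ext by mistake. The class name PolicyCheck and the use of AES as the probe algorithm are assumptions made for this example; the directory layout is the Java 5/6 one discussed in the thread.

```java
import java.io.File;
import javax.crypto.Cipher;

/** Added diagnostic (hypothetical class name): is the unlimited-strength JCE policy active? */
public class PolicyCheck {
    // Jar names as given in the comments above.
    static final String[] POLICY_JARS = { "local_policy.jar", "US_export_policy.jar" };

    /** True when the running JRE allows AES keys above the restricted 128-bit cap. */
    static boolean unlimitedStrength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        // The JRE that runs this class may not be the one whose files were replaced.
        File home = new File(System.getProperty("java.home"));
        System.out.println("java.home = " + home);
        System.out.println("max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));

        // Java 5/6 layout: the policy jars are read from lib/security, never from lib/ext.
        String[] dirs = { "lib/security", "lib/ext" };
        for (String dir : dirs) {
            for (String jar : POLICY_JARS) {
                File f = new File(new File(home, dir), jar);
                System.out.println((f.isFile() ? "found   " : "missing ") + f);
            }
        }

        if (unlimitedStrength()) {
            System.out.println("OK: unlimited-strength policy is active.");
        } else {
            System.out.println("Restricted policy: the 'Illegal key size' error "
                    + "reported in the comments can occur when the PFX is opened.");
            System.exit(1);
        }
    }
}
```

Compile and run it with the same java executable that xpisigner.cmd launches, so that the reported java.home is the installation that needs the policy files.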
Comment from kevin
Time August 12, 2007 at 10:12 am
@Jason You need to be in ‘baseDir’ when running xpisigner.
kevin
Comment from Jason
Time August 15, 2007 at 9:28 pm
Kevin,
Thanks for the help - yes that was the problem. Now it works with no problems. Thank you for your excellent tool and responsive support.
Jason
Comment from amok84
Time November 26, 2007 at 4:08 pm
Can anybody explain XPISigner to me in German???
Pingback from o-regan.org » XPISigner - Java cross-platorm xpi signing tool
Time April 10, 2008 at 10:41 pm
[...] XPISigner v1 [...]
Pingback from o-regan.org » Extension signing with XPISigner
Time April 10, 2008 at 10:44 pm
[...] XPISigner v1 [...]
Comment from cesarpachon
Time April 17, 2008 at 12:33 pm
hi, does this tool work with PVK files? I saw one post here which makes an indirect reference to a pvk extension..
Comment from kevin
Time April 17, 2008 at 1:44 pm
Hi, Not directly. You need to convert the pvk and associated certificate(s) to PFX/P12 format to use with the tool. (http://msdn2.microsoft.com/en-us/library/aa906334.aspx)
There’s also a tool to convert; see http://www.drh-consultancy.demon.co.uk/pvk.html
Alternatively if you’ve imported the key/cert into the windows cert store, you may be able to export it as a PFX/P12 file (that’s if you checked the ‘allow export’ box when you imported it).
(Edited to correct the link to pvktool)

Comment from o-regan.org » Firefox XPI Internal Structure
Time April 11, 2007 at 3:34 pm
[...] Let’s take a signed XPI apart and see what’re required to build a tool like XPISigner [...]