XPISigner v1
April 10th, 2008
XPISigner is a command-line tool that simplifies signing Firefox and Thunderbird extensions.
Written in Java and using the Bouncy Castle cryptographic libraries, XPISigner produces signatures compatible with Firefox and Thunderbird.
XPISigner v1.4
(http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
xpisigner.cmd pfxfile password basedir|listfile output
Parameters:
 pfxfile The PKCS#12 file containing your signing credentials.
 password The passphrase for pfxfile.
 basedir Include all files under basedir.
 listfile Include only the files found in listfile.
 output Location to save the signed xpi.
Version 1.4 available now!
Getting an IllegalKeySizeException? See this post.
Sorry about the basic question (not a Java guy), but how to install this addon, I have 3 jars in the zip file, what to do next (I have Java Run time installed)?
Thanks
Dror,
Thanks, looks like I messed up the upload of the 1.1 version.
I’ve uploaded a version that contains a cmd shell script for windows. Once you have that you should be able to just do:
xpisigner.cmd <options>
thanks
kevin
Hi Kevin,
Thanks, this package worked much better
I tried to use the command line but have few questions
The command I’m using
xpisigner.cmd MyKey.pfx "" MyKey xpi\ .
(I have no password to the pfx, maybe that’s the problem?)
1. Although I have directory with all files the command line looked for it in the current directory.
2. After copied the files to current directory I got an exception
Excluding: []
java.lang.NullPointerException
at org.oregan.xpi.XPISigner.sign(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
Exception in thread "main" java.lang.NullPointerException
at java.io.FileOutputStream.write(Unknown Source)
at org.oregan.xpi.XPISigner.saveMessage(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
I meant to say
Thanks, this package worked much better
The questions still remain though
Thanks,
Dror
Hi Dror,
What this tool allows you to do is to sign a firefox extension that you want to distribute.
You’ll need (in no particular order):
a) A firefox extension
b) A code-signing certificate & private key from a Certificate Authority. They should be in PKCS#12 or PFX format.
c) This tool…
At the moment it doesn’t integrate or ‘plug-in’ to firefox, it’s a separate tool used as a step in your extension deployment process.
I’m currently working on a GUI version.
I’ll see if I can get a full walkthrough of the signing process later tonight.
kevin
Added a walkthrough and updated the code to v1.2.
kevin
I am getting an error…
C:\xpi-signer>xpisigner devcert.pfx passwrd C:\xpi-signer\input C:\xpi-signer\output
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size
Hi William,
You’ll need the unlimited strength policy files from the bottom of http://java.sun.com/javase/downloads/index_jdk5.jsp
You copy the 2 jar files from the download to the
jre/lib/security [corrected from jre/lib/ext] folder of your JDK, replacing the ones already there.
regards
kevin
Thanks for the speedy response.
I tried exporting the pvk with less encryption but no change.
Does your Java specifically use 1.5 or can it be 1.6?
Java 5 for the moment, I haven’t done much testing with 1.6 yet so there may be an issue with the BouncyCastle provider and Java 6.
Sun’s download site is down right now, but I’ll check later.
I found that this works ok in both 1.6 and 1.5.
Thanks for resolving the issues with our Developer Cert… we now have an invaluable tool that solves a problem for us. Also, I believe this to be the first time an XPI has been codesigned using Authenticode.
Kevin,
Hi. I’m getting the “unwrapping private key - java.security.InvalidKeyException: Illegal key size” error mentioned above.
I got the US_export_policy.jar and local_policy.jar that you mentioned and pasted them into the jre/lib/ext directory, but those were new files so they didn’t replace anything. Anyway, that didn’t fix the error–I’m still getting it. My Java version is 1.5.0_11.
Do you have any other advice to get this to work? Thanks.
I am very pleased with XPISigner. Signing an XPI file the manual way looks like a total nightmare. At first, I was having a few problems getting XPISigner to work, but Kevin helped me resolve each one of them. I think XPISigner is an invaluable tool, and it makes my work so much easier. And hey, it’s free!
So, if you ever need to sign an XPI file, I would highly recommend XPISigner as your first stop.
Hello,
Seems like I’m having the same issue with the key size. Not sure what I’m doing wrong. I downloaded
the additional 2 jar files and tried again but am still getting this error.
Here is the output I get:
D:\Program Files\Java\jre>d:\xpisigner\xpisigner.cmd d:\mykeys\upromise.pfx "**********" d:\signfiles output.xpi
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan
Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size
D:\Program Files\Java\jre>
Hi John,
What worked for Billy (above) was to import the PFX into IE and then to re-export it and ensure you check the
[ ] Include all certificates in the chain
option.
If that doesn’t work then I’ll follow up with you via email.
kevin
Hi,
This looks like a great program - thanks for the public service. I have been working (laboriously) with the Mozilla tools and I seem to -almost- have it working but your tool is clearly much preferred.
Unfortunately, I have not yet succeeded. After going through the “illegal key size” problem (I updated the Java security files as you suggested and this error went away, I also went through the IE import export with no change in behavior). I now get the following output:
Excluding []
bc
Signing failed:null
The “manifest.mf” and “zigbert.sf” files are also created in my source directory.
I have used the same .pfx I am using here to successfully sign other code using the NSS signtool.exe, so I think my basics are in order. Any ideas what might be going wrong?
Thanks,
Jason
Hi,
I am running also into the same problems as John above (illegal key size even after installing local_policy.jar and US_export_policy.jar into the Java/jre/lib/ext directory).
Is there something else I can try?
BTW, I am using java 1.6.0_02
Thanks,
George.
Wow. I’m just making work for myself.
Where it says put the policy files in jre/lib/ext it should read jre/lib/security.
That way they’ll actually get picked up!
kevin
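A way to check which JRE is in use and whether the policy files took effect when the "Illegal key size" error persists, as an added example that is not part of XPISigner or of the original comments. The class name PolicyCheck is hypothetical; the jar names and the lib/ext and lib/security directories are the ones mentioned in the thread, and the key-length test uses the standard javax.crypto.Cipher.getMaxAllowedKeyLength call.

```java
import java.io.File;
import javax.crypto.Cipher;

// Added diagnostic, not part of XPISigner. Run it with the same "java" that
// xpisigner.cmd invokes, so it reports on the JRE that does the signing.
public class PolicyCheck {

    // Jar names from the unlimited strength policy download named in the thread.
    static final String[] POLICY_JARS = { "local_policy.jar", "US_export_policy.jar" };

    // True when the active policy permits AES keys longer than 128 bits.
    static boolean unlimitedStrength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Counts how many of the policy jars exist in dir, printing each one.
    static int countPolicyJars(File dir) {
        int found = 0;
        for (String name : POLICY_JARS) {
            File jar = new File(dir, name);
            boolean present = jar.isFile();
            if (present) found++;
            System.out.println("  " + jar + (present ? "  [present]" : "  [missing]"));
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        File lib = new File(System.getProperty("java.home"), "lib");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        System.out.println("lib/security (where the policy jars are read from):");
        countPolicyJars(new File(lib, "security"));
        System.out.println("lib/ext (jars copied here are not used as policy files):");
        int misplaced = countPolicyJars(new File(lib, "ext"));

        boolean unlimited = unlimitedStrength();
        System.out.println("Max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));
        if (unlimited) {
            System.out.println("Unlimited strength policy is active in this JRE.");
        } else if (misplaced > 0) {
            System.out.println("Policy jars are in lib/ext; move them to lib/security.");
        } else {
            System.out.println("Limited policy: replace the jars in lib/security.");
        }
    }
}
```

The limited-strength jars that ship in lib/security have the same file names, so their presence alone proves nothing; the key-length line is the deciding result. The java.home line shows whether the JRE being run is the one the files were copied into.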
@Jason You need to be in ‘baseDir’ when running xpisigner.
kevin
Kevin,
Thanks for the help - yes that was the problem. Now it works with no problems. Thank you for your excellent tool and responsive support.
Jason
All I can say is, I’m very impressed…
Can anybody explain the XPISigner to me in German???
hi, does this tool work with PVK files? I saw one post here which does an indirect reference to a pvk extension..
Hi, Not directly. You need to convert the pvk and associated certificate(s) to PFX/P12 format to use with the tool. (http://msdn2.microsoft.com/en-us/library/aa906334.aspx)
There’s also a tool to convert; see http://www.drh-consultancy.demon.co.uk/pvk.html
Alternatively if you’ve imported the key/cert into the windows cert store, you may be able to export it as a PFX/P12 file (that’s if you checked the ‘allow export’ box when you imported it).
(Edited to correct the link to pvktool)
I’m having a problem running xpisigner from a path that contains spaces. For example, if I run it under “C:\some path\xpisigner”, I get the error message:
Unable to access jarfile c:\some
(cuts off right at the space)
Is there a way around this? Or do I have to make sure the path doesn’t include spaces?
@EJS
Editing xpisigner.cmd to wrap the -jar parameter in quotes should do the trick:
Was:
java -jar %~dp0\xpi.jar %1 %2 %3 %4 %5 %6
Change to
java -jar "%~dp0\xpi.jar" %1 %2 %3 %4 %5 %6
kevin