o-regan.org

Codesigning simplified…


XPISigner v1

XPISigner is a command-line tool that simplifies signing Firefox and Thunderbird extensions.
Written in Java and using the Bouncy Castle cryptographic libraries, XPISigner produces signatures compatible with Firefox and Thunderbird.

XPISigner v1.4
(http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan

xpisigner.cmd pfxfile password basedir|listfile output

Parameters:
  pfxfile The PKCS#12 file containing your signing credentials.
  password The passphrase for pfxfile.
  basedir Include all files under basedir.
  listfile Include only the files found in listfile.
  output Location to save the signed xpi.

Version 1.4 available now!

Tutorial

Getting an IllegalKeySizeException? See this post.

Comments

Comment from o-regan.org » Firefox XPI Internal Structure
Time April 11, 2007 at 3:34 pm

[...] Let’s take a signed XPI apart and see what’s required to build a tool like XPISigner [...]

Comment from o-regan.org » XPISigner - Java cross-platform xpi signing tool
Time April 14, 2007 at 1:58 pm

[...] XPISigner - Secure your Firefox Extensions [...]

Comment from dror
Time April 22, 2007 at 3:19 pm

test

Comment from dror
Time April 22, 2007 at 3:19 pm

Sorry about the basic question (not a Java guy), but how do I install this addon? I have 3 jars in the zip file; what do I do next (I have the Java Runtime installed)?

Thanks

Comment from kevin
Time April 22, 2007 at 7:19 pm

Dror,
Thanks, looks like I messed up the upload of the 1.1 version.
I’ve uploaded a version that contains a cmd shell script for Windows. Once you have that you should be able to just do:

xpisigner.cmd <options>

thanks

kevin

Comment from dror
Time April 23, 2007 at 6:37 pm

Hi Kevin,
Thanks, this package worked much better :(

I tried to use the command line but have a few questions.

The command I’m using:
xpisigner.cmd MyKey.pfx "" MyKey xpi\ .

(I have no password for the pfx, maybe that’s the problem?)

1. Although I have a directory with all the files, the command line looked for it in the current directory.

2. After I copied the files to the current directory I got an exception:

Excluding: []
java.lang.NullPointerException
at org.oregan.xpi.XPISigner.sign(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)
Exception in thread "main" java.lang.NullPointerException
at java.io.FileOutputStream.write(Unknown Source)
at org.oregan.xpi.XPISigner.saveMessage(Unknown Source)
at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
at org.oregan.xpi.Main.doSign(Unknown Source)
at org.oregan.xpi.Main.main(Unknown Source)

Comment from dror
Time April 23, 2007 at 6:39 pm

I meant to say
Thanks, this package worked much better :)

The questions still remain, though.
Thanks,
Dror

Comment from kevin
Time April 23, 2007 at 9:22 pm

Hi Dror,

What this tool allows you to do is to sign a Firefox extension that you want to distribute.

You’ll need (in no particular order):
a) A Firefox extension
b) A code-signing certificate & private key from a Certificate Authority. They should be in PKCS#12 or PFX format.
c) This tool…

At the moment it doesn’t integrate or ‘plug-in’ to Firefox, it’s a separate tool used as a step in your extension deployment process.

I’m currently working on a GUI version.

I’ll see if I can get a full walkthrough of the signing process later tonight.

kevin

Comment from Kevin
Time April 23, 2007 at 11:30 pm

Added a walkthrough and updated the code to v1.2.
kevin

Comment from William
Time May 27, 2007 at 3:12 am

I am getting an error…

C:\xpi-signer>xpisigner devcert.pfx passwrd C:\xpi-signer\input C:\xpi-signer\output
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan

Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size

Comment from kevin
Time May 27, 2007 at 7:21 am

Hi William,

You’ll need the unlimited strength policy files from the bottom of http://java.sun.com/javase/downloads/index_jdk5.jsp

You copy the 2 jar files from the download to the ~~jre/lib/ext~~ jre/lib/security folder of your JDK, replacing the ones already there.

regards

kevin

Comment from William
Time May 27, 2007 at 8:29 am

Thanks for the speedy response.

I tried exporting the pvk with less encryption but no change.

Does your Java specifically use 1.5 or can it be 1.6?

Comment from kevin
Time May 27, 2007 at 10:36 am

Java 5 for the moment, I haven’t done much testing with 1.6 yet so there may be an issue with the BouncyCastle provider and Java 6.

Sun’s download site is down right now, but I’ll check later.

Comment from William
Time May 30, 2007 at 7:36 am

I found that this works ok in both 1.6 and 1.5.

Thanks for resolving the issues with our Developer Cert… we now have an invaluable tool that solves a problem for us. Also, I believe this to be the first time an XPI has been codesigned using Authenticode.

Comment from Billy
Time July 6, 2007 at 10:03 pm

Kevin,

Hi. I’m getting the “unwrapping private key - java.security.InvalidKeyException: Illegal key size” error mentioned above.

I got the US_export_policy.jar and local_policy.jar that you mentioned and pasted them into the jre/lib/ext directory, but those were new files so they didn’t replace anything. Anyway, that didn’t fix the error–I’m still getting it. My Java version is 1.5.0_11.

Do you have any other advice to get this to work? Thanks.

Comment from Billy
Time July 20, 2007 at 10:46 pm

I am very pleased with XPISigner. Signing an XPI file the manual way looks like a total nightmare. At first, I was having a few problems getting XPISigner to work, but Kevin helped me resolve each one of them. I think XPISigner is an invaluable tool, and it makes my work so much easier. And hey, it’s free! :) So, if you ever need to sign an XPI file, I would highly recommend XPISigner as your first stop.

Comment from John
Time August 2, 2007 at 7:13 pm

Hello,

Seems like I’m having the same issue with the key size. Not sure what I’m doing wrong. I downloaded the additional 2 jar files and tried again but am still getting this error.

Here is the output I get:
D:\Program Files\Java\jre>d:\xpisigner\xpisigner.cmd d:\mykeys\upromise.pfx "**********" d:\signfiles output.xpi
XPISigner v1.4 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
Copyright 2007 - Kevin O’Regan

Excluding: []
bc
exception unwrapping private key - java.security.InvalidKeyException: Illegal key size

D:\Program Files\Java\jre>

Comment from kevin
Time August 2, 2007 at 8:40 pm

Hi John,

What worked for Billy (above) was to import the PFX into IE and then to re-export it and ensure you check the

[ ] Include all certificates in the chain

option.

If that doesn’t work then I’ll follow up with you via email.

kevin

Comment from Jason
Time August 8, 2007 at 8:29 am

Hi,
This looks like a great program - thanks for the public service. I have been working (laboriously) with the Mozilla tools and I seem to -almost- have it working but your tool is clearly much preferred.

Unfortunately, I have not yet succeeded. After going through the “illegal key size” problem (I updated the Java security files as you suggested and this error went away, I also went through the IE import export with no change in behavior). I now get the following output:

Excluding []
bc
Signing failed:null

The “manifest.mf” and “zigbert.sf” files are also created in my source directory.

I have used the same .pfx I am using here to successfully sign other code using the NSS signtool.exe, so I think my basics are in order. Any ideas what might be going wrong?

Thanks,
Jason

Comment from George necula
Time August 8, 2007 at 10:17 pm

Hi,

I am also running into the same problems as John above (illegal key size even after installing local_policy.jar and US_export_policy.jar into the Java/jre/lib/ext directory).

Is there something else I can try?

BTW, I am using Java 1.6.0_02

Thanks,
George.

Comment from kevin
Time August 8, 2007 at 10:36 pm

Wow. I’m just making work for myself.

Where it says put the policy files in jre/lib/ext it should read jre/lib/security.

That way they’ll actually get picked up!

:(

kevin
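
An added diagnostic, not part of XPISigner or of the original thread, for the “Illegal key size” reports and the chain re-export advice above: it prints which JRE is running, whether the two policy jars sit in lib/security or lib/ext, the effective AES key-length limit, and, given a PFX and passphrase, the certificate-chain length of each key entry. The class name PolicyCheck is hypothetical, and it opens the PFX with the JRE’s built-in PKCS12 keystore rather than Bouncy Castle.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.crypto.Cipher;

// Added diagnostic, not part of XPISigner. Run it with the same JRE that
// xpisigner.cmd uses:  java PolicyCheck [pfxfile password]
public class PolicyCheck {
    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println(System.getProperty("java.version") + " at " + home);

        // Show where the two policy jars actually are in this JRE.
        String[] jars = { "local_policy.jar", "US_export_policy.jar" };
        String[] dirs = { "security", "ext" };
        for (int d = 0; d < dirs.length; d++) {
            for (int j = 0; j < jars.length; j++) {
                String rel = "lib/" + dirs[d] + "/" + jars[j];
                System.out.println(rel + ": " + (new File(home, rel).isFile() ? "present" : "absent"));
            }
        }

        // Effective limit: 128 for AES under the limited policy,
        // Integer.MAX_VALUE once the unlimited policy is in effect.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES max key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        if (args.length < 2) return;
        // Open the PFX with the JRE's built-in PKCS12 keystore (an assumption:
        // XPISigner itself uses Bouncy Castle) and report each key's chain.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("key entry '" + alias + "': chain length "
                    + (chain == null ? 0 : chain.length));
        }
    }
}
```

A limit of 128 bits means the unlimited-strength policy files are not in effect for that JRE; a chain length of 1 means the PFX holds only the signing certificate.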

Comment from kevin
Time August 12, 2007 at 10:12 am

@Jason You need to be in ‘baseDir’ when running xpisigner.

kevin

Comment from Jason
Time August 15, 2007 at 9:28 pm

Kevin,

Thanks for the help - yes that was the problem. Now it works with no problems. Thank you for your excellent tool and responsive support.

Jason

Comment from sega gningue
Time August 18, 2007 at 6:51 am

All I can say is, I’m very impressed…

Comment from amok84
Time November 26, 2007 at 4:08 pm

Can anybody explain XPISigner to me in German???

Pingback from o-regan.org » XPISigner - Java cross-platform xpi signing tool
Time April 10, 2008 at 10:41 pm

[...] XPISigner v1 [...]

Pingback from o-regan.org » Extension signing with XPISigner
Time April 10, 2008 at 10:44 pm

[...] XPISigner v1 [...]

Comment from cesarpachon
Time April 17, 2008 at 12:33 pm

Hi, does this tool work with PVK files? I saw one post here which makes an indirect reference to a pvk extension.

Comment from kevin
Time April 17, 2008 at 1:44 pm

Hi, not directly. You need to convert the pvk and associated certificate(s) to PFX/P12 format to use with the tool. (http://msdn2.microsoft.com/en-us/library/aa906334.aspx)

There’s also a tool to convert; see http://www.drh-consultancy.demon.co.uk/pvk.html

Alternatively, if you’ve imported the key/cert into the Windows cert store, you may be able to export it as a PFX/P12 file (that’s if you checked the ‘allow export’ box when you imported it).

(Edited to correct the link to pvktool)
