Download

April 11th, 2008

Download XPISigner v1.6

XPISigner v1.6 - 01 Oct 2007
Archives the specified files and signs the archive using your digital id.
Signed archives are compatible with Firefox and Thunderbird   

xpisigner keystore.pfx password basedir output.xpi
xpisigner keystore.pfx password listing.txt output.xpi 

 keystore.pfx  The PFX/PKCS#12 file containing your signing credentials.
 password      The passphrase for pfxfile.
 basedir       Include all files under basedir.
 listfile      Include only the files found in listfile. The files are
               assumed to be located relative to the current directory.
 output.xpi    Filename for the signed xpi file.

Any signature files in META-INF/ will be overwritten.         

Copyright 2007 - Kevin O'Regan (http://o-regan.org)

Change Log

Version 1.6

  • Fixed FileNotFound exception for xpi output file that doesn’t exist (yet). XPISigner now creates the file entry so the jar operation can use it.
  • Updated the unix script
  • Readme now correctly refers to the unix script as xpisigner.sh

Version 1.5

  • Updated the readme.txt in the zip to the latest version.
  • Some VMs displayed FileNotFound exceptions when the META-INF folder didn’t exist. Added explicit checks; folders are now created as required.
  • Removed some debugging statements, e.g., “bc”, from the output.
  • When running from a folder other than the baseDir, the value of baseDir needed to be fully qualified. Now you can use relative paths, e.g., ..\..\src
  • Some PFX files fail to load and cause an “IllegalKeySize” exception. This is still being investigated.

Version 1.4

  • You no longer need to run the program from the directory you want to add to your XPI.
  • If a certificate chain was attached to a private key, only the end certificate would be added to the signer info in the XPI. This prevented Firefox from verifying extensions signed with multi-level certificate chains.

Version 1.3

  • Automatically exclude the output file if it is in the base directory. Not excluding it resulted in xpisigner trying to include it in itself.
  • More error detection and exception handling
  • Added Unix shell script for running the program.

Version 1.2

  • Internal refactoring to improve the file listing algorithm
  • Added Windows batch script to run the program.
  • Added readme.txt and improved the distribution layout

Version 1.0

  • Initial release.
  1. Laurent Birtz
    September 24th, 2007 at 20:04 | #1

    XPISigner v1.5 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
    Copyright 2007 – Kevin O’Regan

    Excluding: [META-INF/zigbert.rsa, META-INF/zigbert.sf, META-INF/manifest.mf]
    java.lang.NullPointerException
    at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
    at org.oregan.xpi.Main.doSign(Unknown Source)
    at org.oregan.xpi.Main.main(Unknown Source)
    Exception in thread “main” java.lang.NullPointerException
    at org.oregan.xpi.Main.doSign(Unknown Source)
    at org.oregan.xpi.Main.main(Unknown Source)

  2. Laurent Birtz
    September 24th, 2007 at 20:05 | #2

    It would be helpful to have the source code to find out where the problem lies.

    By the way, the ‘xpisigner’ file mentioned in the README file doesn’t exist.

  3. Laurent Birtz
    September 24th, 2007 at 20:10 | #3

    If anyone encounters the error above: (under UNIX) ‘touch’ the output.xpi file. The program will say ‘Overwriting: output.xpi’ and it will create the archive.

  4. kevin
    September 24th, 2007 at 20:39 | #4

    Hi Laurent,
    Thanks for the feedback, I haven’t had very many unix (I presume linux?) users yet so that side is a bit underdeveloped.

    I’ll take a look at the error you reported, I haven’t seen the same behaviour on windows.

    kevin

  5. Laurent Birtz
    September 24th, 2007 at 20:51 | #5

    Hello kevin,

    Yes, I’m using Linux.

    Another problem:

    exception decrypting data – java.security.InvalidKeyException: Illegal key size

    The problem seems to be based on the length of the password I give to my PKCS12 file. A password with 6 or 7 characters works, a password with 8 characters or greater does not work.

  6. kevin
    September 24th, 2007 at 21:07 | #6

    Hi Laurent,
    Unfortunately that seems to be a BouncyCastle issue. I’ll add it in as a known issue.

    I have a version of xpisigner that uses the Firefox certstore and the NSS libraries.

    I’ll see if I can get it uploaded later tonight. I just need to get it off my laptop and check I have the right linux libs.

    I can test on Ubuntu 32bit with 2.6 kernel, is that similar enough to you?

    kevin

  7. Laurent Birtz
    September 24th, 2007 at 21:21 | #7

    Hello kevin,

    I’m on Debian with 2.6 kernel, so it’s almost the same setup. You’ll probably have the same error on several UNIX systems anyway.

    Good work getting Firefox’s certstore and the NSS libraries to work properly. I just spent a day trying (unsuccessfully) to make them sign my extension. Thanks a lot for your tool!

  8. Laurent Birtz
    September 24th, 2007 at 22:37 | #8

    Another problem:

    when the XPI archive is built, the permissions of the files are not preserved. In my case this means that UNIX executables are no longer executable and that makes the extension unusable.

  9. kevin
    September 24th, 2007 at 22:39 | #9

    Hi Laurent,

    http://o-regan.org/releases/xpisigner2.0beta.linux_x86.zip

    Instead of the location of your pfx the first command line parameter should be the location of your firefox profile
    e.g. ~/.mozilla/firefox/6k9i1ild.default

    The second parameter is the password for the security store.

    This build should also fix the NullPointerException when the output file doesn’t exist.

    example command line:

    ./xpisigner.sh ../.mozilla/firefox/6k9i1ild.default/ password /home/koregan/xpisigner/ google-toolbar-win.xpi

    kevin

  10. kevin
    September 24th, 2007 at 22:57 | #10

    Re: losing the exec flag.

    Unfortunately that’s something that java can’t do yet. :(

    What you can do is:

    a) Run xpisigner to generate the signatures and the output xpi
    b) Delete the output xpi
    c) Use unix ZIP to create another output xpi by storing the input folder.

    ZIP on unix will preserve the exec flag.

    kevin

  11. Laurent Birtz
    September 24th, 2007 at 22:59 | #11

    I’m already fixing my build script to do this. Thank you.

  12. kevin
    September 24th, 2007 at 23:06 | #12

    You may need to give ZIP an inclusion file list and make sure that META-INF/zigbert.rsa is the first file in the archive

    e.g. zip outfile.xpi -i@include.lst

    Where include.lst is a file listing all the files you want in the archive.

    See http://o-regan.org/2007/04/11/firefox-xpi-internal-structure/ for the reasoning.

    kevin
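
The repack step from comments #10 and #12, as an added example that is not part of the original thread or XPISigner's own code: it uses Python's zipfile module in place of the unix zip command, and assumes XPISigner has already written the META-INF signature files into the input folder. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
import zipfile

FIRST_ENTRY = "META-INF/zigbert.rsa"  # must be the first archive entry (comment #12)

def repack_xpi(src_dir, out_path):
    """Zip src_dir into out_path with FIRST_ENTRY first, keeping Unix mode bits."""
    out_abs = os.path.abspath(out_path)
    names = []
    for root, _dirs, files in os.walk(src_dir):
        for f in files:
            full = os.path.join(root, f)
            if os.path.abspath(full) != out_abs:  # never pack the archive into itself
                names.append(os.path.relpath(full, src_dir).replace(os.sep, "/"))
    if FIRST_ENTRY not in names:
        raise FileNotFoundError(FIRST_ENTRY + " missing: sign before repacking")
    names.remove(FIRST_ENTRY)
    ordered = [FIRST_ENTRY] + sorted(names)
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ordered:
            # write() stores st_mode in external_attr; file contents are untouched
            zf.write(os.path.join(src_dir, name), arcname=name)
    return ordered

def inspect_xpi(path):
    """Return (name of first entry, {entry name: Unix permission bits})."""
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
        modes = {i.filename: stat.S_IMODE(i.external_attr >> 16) for i in infos}
        return infos[0].filename, modes

def demo():
    """Constructed sample tree: placeholder signature files and one executable."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ext")
        os.makedirs(os.path.join(src, "META-INF"))
        os.makedirs(os.path.join(src, "bin"))
        for rel in ("META-INF/zigbert.rsa", "META-INF/zigbert.sf",
                    "META-INF/manifest.mf", "install.js", "bin/helper"):
            with open(os.path.join(src, rel), "w") as fh:
                fh.write("placeholder for " + rel + "\n")
        os.chmod(os.path.join(src, "bin", "helper"), 0o755)
        repack_xpi(src, os.path.join(tmp, "output.xpi"))
        return inspect_xpi(os.path.join(tmp, "output.xpi"))

if __name__ == "__main__":
    print(demo())
```

Running `inspect_xpi` on the final archive before shipping confirms both properties the thread cares about: the signature block leads the archive and executables keep their exec flag.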

  13. Laurent Birtz
    September 25th, 2007 at 00:48 | #13

    I’ve finished implementing the workaround for the permissions. Your tool is adequate for my needs – my extension is now signed and fully working. Thank you.

    I’ve tried the version you sent me. I couldn’t get it to work unfortunately.

    Exception in thread “main” java.lang.UnsatisfiedLinkError: libjss4.so: Can’t load IA 32-bit .so on a IA 32-bit platform
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1751)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1676)
    at java.lang.Runtime.loadLibrary0(Runtime.java:822)
    at java.lang.System.loadLibrary(System.java:993)
    at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1339)
    at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:827)
    at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:800)
    at org.oregan.xpi.jss.XPISignerImpl.sign(Unknown Source)
    at org.oregan.xpi.XPISigner.generateXPI(Unknown Source)
    at org.oregan.xpi.Main.doSign(Unknown Source)
    at org.oregan.xpi.Main.main(Unknown Source)

    I copied some of the *.so from the NSS package I’ve compiled myself, but I don’t know where libjss4.so is. If you want me to, I can try to hunt it out.

    Note that it would be great if xpisigner did not depend on the NSS tools. Getting those tools to work is challenging. I prefer the problem with the password length, if I have to choose between that problem and using the NSS tools. :)

  14. kevin
    September 25th, 2007 at 15:12 | #14

    I think that was the script.

    It should have set LD_LIBRARY_PATH to the directory xpisigner was in and not passed -Djava.library.path=. to the vm.

    I’ll look at the password length issue again. What application generated your p12?

    thanks

    kevin

  15. Laurent Birtz
    September 25th, 2007 at 16:13 | #15

    You were right about LD_LIBRARY_PATH. I’ve set it manually.
    The output is:

    XPISigner v2.0 (http://o-regan.org/xpisigner-secure-your-firefox-extensions)
    Copyright 2007 – Kevin O’Regan

    Excluding: [META-INF/zigbert.rsa, META-INF/zigbert.sf, META-INF/manifest.mf]
    jss
    e = org.mozilla.jss.crypto.ObjectNotFoundException
    Generated XPI…
    Filename: /foo/output.xpi
    Size: 2 kb
    Created at: Tue Sep 25 11:09:17 EDT 2007
    Signed by:
    Num entries: 4
    Done.

    Notice that there is an exception thrown. Nevertheless the processing appears to work correctly. I confirm that the bug about output.xpi not being created is resolved.

    I am using ‘openssl pkcs12’ to create my pkcs12 file. The file contains 3 certificates and one private key.

  16. kevin
    September 25th, 2007 at 16:58 | #16

    I’ll remove the extra output.

    The exception occurs when looking for a private key to match a certificate. NSS doesn’t give you a list of nicknames so you have to list the certs and see which have private keys.

    The CA certs don’t and that exception message is displayed. It’s harmless and will be removed.

    Signed by: is blank. Did it do that, or did you remove it for the comment?

    kevin

  17. Laurent Birtz
    September 25th, 2007 at 17:46 | #17

    The signed by: ‘blank’ is me. I had replaced the text by angle bracket snip angle bracket when I wrote the comment, but it was removed by the formatting software. The output I got is correct.

    Thanks

  20. October 9th, 2007 at 18:57 | #20

    [...] brought this up recently in the comments on the XPISigner download page. He ran into an issue signing his Firefox Linux plug-in with XPISigner. Some files were no longer [...]

  21. July 9th, 2008 at 22:09 | #21

    Hi Kevin

    Back again… and have a wee problem. Need to update our plugin and re-sign. Before updating the plugin I tried running the setup that we had used last time. Nothing has changed on the computer, files are the same and cmd line is the same. But when I ran it on the old setup I am now getting this error…

    Starting scan of files…
    install.js
    MD5 7408D9595F7F007F8ADC88FF52D2393C
    SHA-1 EFCF4A13C5B26F5B00A7FF359AEE08E57E9233A7

    npCopysafe35.dll
    MD5 30E93CA2F2B3D06CDDBBE979D9A7C74F
    SHA-1 ED7AADE897455F2A0F2955FD46AB7342AACE57F7

    Saving manifest file…done.
    Saving signature file…done.
    Loading credential and signing …exception unwrapping private key – java.security.InvalidKeyException: Illegal key size

    ====================================

    The only thing that may have changed is Java being updated to 1.6 which apparently has caused a lot of problems for a lot of developers.

    So the question is how to fix it? Was using version 1.3. Will version 1.6 resolve the problem?

  22. July 9th, 2008 at 23:30 | #22

    Same problem with version 1.6… “illegal key size”.

  23. July 10th, 2008 at 01:42 | #23

    Found this but still no further clues as to how to fix…

    You do not have the *unlimited strength* local_policy.jar and
    US_export_policy.jar files installed. The ones that come with your JDK
    download from Sun are the “strong” policy files, not the “unlimited”
    policy files.

  24. July 10th, 2008 at 02:40 | #24

    Updating to “strong” policy files did not resolve the problem, in fact it got worse. Now xpi-signer won’t run at all.

  25. December 28th, 2008 at 17:59 | #25

    I have been successfully using XPISigner 1.6 with a Comodo certificate for almost a year. Recently, we changed over to a GoDaddy code signing cert. Now, XPISigner appears to run fine, however, when attempting to install the extension into Firefox, I get the following error:

    SIgning could not be verified. -260

    Further detail of the extension install error is:
    Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

    Another possible clue… when I look at the zigbert.sf file, I see something curious:
    Signature-Version: 1.0
    Created-by: XPISigner
    XPI-Signer-Version: 1.4 (free) http://o-regan.org

    I am using 1.6, and that is what the command line says also, but the contents of this file say 1.4. I installed 1.5 just to be certain, and 1.5 says 1.5 in the zigbert.sf file as it should. Problem with the 1.6 package?

    Anyhow, thanks for creating this tool, and any light that you could shed on this would be greatly appreciated.

  26. January 7th, 2009 at 11:48 | #26

    Looks like the Intermediate CA certificate from GoDaddy isn’t in the shipping firefox cert store.

    There’s no real workaround for that unless you find a more compatible CA.
