How do you sign your Firefox extensions?

Question

I have developed a couple of extensions for Firefox, and am annoyed that it is so hard to get the extension signed. When an extension isn't signed, it says "Author not verified" when it is installed, and to me that just looks wrong.

I have a simple build script that builds my .xpi file from sources, and I have a licenced copy of PKZip (which according to a number of tutorials is required to build a signed xpi file that Firefox requires), but I haven't found a way to get a free/cheap certificate that actually works or a set of instructions that do the trick.

Since my extensions are free, I don't want to spend $400 on a commercial certificate, but I don't mind spending $50 or so to get it done. I have both Linux and Windows machines, although my build script currently uses Windows and that would be most convenient to use.

How have you solved this? What do I need to do to automatically and securely sign my extensions when they are built?

Edit: I appreciate the Google hits, but the steps they provide aren't complete enough on how to actually get a certificate that works. The feeling I get reminds me of this classic:

Answer 1

I've used the comodo certificate to sign XPIs. It was the cheapest option at the time.

I've written a few posts on the XPI Format and a howto for signing using a java commandline tool.

My tool XPISigner simplifies the process considerably and is integratable into build systems.

I've removed the tool as it no longer works with FF4 or higher. Source is available on http://code.google.com/p/xpisigner/ if anyone feels like fixing.

Answer 2

Avoid the GoDaddy codesigning certs as the necessary intermediate CA certificate isn't in Firefox by default. C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\,Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,SERIALNUMBER=07969287'

If you sign with it your users will get signing errors with it.

e.g.

SIgning could not be verified. -260

Answer 3

What I found with Google was this: http://www.mercille.org/snippets/xpiSigning.php which states:

If you don't want a commercial certificate or can't afford one, Ascertia can provide you with a free certificate, but turning it into a code signing certificate requires some extra work, which I have detailed on another page.

I can't say that I've tried it. And on http://developer.mozilla.org/en/Signing_a_XPI it says:

The cheapest universally supported (Mozilla, Java, Microsoft) certificate seems to be the Comodo Instant-SSL offering. You can get a free certificate for open-source developers from Unizeto Certum, but their root certificate is only present in Mozilla Firefox and Opera (not Java or Microsoft).

Answer 4

Yes, XPI signing is unfortunately quite untrivial. I would advise searching/posting to the mozilla newsgroups (dev-extensions, project owners @ mozdev, irc.mozilla.org) and also trying to get in touch with the people who got it to work.

Answer 5

Tucows sells Comodo code signing certificates for $75 per year, that's as cheap as it goes from what I can tell (https://author.tucows.com/, "Code Signing Certificates" section). That's still too much money for me to spend so I didn't try how it works. Not that I can try, from what I can tell you need to be a registered organization to buy a Comodo certificate.

As to Ascertia, getting a certificate is easy enough (http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx) - but such a certificate is as worthless as a self-issued certificate because you would need to import their root certificate before seeing an effect.

Answer 6

If you have an Open Source project, you can get a free code signing certificate from Unizeto.

The steps to get the certificate itself are described in detail here.

Once you have the certificate, do the following:

• get the private key from your browser (e.g. download it as .p12 from your keychain - do not set a password) and convert it into PEM format via openssl pkcs12 -in key.p12 -nodes -out private.key -nocerts

• Open your .pem file that you downloaded from Unicert, add your private key beneath it, and the Public Key of Certum Level III CA from here beneath the private key, so it looks like this:

  -----BEGIN CERTIFICATE----- [your certificate from Certum] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [the private key you just converted from the .p12 file from your keychain] -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- [the Certum Level III CA public key you just downloaded] -----END CERTIFICATE-----

• Save this file as cert_with_key_and_ca.pem
• Install xpisign.py with pip install https://github.com/nmaier/xpisign.py/zipball/master
• Run xpisign -k cert_with_key_and_ca.pem unsigned.xpi signed.xpi
• Drag & Drop the signed.xpi into Firefox and you should see the author name where before there was a (Author not verified) message next to the extension name.