Netscape Code Signing -- Specifically Signing an XPI file
THIS FILE IS OUT OF DATE. I never finished writing this tutorial. It's half my own notes and half tutorial.

You need:

  1. Network Security Services (NSS) - http://www.mozilla.org/projects/security/pki/nss/
    Downloaded at http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ -- browse to the highest version number (usually the last directory in the listing) and pick the build for your OS. As of this writing the most current version to use on Windows 2000 or XP is
    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_RTM/WINNT5.0_OPT.OBJ/nss-3.9.zip
  2. Netscape Portable Runtime(NSPR) - http://www.mozilla.org/projects/nspr/
    Downloaded at http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/ -- once again pick the highest version number and the build for your OS. As of this writing the most current version to use on Windows 2000 or XP is
    http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.4.1/WINNT5.0_OPT.OBJ/nspr-4.4.1.zip
  3. Info-ZIP command line Zip tool. http://www.info-zip.org/pub/infozip/Zip.html
    This is the same zip tool that ships with most Linux distributions. Install zip.exe into your C:\WINDOWS or SYSTEM32 folder so it is on the PATH.
  4. (Optional) Patched Signtool for automatic signed archive creation.

Now the tricky part: installing them. When unzipped, each package contains three sub-directories: bin, include and lib. signtool.exe lives in the NSS bin directory but needs the NSS and NSPR DLLs from both lib directories at run time, so to run it from anywhere copy the contents of both bin and lib folders (NSS and NSPR) into C:\WINDOWS (C:\WINNT) or C:\WINDOWS\SYSTEM32. Alternatively, copy the files from the NSPR lib directory into the NSS lib directory and run everything from a command prompt opened in the NSS bin folder (that's what I did when I first started experimenting).

Now you can run signtool.exe from the command line. Next we need the path to our certificate databases. Search your computer for cert8.db; the databases are stored in your browser's profile folder, together with key3.db (which holds the private key you will sign with) and secmod.db.
Mozilla keeps them in C:\Documents and Settings\<Windows Username>\Application Data\Mozilla\Profiles\<Profile Name>\<Weird Characters.something>\
Firefox keeps them in C:\Documents and Settings\<Windows Username>\Application Data\Mozilla\Firefox\Profiles\<Profile Name.something>\

For the sake of convenience I just copy cert7.db (older profiles), cert8.db, key3.db and secmod.db to the code signing directory. It's a lot easier to type

signtool -d ./
than
signtool -d "C:\Documents and Settings\<Windows Username>\Application Data\Mozilla\Firefox\Profiles\<Profile Name.something>\"

Remember that the copy of key3.db is a second copy of your signing key, so keep that directory as well protected as the profile and delete the copy when you are done.

Now that we have our databases located we can start signing. There are a few ways to do this. You can sign a directory and package the result into a .jar in one go with something like this

signtool -d "path to databases" -k "Friendly Cert Name" -p "Private Key Password" -Z "Jar Filename.jar" directory_to_be_zipped_and_signed

Note that -p puts the private key password on the command line in plain text, where it ends up in your command history and is visible to other processes on the machine. If you leave -p off, signtool prompts for the password instead, which is the better habit for anything but a throwaway test key.

You can verify your file with a variation of this command.
This first one verifies the signatures and digests in the archive
signtool -d "path to databases" -v "Jar Filename.jar"
This one displays the certificate information of whoever signed it
signtool -d "path to databases" -w "Jar Filename.jar"

Since we are concentrating on XPI files it gets even more fun.

We have a directory called c:\codesigning\firefox_extension\ . This directory contains all the code for the extension we wish to sign. It should look something like

firefox_extension\
		install.js
		extensionfolder\
		  content\
		    contents.rdf
		    files.xul
		    files.js
		  skin\
		    contents.rdf
		    files.css
		  locale\
		    contents.rdf
		    extension.dtd

I normally create a .jar file of the main extension code folder (extensionfolder above) so the XPI holds just two files, install.js and extension.jar. That jar can be created with signtool -Z as shown above.

When installing an XPI file, Mozilla based applications expect the first entry in the .xpi to be META-INF/zigbert.rsa. signtool generates that file (along with META-INF/manifest.mf and META-INF/zigbert.sf) when it signs a directory, but zip writes entries in whatever order it walks the tree, so we must create the XPI file in parts.

Part 1. Sign the files.
From the command prompt in the codesigning directory we run the signtool without the .jar file creation.

C:\codesigning>signtool -d "path to databases" -k "Friendly Cert Name" -p "Private Key Password" firefox_extension\

Part 2. Create the .xpi file starting with META-INF/zigbert.rsa .

C:\codesigning>cd firefox_extension

C:\codesigning\firefox_extension>zip extension.xpi META-INF/zigbert.rsa

Part 3. Add the rest of the signed files to the XPI file.

C:\codesigning\firefox_extension>zip -r -D extension.xpi * -x META-INF/zigbert.rsa

Here's a bit of a breakdown.
  zip -r                     recurse into sub-directories
  -D                         do not add entries for the directories themselves
  extension.xpi *            add everything in the current directory to extension.xpi
  -x META-INF/zigbert.rsa    exclude META-INF/zigbert.rsa, since it is already in the archive

Part 4: Move the created .xpi back up a level, where the databases are, and test it.

C:\codesigning\firefox_extension>move extension.xpi ..

C:\codesigning\firefox_extension>cd ..

C:\codesigning>signtool -d ./ -v extension.xpi

If you don't get any errors throughout all of this you are lucky and followed the directions. If you did get errors, look back through the directions; this is everything I learned to get it right. Now all you have to do is drag and drop the XPI file onto Mozilla or Firefox and it should be flagged as signed.
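The two zip steps above exist only to force the entry order. Here is the same assembly, together with the check you would want before shipping: read the first local file header of the archive and confirm it names META-INF/zigbert.rsa. This is an added example and not code from the tutorial; it uses Python's zipfile module in place of Info-ZIP, the signing itself is still done by signtool beforehand, and the demo directory is constructed with placeholder META-INF files rather than real signatures. It also builds the archive the naive way (one zip of everything) to show what the check rejects.

```python
"""Assemble an XPI with META-INF/zigbert.rsa as its first entry and check it.

Added example, not part of the original tutorial. The META-INF files in the
demo directory are placeholders, not output from signtool.
"""
import os
import struct
import tempfile
import zipfile

SIG_FILE = "META-INF/zigbert.rsa"
LOCAL_FILE_HEADER_SIG = 0x04034B50  # "PK\x03\x04"


def _members(signed_dir):
    """Sorted (archive name, path) pairs for every file under signed_dir."""
    members = []
    for root, _dirs, files in os.walk(signed_dir):
        for name in files:
            full = os.path.join(root, name)
            arc = os.path.relpath(full, signed_dir).replace(os.sep, "/")
            members.append((arc, full))
    return sorted(members)


def build_xpi(signed_dir, xpi_path):
    """Zip signed_dir into xpi_path, SIG_FILE first, no directory entries.

    Mirrors:  zip x.xpi META-INF/zigbert.rsa
              zip -r -D x.xpi * -x META-INF/zigbert.rsa
    Returns the member names in the order they were written.
    """
    members = _members(signed_dir)
    sig = [m for m in members if m[0] == SIG_FILE]
    if not sig:
        raise FileNotFoundError(f"{SIG_FILE} missing; run signtool on {signed_dir} first")
    ordered = sig + [m for m in members if m[0] != SIG_FILE]
    with zipfile.ZipFile(xpi_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for arc, full in ordered:
            zf.write(full, arc)  # files only, like zip -D
    return [arc for arc, _ in ordered]


def first_entry_name(xpi_path):
    """Name stored in the local file header at offset 0 of the archive.

    Header layout: signature(4) version(2) flags(2) method(2) time(2) date(2)
    crc(4) csize(4) usize(4) name_len(2) extra_len(2) = 30 bytes, then the name.
    """
    with open(xpi_path, "rb") as f:
        header = f.read(30)
        if len(header) < 30 or struct.unpack("<I", header[:4])[0] != LOCAL_FILE_HEADER_SIG:
            raise ValueError("no local file header at offset 0")
        name_len = struct.unpack("<H", header[26:28])[0]
        return f.read(name_len).decode("utf-8")


def signature_is_first(xpi_path):
    """The ordering check: is the RSA signature block the first entry?"""
    return first_entry_name(xpi_path) == SIG_FILE


def make_demo_dir(base):
    """Constructed stand-in for a directory signtool has already signed."""
    files = {
        "install.js": b"// install script\n",
        "extension.jar": b"PK placeholder jar\n",
        "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
        "META-INF/zigbert.sf": b"Signature-Version: 1.0\n",
        "META-INF/zigbert.rsa": b"placeholder PKCS#7 signature block",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return base


def demo():
    """Build the XPI both ways and report what the ordering check says."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_demo_dir(os.path.join(tmp, "firefox_extension"))
        good = os.path.join(tmp, "extension.xpi")
        order = build_xpi(src, good)

        # Naive archive: plain sorted order, the equivalent of a single
        # "zip -r extension.xpi *". META-INF/manifest.mf sorts first.
        naive = os.path.join(tmp, "naive.xpi")
        with zipfile.ZipFile(naive, "w", zipfile.ZIP_DEFLATED) as zf:
            for arc, full in _members(src):
                zf.write(full, arc)

        return {
            "order": order,
            "good_first": first_entry_name(good),
            "good_ok": signature_is_first(good),
            "naive_first": first_entry_name(naive),
            "naive_ok": signature_is_first(naive),
        }


if __name__ == "__main__":
    print(demo())
```

The check reads the raw local file header rather than the central directory on purpose: the central directory lists entries in the order they were added too, but "first entry in the archive" means the first bytes after offset 0, which is what an installer that seeks the signature block before anything else actually sees.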
