Signing an extension

Note: These instructions are outdated. For an extension to work in Firefox it must be signed by Mozilla, not by yourself. See Signing and distributing your add-on.

This article describes how to digitally sign your extension for Firefox and Thunderbird with a code signing certificate issued for Object Signing. The same steps apply to themes and to any other add-on packaged as an XPI file.

These instructions assume you're working on a Mac and already have a valid code signing certificate from a CA.

Get the signing tool

Signing is done with the NSS command-line tools (certutil, pk12util and signtool). They are easily installed with MacPorts, which prefixes the binaries with nss- (nss-certutil, nss-pk12util, nss-signtool), as used in the commands below.

sudo port install nss

Export your certificate

If your certificate is installed in Firefox, export it by following the steps below. (The certificate the author purchased from VeriSign was installed directly into Firefox, which is the case covered here.)

  1. Click the Firefox button and select Options.
  2. In the Options window, open the Advanced panel, then select the Encryption tab.
  3. Click View Certificates.
  4. In the Certificate Manager, select the Your Certificates tab.
  5. Select your organization's certificate and click Backup.
  6. Enter the file name, e.g. codesign.p12.
  7. Enter the password to protect your certificate backup and click OK.
  8. The PKCS #12 (.p12) file is written to the location you chose. It contains your private key, so keep it off shared storage and delete it once it has been imported into the signing database.

Create a certificate database

First, create a certificate database that will be used for signing.

mkdir keystore
cd keystore
nss-certutil -N -d .

You will be asked to set a password for the new database. Use a strong one: this password protects the private key you are about to import. certutil creates cert8.db, key3.db and secmod.db in the directory. Next, import your certificate; you will be prompted for the database password and then for the password you set on the P12 backup.

nss-pk12util -i codesign.p12 -d .

Show the certificate list in your database.

nss-certutil -L -d .

Set the trust for the root and intermediate certificates. The -t argument takes three comma-separated trust fields, for SSL, email and object signing respectively; a C in the third field marks the entry as a trusted CA for object signing, which is what signtool needs when it builds the chain from your certificate to the root. Here is an example for a VeriSign chain; substitute the nicknames that -L printed for your own CA:

nss-certutil -M -n "Verisign Class 3 Public Primary Certification Authority" -t "C,C,C" -d .
nss-certutil -M -n "VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign, Inc." -t "C,C,C" -d .
nss-certutil -M -n "VeriSign Class 3 Code Signing 2010 CA - VeriSign, Inc." -t "C,C,C" -d .

Listing the database again with -L should now show C,C,C in the trust column for each CA entry and u,u,u for your own certificate (u marks a certificate whose private key is present). The database is then ready for signing.

Sign

The basic usage of the signing tool is as follows (-X produces an XPI-compatible archive and -Z names the output file):

nss-signtool \
 -d (path to the directory that contains your certificate database files) \
 -k (your certificate nickname) \
 -p (your certificate password) \
 -X -Z (output path/name of signed file) \
 (path to your extension working directory that contains
   chrome directory, chrome.manifest file, install.rdf file, etc.)

Do not hard-code the password in the script. For production, prompt for it at run time instead: read -s keeps it from being echoed to the terminal, and quoting the variable keeps a password containing spaces or shell metacharacters intact.

#!/bin/bash
printf 'Enter password for Object Signing: '
read -r -s MYPASSWORD
echo
nss-signtool \
 -d /Volumes/Codesign/keystore \
 -k "My Company's VeriSign, Inc. ID" \
 -p "$MYPASSWORD" \
 -X -Z ~/Desktop/MyExtension/dest/MyExtension-1.0.xpi \
 ~/Desktop/MyExtension/source
unset MYPASSWORD

Note that -p still passes the password as a command-line argument, so while signtool runs it is visible to other local users in the process list (ps). Only sign on a machine you control.

Then a signed XPI file will be generated.

Verify

Drag and drop the XPI file into the content area of Firefox. The installation dialog shows your organization name, taken from the signing certificate, next to the file name; an unsigned or tampered XPI shows "Author not verified" instead. You can also check the archive from the command line against the same database: nss-signtool -v MyExtension-1.0.xpi -d /Volumes/Codesign/keystore verifies the signature and the digest of every file in the archive, and -w in place of -v prints the name of the signer.
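The signed XPI that signtool -X writes is a ZIP archive whose META-INF/ directory holds manifest.mf (a digest section per file), zigbert.sf (digests of manifest.mf and of its sections) and zigbert.rsa (the PKCS#7 signature over zigbert.sf); Firefox of that era also required zigbert.rsa to be the first entry in the archive. The following script is an added example, not code from the page or from Mozilla: it rebuilds that layout from constructed sample files and checks the ordering and the digest chain offline, which is the part of verification you can do without the certificate database. It does not verify the PKCS#7 signature or the certificate chain (nss-signtool -v does that), and the exact header names and the SHA1-only digests are this example's assumptions rather than a byte-exact copy of signtool's output.

```python
"""Layout and digest check of a signed XPI (added example; not code from the page).

Rebuilds the META-INF/ layout (manifest.mf, zigbert.sf, zigbert.rsa) from
constructed sample files and checks entry order and the digest chain only.
The PKCS#7 signature is not verified here (nss-signtool -v does that); the
header names and SHA1-only digests are this example's assumptions.
"""
import base64
import hashlib
import io
import zipfile

# Constructed sample extension contents (not a real add-on).
SAMPLE_FILES = {
    "install.rdf": b"<RDF>constructed sample install manifest</RDF>\n",
    "chrome.manifest": b"content myext chrome/content/\n",
    "chrome/content/main.js": b"// constructed sample script\n",
}
FAKE_RSA = b"PLACEHOLDER-PKCS7-SIGNATURE"  # stands in for the real blob; not a signature

def _b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def _sections(text: bytes) -> list:
    """Split a manifest into its blank-line separated sections, header section first."""
    return [s.strip(b"\n") for s in text.split(b"\n\n") if s.strip()]

def _parse(section: bytes) -> dict:
    """Turn the 'Key: value' lines of one section into a dict."""
    pairs = (ln.split(":", 1) for ln in section.decode("utf-8").splitlines() if ":" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def build_manifest(files: dict) -> bytes:
    """manifest.mf: header section, then one digest section per content file."""
    out = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        out += [f"Name: {name}", "Digest-Algorithms: SHA1", f"SHA1-Digest: {_b64sha1(files[name])}", ""]
    return "\n".join(out).encode("utf-8")

def build_signature_file(manifest: bytes) -> bytes:
    """zigbert.sf: digest of the whole manifest, then a digest of each manifest section."""
    out = ["Signature-Version: 1.0", f"SHA1-Digest-Manifest: {_b64sha1(manifest)}", ""]
    for sec in _sections(manifest)[1:]:
        out += [f"Name: {_parse(sec)['Name']}", "Digest-Algorithms: SHA1", f"SHA1-Digest: {_b64sha1(sec)}", ""]
    return "\n".join(out).encode("utf-8")

def build_xpi(files: dict, rsa_blob: bytes, rsa_first: bool = True) -> bytes:
    """Assemble the signed layout; rsa_first=False reproduces the common ordering mistake."""
    manifest = build_manifest(files)
    entries = [("META-INF/zigbert.rsa", rsa_blob), ("META-INF/zigbert.sf", build_signature_file(manifest)),
               ("META-INF/manifest.mf", manifest)] + list(files.items())
    if not rsa_first:
        entries.append(entries.pop(0))  # push the signature to the end of the archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()

def tamper(xpi: bytes, name: str, data: bytes) -> bytes:
    """Replace one entry's content after signing, keeping the entry order (a post-signing edit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi)) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info.filename))
    return buf.getvalue()

def check_xpi(xpi: bytes) -> list:
    """Return the problems found; an empty list means layout and digests are consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        names = z.namelist()
        if names[:1] != ["META-INF/zigbert.rsa"]:
            problems.append("META-INF/zigbert.rsa is not the first archive entry")
        if not {"META-INF/manifest.mf", "META-INF/zigbert.sf"} <= set(names):
            return problems + ["manifest.mf or zigbert.sf missing from META-INF/"]
        manifest, sf = z.read("META-INF/manifest.mf"), z.read("META-INF/zigbert.sf")
        mf_by_name = {_parse(s).get("Name"): s for s in _sections(manifest)[1:]}
        # 1. each file listed in manifest.mf exists and still matches its digest
        for name, sec in mf_by_name.items():
            if name not in names:
                problems.append(f"{name}: listed in manifest.mf but absent from archive")
            elif _b64sha1(z.read(name)) != _parse(sec).get("SHA1-Digest"):
                problems.append(f"{name}: content does not match manifest.mf digest")
        # 2. nothing was added to the archive after signing
        for name in names:
            if not name.startswith("META-INF/") and not name.endswith("/") and name not in mf_by_name:
                problems.append(f"{name}: present in archive but not covered by manifest.mf")
        # 3. zigbert.sf binds manifest.mf as a whole and section by section
        sf_secs = _sections(sf)
        if _parse(sf_secs[0]).get("SHA1-Digest-Manifest") != _b64sha1(manifest):
            problems.append("zigbert.sf digest of manifest.mf does not match")
        for entry in map(_parse, sf_secs[1:]):
            name = entry.get("Name")
            if name not in mf_by_name or _b64sha1(mf_by_name[name]) != entry.get("SHA1-Digest"):
                problems.append(f"{name}: zigbert.sf section digest does not match manifest.mf")
    return problems

if __name__ == "__main__":
    signed = build_xpi(SAMPLE_FILES, FAKE_RSA)
    print("intact:", check_xpi(signed))
    print("edited after signing:", check_xpi(tamper(signed, "install.rdf", b"<RDF>modified</RDF>\n")))
    print("signature not first:", check_xpi(build_xpi(SAMPLE_FILES, FAKE_RSA, rsa_first=False)))
```

Run it as a script to see the three cases: an intact archive reports no problems, a file edited after signing fails its manifest.mf digest, and an archive with zigbert.rsa written last fails the ordering check even though every digest still matches. Point check_xpi at the bytes of a real XPI produced by nss-signtool to see the same checks applied to your own output.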
