This article describes how to digitally sign your extension for Firefox and Thunderbird, with a code signing certificate for Object Signing. The following instructions also apply to a theme and other XPI files.
These instructions assume you're working on Mac and you've already got a valid certificate from CA.
Get the signing tool
sudo port install nss
Export your certificate
If you have your certificate in Firefox, export it by following the steps below. The certificate which the author purchased from VeriSign was directly installed to Firefox.
- Click the Firefox button and select Options.
- In the Options window, open the Advanced panel, then select the Encryption tab.
- Click View Certificates.
- In the Certificate Manager, select the Your Certificates tab.
- Select your organization's certificate and click Backup.
- Enter the file name, e.g.
- Enter the password to protect your certificate backup and click OK.
- A P12 file will be exported on your desktop.
Create a certificate database
First, create a certificate database that will be used for signing.
mkdir keystore cd keystore nss-certutil -N -d .
You will be asked for the password. Use a strong password to protect your database. Then
secmod.db will be generated. Next, import your certificate.
nss-pk12util -i codesign.p12 -d .
Show the certificate list in your database.
nss-certutil -L -d .
Set the trust for the root and intermediate certificates. Here's an example of VeriSign:
nss-certutil -M -n "Verisign Class 3 Public Primary Certification Authority" -t "C,C,C" -d . nss-certutil -M -n "VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign, Inc." -t "C,C,C" -d . nss-certutil -M -n "VeriSign Class 3 Code Signing 2010 CA - VeriSign, Inc." -t "C,C,C" -d .
It's all done.
The basic usage of the signing tool is as follows:
nss-signtool \ -d (path to the directory that contains your certificate database files) \ -k (your certificate nickname) \ -p (your certificate password) \ -X -Z (output path/name of signed file) \ (path to your extension working directory that contains chrome directory, chrome.manifest file, install.rdf file, etc.)
Writing your password directly in the script is dangerous. For production, use such a code:
echo "Enter password for Object Signing:" read MYPASSWORD nss-signtool \ -d /Volumes/Codesign/keystore \ -k "My Company's VeriSign, Inc. ID" \ -p $MYPASSWORD \ -X -Z ~/Desktop/MyExtension/dest/MyExtension-1.0.xpi \ ~/Desktop/MyExtension/source unset MYPASSWORD
Then a signed XPI file will be generated.
Drag and drop the XPI file into the content area of Firefox. On the installation dialog, you can see your organization name along with the file name.
- Signing a XPI - more detailed instructions including test procedures.
- Key Manager - a Firefox extention that has the ability to sign XPI files.
- Signing a Firefox extension with a Windows Authenticode SSL certificate / key - Note that some CAs do not allow (or support) to divert an Authenticode certificate to Object Signing. Please check the terms of service.
- Signing an executable with Authenticode - for signing executable file (exe)