There is a nice Firefox add-on we’ll use to achieve this: Key Manager. But the subordinate CA certificate we create is not suited to sign XPI files, because it doesn’t state explicitly that it can be used for code signing. We have to create another one with an extendedKeyUsage property for code signing.
First we need to create a config file with the extended key usage, eku.cnf:
Then we issue the next OpenSSL commands to create a new certificate and PKCS12 file:
openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ia2.crt -extfile eku.cnf -extensions eku_codesigning openssl pkcs12 -export -out ia2.p12 -inkey ia.key -in ia2.crt -chain -CAfile ca.crt
Now we use the Key Manager add-on to import the PKCS12 file (this can also be done with the Firefox options manager):
After importing the certificates and keys, we need to enable the root CA certificate for code signing:
Now this is done, we’re ready to sign an XPI file. As an example, I’m taking my WhoAmI Firefox add-on:
When installing this signed Firefox add-on, we get to see the identity of the signer:
For an unsigned add-on, it says “Author not verified”:
If we don’t trust the root CA for code signing (or the root CA certificate is missing), we can’t install the add-on!
So it doesn’t make sense to sign a Firefox add-on with your own self-signed certificate if you plan to make it public (e.g. publish it on the Mozilla add-on site). Users will not be able to install your add-on if they don’t have imported and approved your root CA certificate.