Didier Stevens

Thursday 1 January 2009

Howto: Add a Digital Signature to a Firefox Add-on

Filed under: Encryption — Didier Stevens @ 22:02

After signing a Windows executable with our own certificate, let’s sign an XPI file.

There is a nice Firefox add-on we’ll use to achieve this: Key Manager. But the subordinate CA certificate we create is not suited to sign XPI files, because it doesn’t state explicitly that it can be used for code signing. We have to create another one with an extendedKeyUsage property for code signing.

First we need to create a config file with the extended key usage, eku.cnf:

[eku_codesigning]
extendedKeyUsage=codeSigning

Then we issue the next OpenSSL commands to create a new certificate and PKCS12 file:

openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ia2.crt -extfile eku.cnf -extensions eku_codesigning

openssl pkcs12 -export -out ia2.p12 -inkey ia.key -in ia2.crt -chain -CAfile ca.crt

Now we use the Key Manager add-on to import the PKCS12 file (this can also be done with the Firefox options manager):

20090101-220132

20090101-220237

20090101-220326

20090101-2203431

20090101-2203561

20090101-2204091

After importing the certificates and keys, we need to enable the root CA certificate for code signing:

20090101-220428

20090101-220454

Now this is done, we’re ready to sign an XPI file. As an example, I’m taking my WhoAmI Firefox add-on:

20090101-220543

20090101-220724

20090101-220735

When installing this signed Firefox add-on, we get to see the identity of the signer:

20090101-220802

For an unsigned add-on, it says “Author not verified”:

20090101-220010

If we don’t trust the root CA for code signing (or the root CA certificate is missing), we can’t install the add-on!

20090101-221028

So it doesn’t make sense to sign a Firefox add-on with your own self-signed certificate if you plan to make it public (e.g. publish it on the Mozilla add-on site). Users will not be able to install your add-on if they don’t have imported and approved your root CA certificate.

Blog at WordPress.com.