Didier Stevens

Thursday 1 January 2009

Howto: Add a Digital Signature to a Firefox Add-on

Filed under: Encryption — Didier Stevens @ 22:02

After signing a Windows executable with our own certificate, let’s sign an XPI file.

There is a nice Firefox add-on we’ll use to achieve this: Key Manager. But the subordinate CA certificate we created for the Windows executable is not suited to sign XPI files, because it doesn’t state explicitly that it can be used for code signing. We have to create another one with an extendedKeyUsage extension for code signing.

First we need to create a config file with the extended key usage, eku.cnf:

[eku_codesigning]
extendedKeyUsage=codeSigning

Then we issue the next OpenSSL commands to create a new certificate and PKCS12 file:

openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ia2.crt -extfile eku.cnf -extensions eku_codesigning

openssl pkcs12 -export -out ia2.p12 -inkey ia.key -in ia2.crt -chain -CAfile ca.crt
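The two OpenSSL commands above assume a root CA (ca.crt, ca.key) and an intermediate key and CSR (ia.key, ia.csr) from the earlier Windows code-signing post. The script below is an added example, not part of the original post: it builds a throwaway root CA and CSR, issues one certificate without any EKU (standing in for the earlier subordinate certificate the post calls unsuitable) and one with the post’s eku.cnf and command, bundles the latter into the PKCS12 file, and then checks with openssl that the codeSigning EKU is actually present and that both certificates chain to the root. The config file ca.cnf, the DNs, key sizes and the PKCS12 password are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the post's certificate
# issuance in a temporary directory and verify the result with openssl.
# ca.cnf, the DNs, key sizes and the PKCS#12 password are constructed here.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config for a self-signed root CA (assumption: RSA 2048, 10 years)
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# eku.cnf exactly as in the post
cat > eku.cnf <<'EOF'
[eku_codesigning]
extendedKeyUsage=codeSigning
EOF

# Root CA key and certificate, plus the intermediate key and CSR that the
# post assumes already exist.
make_ca_and_csr() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -days 3650 >/dev/null 2>&1
    openssl req -new -config ca.cnf -subj "/CN=Example Code Signing" \
        -newkey rsa:2048 -nodes -keyout ia.key -out ia.csr >/dev/null 2>&1
}

# ia.crt: issued without any EKU (the unsuitable earlier certificate).
# ia2.crt: issued with the codeSigning EKU, using the post's own command.
issue_certs() {
    openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out ia.crt >/dev/null 2>&1
    openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out ia2.crt -extfile eku.cnf \
        -extensions eku_codesigning >/dev/null 2>&1
    # Key, certificate and chain in one PKCS#12 file for import via Key Manager
    openssl pkcs12 -export -out ia2.p12 -inkey ia.key -in ia2.crt \
        -chain -CAfile ca.crt -passout pass:changeit >/dev/null 2>&1
}

# Succeeds when the certificate's Extended Key Usage lists Code Signing
has_codesigning_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'Code Signing'
}

# Succeeds when the certificate validates against the root CA
chains_to_root() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

make_ca_and_csr
issue_certs
for crt in ia.crt ia2.crt; do
    if has_codesigning_eku "$crt"; then eku=yes; else eku=no; fi
    if chains_to_root "$crt"; then chain=OK; else chain=FAIL; fi
    echo "$crt: codeSigning EKU=$eku chain=$chain"
done
```

Both certificates chain to the root, but only ia2.crt carries the Code Signing EKU; that extension is the only difference, and it is what Firefox looks at when it decides whether the certificate may sign an add-on.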

Now we use the Key Manager add-on to import the PKCS12 file (this can also be done with the Firefox options manager):

[screenshots]

After importing the certificates and keys, we need to enable the root CA certificate for code signing:

[screenshots]

Now that this is done, we’re ready to sign an XPI file. As an example, I’m taking my WhoAmI Firefox add-on:

[screenshots]

When installing this signed Firefox add-on, we get to see the identity of the signer:

[screenshot]

For an unsigned add-on, it says “Author not verified”:

[screenshot]

If we don’t trust the root CA for code signing (or the root CA certificate is missing), we can’t install the add-on!

[screenshot]

So it doesn’t make sense to sign a Firefox add-on with your own self-signed certificate if you plan to make it public (e.g. publish it on the Mozilla add-on site). Users will not be able to install your add-on unless they have imported and approved your root CA certificate.

3 Comments »

  1. Hi, great tutorial. Thanks.

    Comment by Alan — Monday 15 June 2009 @ 12:48

  2. Hi, Didier

    It’s very useful stuff, thanks a lot.
    Anyway, I need to sign an xpt file. I wonder if you’d mind telling me the solution.
    Thank you very much!

    Have a nice day!

    C

    Comment by Cabsav — Monday 12 October 2009 @ 14:24

  3. Isn’t an xpt file an archive file like an xpi file? I believe you can use the same procedure.

    Comment by Didier Stevens — Monday 12 October 2009 @ 17:45
