Guide to signing XPIs
This guide is based substantially on the one created by Pete Collins:
https://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html
Step 1 - Install NSS
The simplest option is to grab an appropriate binary distribution:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_RTM/
I downloaded version 3.9 to the directory ~/XPI_signing
You can build it yourself if you wish:
http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html
IMPORTANT: Versions 3.9 and 3.10 work fine, but I have not been able to sign anything with version 3.11 onwards. Most commands result in the error message 'signtool: function failed: An I/O error occurred during security authorization.'
Step 2 - Set up your Environment
Now I have all the NSS tools and libs I need in ~/XPI_signing/nss-3.9
I set up my env in order to use these tools:
export PATH=$PATH:~/XPI_signing/nss-3.9/bin
Step 3 - Get some code to sign (an unpacked xpi)
The code needs to be sitting in a directory unpacked (and without the xpi file present):
cd ~/XPI_signing
mkdir XPI
cd XPI
cp ~/cmiss/zinc/zinc/install/zinc.xpi .
unzip zinc.xpi
rm zinc.xpi
cd ..
Step 4 - Sign the code
Use the exact nickname that identifies your certificate. In this case my nickname is "The University of Auckland's Thawte Consulting (Pty) Ltd. ID". Also make sure the certificate directory (-d) is the default Firefox profile directory where your certificate was installed:
signtool -d ~/.mozilla/firefox/idr1qmb5.default/ -k "The University of Auckland's Thawte Consulting (Pty) Ltd. ID" XPI/
Step 5 - Repackage the signed xpi
The zigbert.rsa file must be the first entry in the package, so add it first and then add the remaining files:
cd XPI
zip zinc.xpi META-INF/zigbert.rsa
zip -r -D zinc.xpi * -x META-INF/zigbert.rsa
Step 6 - A little housekeeping
I tidy some things up as these commands are going to be run from a shell script:
mv zinc.xpi ../
cd ..
rm -r XPI
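
A packaging check for the result of Steps 4 to 6, as an added example that is not part of the original guide: it confirms that META-INF/zigbert.rsa is the first archive entry and that each packaged file matches a SHA1-Digest entry in META-INF/manifest.mf. The manifest layout (Name: and SHA1-Digest: lines), the function names and the sample archive are assumptions made for the example; it does not verify the signature in zigbert.rsa.

```python
import base64
import hashlib
import io
import zipfile

SIG = "META-INF/zigbert.rsa"
MANIFEST = "META-INF/manifest.mf"

def parse_manifest(text):
    """Map each Name: entry to its SHA1-Digest (assumed JAR-style manifest layout)."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields:
            digests[fields["Name"]] = fields.get("SHA1-Digest")
    return digests

def check_signed_xpi(xpi):
    """Return packaging problems; this does not verify the signature itself."""
    problems = []
    with zipfile.ZipFile(xpi) as zf:
        names = zf.namelist()  # order recorded in the archive
        if not names or names[0] != SIG:
            problems.append(f"first entry is {names[0] if names else None!r}, not {SIG}")
        if MANIFEST not in names:
            return problems + [f"{MANIFEST} missing"]
        digests = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directories and signature metadata are not listed
            actual = base64.b64encode(hashlib.sha1(zf.read(name)).digest()).decode()
            if name not in digests:
                problems.append(f"{name} is not covered by the manifest")
            elif digests[name] != actual:
                problems.append(f"{name} does not match its SHA1-Digest")
    return problems

def build_sample(sig_first=True, tamper=False):
    """Constructed stand-in for a signed XPI (placeholder signature bytes)."""
    body = b"// install script\n"
    sha1 = base64.b64encode(hashlib.sha1(body).digest()).decode()
    manifest = f"Manifest-Version: 1.0\n\nName: install.js\nSHA1-Digest: {sha1}\n\n"
    entries = [(SIG, b"placeholder"), (MANIFEST, manifest.encode()),
               ("install.js", body + b"x" if tamper else body)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (entries if sig_first else reversed(entries)):
            zf.writestr(name, data)
    return buf
```

Call check_signed_xpi("zinc.xpi") on the repackaged file; an empty list means the entry order and manifest digests are consistent.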