Guide to signing XPIs

This guide is based substantially on the one created by Pete Collins:

https://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html

Step 1 - Install NSS

Simplest is to grab an appropriate binary distribution:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_RTM/

I downloaded version 3.9 to the directory ~/XPI_signing

You can build it yourself if you wish:

http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html

IMPORTANT: Version 3.9 and 3.10 work fine but I have not been able to sign anything with version 3.11 onwards. Most commands result in the error message 'signtool: function failed: An I/O error occurred during security authorization.'

Step 2 - Set up your Environment

Now I have all the NSS tools and libs I need in ~/XPI_signing/nss-3.9

I set up my env in order to use these tools:

export PATH=$PATH:~/XPI_signing/nss-3.9/bin

Step 3 - Get some code to sign (an unpacked xpi)

The code needs to be sitting in a directory unpacked (and without the xpi file present):

cd ~/XPI_signing
mkdir XPI
cd XPI
cp ~/cmiss/zinc/zinc/install/zinc.xpi .
unzip zinc.xpi
rm zinc.xpi
cd ..

Step 4 - sign the code

Use the exact nickname that identifies your certificate. In this case my nickname is "The University of Auckland's Thawte Consulting (Pty) Ltd. ID". Also make sure the certificate directory is the default firefox directory where your certificate was installed to:

signtool -d ~/.mozilla/firefox/idr1qmb5.default/ -k "The University of Auckland's Thawte Consulting (Pty) Ltd. ID" XPI/

Step 5 - repackage the signed xpi

The zigbert.rsa file must be the first thing in the package so add that first and then the remaining files:

cd XPI
zip zinc.xpi META-INF/zigbert.rsa
zip -r -D zinc.xpi * -x META-INF/zigbert.rsa

Step 6 - a little housekeeping

I tidy some things up as these commands are going to be run from a shell script:

mv zinc.xpi ../
cd ..
rm -r XPI