Getting a digital certificate to code-sign your work is a good idea - if you can get it to work.
We got our code-signing authenticode certificate from Comodo ( http://www.instantssl.com/code-signing/ ). It's easy as pie to use with Windows-based installers, just plug and deploy :-). However, it takes a bit more to get it to work with Mozilla Firefox. Since I couldn't find a one-stop guide on how to do this, I'm putting it online here (mostly for myself :-)).
What you need:
Let's prepare ...
Extract the contents of the NSS and NSPR archives into appropriate folders (e.g. c:\devtools\nss-3.9\ and c:\devtools\nspr-4.6\ ).
Add the paths ...\nss-3.9\bin\, ...\nss-3.9\lib\ and ...\nspr-4.6\lib\ to your system path, either with "set PATH=C:\devtools\nss-3.9\bin\;C:\devtools\nss-3.9\lib\;C:\devtools\nspr-4.6\lib\;%PATH%" or via the "System Variables" in your environment. They need to come before your Windows system path, since Windows ships some files with the same names.
Read and bookmark the NSS Tools documentation: http://www.mozilla.org/projects/security/pki/nss/tools/
Now let's get started:
1. Initialise the certificate database
Pick a folder to create the certificate database in. Use this command to create it (note the trailing dot)
C:\projects\ff\codesign> certutil -N -d .
The dot will cause the database to be created in the current directory.
You will be asked for an NSS Certificate database password - don't forget it!
C:\projects\ff\codesign> certutil -N -d .
Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
2. Import your certificate into Windows and export it as a PKCS#12 file (.pfx)
Use the Microsoft certificate tool:
c:\projects\ff\codesign> pvkimprt -import -pfx mycert.spc mycert.pvk
... then follow the steps in the wizard (it opens a window). Export the certificate as a PKCS#12 file, choose a password (I chose none, since it's just a temporary file to me) and a file name.
3. Import your PKCS#12 file into the certificate database
First, confirm the contents of the .pfx file using "pk12util" from the NSS tools:
c:\projects\ff\codesign> pk12util -l mycert.pfx
to list the contents of the file (using your password). Now use the same tool to import it to your certificate database:
c:\projects\ff\codesign> pk12util -i mycert.pfx -d .
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
4. Confirm that it's imported in the certificate database and find the ID for the key
c:\projects\ff\codesign> certutil -L -d .
Comodo AAA CS CT,C,C
Comodo SCS c,c,C
Comodo TCS c,c,C
79f01492-e71a-2ce3-ae1b-3ccc4abc5def u,u,u
myTestCert u,u,Cu
The certificate we imported has a strange ID as its name. We could rename it (somehow...) but it's not necessary. The certificate is now properly imported and can be used to sign files for Mozilla.
Signing a sample directory with our certificate
Just replace 'password' below with your password, keep the quotes.
c:\projects\ff\codesign> md signed
c:\projects\ff\codesign> copy stuff signed\
c:\projects\ff\codesign> signtool -d . -k 79f01492-e71a-2ce3-ae1b-3ccc4abc5def -p "password" signed/
using certificate directory: .
Generating signed//META-INF/manifest.mf file..
--> stuff
--> (...)
Generating zigbert.sf file..
tree "signed/" signed successfully
In the directory "signed/" you'll now have a folder "META-INF" with the signature files. If you want the signature to verify, the signed files must stay exactly as they were when signed: no changes, no missing files, no additional files.
Peculiarities with Firefox Extensions
Firefox expects the signature information as the first part in a ZIP file. I tried several zip tools but the only one I could get to keep the order within the file was PKZIP (the command line version, payware). Apparently cygwin "zip" also works, but I had lots of issues getting it to reliably zip my files correctly.
5. Sign your Firefox Extension with a batch-file
Here's the batch-file (partly) for generating my Firefox extensions:
REM Settings ------------------------------
set oyoyvers=04
set zip=c:\programs\pkware\pkzipc\pkzipc
set orig=c:\domains\oy-oy\ff\oy-oy%oyoyvers%
REM only prepend the NSS/NSPR folders to PATH once per shell session
if NOT "%signpath%"=="" goto skippath
set PATH=c:\domains\oy-oy\ff\nss-3.11\bin\;c:\domains\oy-oy\ff\nss-3.11\lib\;c:\domains\oy-oy\ff\nspr-4.6\lib\;%PATH%
set signpath="done"
:skippath
REM make jar file (don't sign) -------------
if exist signed_jar\*.* rd /s /q signed_jar
mkdir signed_jar
xcopy %orig%\chrome signed_jar /s
REM make jar file -------------------------
cd signed_jar
if exist ..\oyoyjar.zip del ..\oyoyjar.zip
%zip% -add -path -recurse "../oyoyjar.zip" *.*
cd ..
REM copy it all to signed -----------------
if exist signed_pkg\*.* rd /s /q signed_pkg
mkdir signed_pkg
mkdir signed_pkg\chrome
copy oyoyjar.zip signed_pkg\chrome\oyoy.jar
copy %orig%\chrome.manifest signed_pkg
copy %orig%\install.rdf signed_pkg
REM sign code (use your key + password) -----------------------------
REM signtool writes META-INF\manifest.mf, zigbert.sf and zigbert.rsa into signed_pkg
signtool -d codesign\ -k 79f01492-e71a-2ce3-ae1b-3ccc4abc5def -p "password" signed_pkg/
REM build package ------------------------------
REM add signature (zigbert.rsa, etc) first -----
if exist oyoypkg.zip del oyoypkg.zip
cd signed_pkg
%zip% -add -path ..\oyoypkg.zip META-INF\zigbert.rsa
%zip% -add -path ..\oyoypkg.zip META-INF\manifest.mf
%zip% -add -path ..\oyoypkg.zip META-INF\zigbert.sf
%zip% -add -path ..\oyoypkg.zip chrome\oyoy.jar
%zip% -add -path ..\oyoypkg.zip chrome.manifest
%zip% -add -path ..\oyoypkg.zip install.rdf
cd ..
REM move to root, rename ------------------
copy oyoypkg.zip oyoy%oyoyvers%.xpi
REM cleanup -------------------------------
del oyoypkg.zip
del oyoyjar.zip
rd /s /q signed_jar
rd /s /q signed_pkg
REM done! ---------------------------------
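Two things go wrong silently with a package built this way: the signature entry ends up somewhere other than first in the ZIP, or a file is touched after signtool ran. The following script is an added example, not part of the original post or of any Mozilla tool; it builds a small constructed XPI in memory and checks both conditions against the manifest.mf layout signtool writes (Name / Digest-Algorithms / MD5-Digest / SHA1-Digest sections, assumed here), so you can point check_xpi at the bytes of a real .xpi before shipping it.

```python
import base64, hashlib, io, zipfile

def b64digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def build_sample_xpi(order_ok=True, tamper=False):
    """Build a tiny XPI in memory (constructed sample, not a real extension)."""
    files = {"chrome.manifest": b"content oyoy chrome/content/\n",
             "install.rdf": b"<RDF/>\n"}
    sections = ["Manifest-Version: 1.0\n"]  # manifest.mf layout signtool writes (assumed)
    for name, data in files.items():
        sections.append(f"Name: {name}\nDigest-Algorithms: MD5 SHA1\n"
                        f"MD5-Digest: {b64digest('md5', data)}\n"
                        f"SHA1-Digest: {b64digest('sha1', data)}\n")
    meta = [("META-INF/zigbert.rsa", b"PKCS7-placeholder"),  # real file is DER
            ("META-INF/manifest.mf", "\n".join(sections).encode()),
            ("META-INF/zigbert.sf", b"Signature-Version: 1.0\n")]
    # order_ok=False mimics a zip tool that did not keep zigbert.rsa first
    entries = (meta if order_ok else meta[1:] + meta[:1]) + list(files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            if tamper and name == "install.rdf":  # edit made after signing
                data += b"<!-- edited after signing -->"
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map each 'Name:' section of manifest.mf to its *-Digest values."""
    digests, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            current, digests[value] = value, {}
        elif current is not None and key.endswith("-Digest"):
            digests[current][key] = value
    return digests

def check_xpi(data):
    """Return a list of problems; an empty list means the package passes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # namelist() preserves the order entries were added
        if names[0] != "META-INF/zigbert.rsa":
            problems.append(f"first entry is {names[0]}, not META-INF/zigbert.rsa")
        digests = parse_manifest(zf.read("META-INF/manifest.mf").decode())
        for name in [n for n in names if not n.startswith("META-INF/")]:
            if name not in digests:
                problems.append(f"{name} is not listed in manifest.mf")
            elif b64digest("sha1", zf.read(name)) != digests[name].get("SHA1-Digest"):
                problems.append(f"SHA1 digest mismatch for {name}")
    return problems
```

Run check_xpi on the bytes of oyoy04.xpi (open it with "rb") and an empty list means the entry order and the manifest digests are intact; this does not verify the PKCS#7 signature itself, which Firefox does on install.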
There you have it, simple as pie :-)
Some collected resources (most of the credit goes to them, I'm just a script-kiddie):
Feel free to contact me if you spot errors. Thanks!