Signing an XPI (Windows)
How to sign Mozilla* Add-ons (XPI) with Windows 2000 and XP
* Firefox, Sea Monkey, and Thunderbird
Signing Tools
* Network Security Service (NSS)
Current Windows Release: nss-3.11.zip as of 5 May 2006.
* Netscape Portable Runtime (NSPR)
Current Windows Release: nspr-4.6.4.zip as of 21 November 2006.
Documentation
* NSS
* NSPR
* NSS-Tools
Important Note: If the CA that signed your Code Signing Certificate is Comodo Code Signing CA, please contact support in order to re-issue your certificate off of Comodo Code Signing CA 2.
Signing Procedure
- Extract Contents of both (NSS and NSPR) ZIP files to the same local folder, e.g. C:\XPISign\
Add the NSS tools bin/ and lib/, and the NSPR lib/ directories to the system path.
set PATH=C:\XPISign\nss-3.11\bin\;C:\XPISign\nss-3.11\lib\;C:\XPISign\nspr-4.6.4\lib\; %PATH%
- More permanent approach: Control Panel -> System Properties-> Advanced -> Environment Variables -> System Variables
- Create the certificate database.
-> certutil -N -d .Note: Decide which directory to create the database in as the dot (.) indicates your present working directory.
- Install your certificate and its chain of trust.
* Install Comodo’s Root Authenticode CA to the certificate database. (UTN-USERFirst-Object)
-> certutil -A -n “UTN-USERFirst-Object” -t “TC,TC,TC” -d . -i “UTN-USERFirst-Object.crt”
* Install Comodo’s Intermediate CA.
-> certutil -A -n “Comodo Code Signing CA 2” -t “TC,TC,TC” -d . -i “COMODOCodeSigningCA2.crt”
* Install your certificate (without its private key).
-> certutil -A -n “My Code Signing Certificate” -t “u,u,u” -d . -i “my-cert.crt”
Note: All certificates for import should be in PEM format!
If you need to download our CAs in order to import them, you may do so by navigating here.
- Double-check if certificates were installed properly and available for object signing.
Example Output:
-> certutil -L -d . Certificate Check
-> signtool -L -d . Signtool check
- Export Code Signing Certificate in PKCS12 format (.p12/.pfx)
Exporting out of Firefox: How do I backup my certificate with Firefox?
- Import PKCS12 file into your certificate database created earlier.
-> pk12util -i “YOUR_P12_FILE_NAME.p12” -d .Note: Still note the trailing .(dot)!
- Double-check certificate is in the certificate database.
-> certutil -L -d . Certificate CheckNote: Your certificate should now have the u,u,u attributes.
- Extract your XPI to it’s own directory using any program that support ZIP files.
- Sign your XPI directory and create signed XPI file.
-> signtool -d . -k “My Code Signing Certificate” -p PASS_GOES_HERE -Z “my-addon.xpi” -X XPI_DIR_HERE
Note: Never include your password in batch mode. -X creates XPI, -Z creates an archive and must be used together.
Related Articles
* Signing a XPI (Mozilla Developer Network)