Signing an XPI (Windows)

How to sign Mozilla* Add-ons (XPI) with Windows 2000 and XP

* Firefox, Sea Monkey, and Thunderbird

Signing Tools
* Network Security Service (NSS)
Current Windows Release: nss-3.11.zip as of 5 May 2006.

* Netscape Portable Runtime (NSPR)
Current Windows Release: nspr-4.6.4.zip as of 21 November 2006.

Documentation
* NSS
* NSPR
* NSS-Tools

Important Note: If the CA that signed your Code Signing Certificate is Comodo Code Signing CA, please contact support in order to re-issue your certificate off of Comodo Code Signing CA 2.

Signing Procedure

• Extract Contents of both (NSS and NSPR) ZIP files to the same local folder, e.g. C:\XPISign\

Add the NSS tools bin/ and lib/, and the NSPR lib/ directories to the system path.
set PATH=C:\XPISign\nss-3.11\bin\;C:\XPISign\nss-3.11\lib\;C:\XPISign\nspr-4.6.4\lib\; %PATH%

• More permanent approach: Control Panel -> System Properties-> Advanced -> Environment Variables -> System Variables
• Create the certificate database.
  -> certutil -N -d .

  Note: Decide which directory to create the database in as the dot (.) indicates your present working directory.

• Install your certificate and its chain of trust.

* Install Comodo’s Root Authenticode CA to the certificate database. (UTN-USERFirst-Object)
-> certutil -A -n “UTN-USERFirst-Object” -t “TC,TC,TC” -d . -i “UTN-USERFirst-Object.crt”

* Install Comodo’s Intermediate CA.
-> certutil -A -n “Comodo Code Signing CA 2” -t “TC,TC,TC” -d . -i “COMODOCodeSigningCA2.crt”

* Install your certificate (without its private key).
-> certutil -A -n “My Code Signing Certificate” -t “u,u,u” -d . -i “my-cert.crt”

Note: All certificates for import should be in PEM format!

If you need to download our CAs in order to import them, you may do so by navigating here.

 

• Double-check if certificates were installed properly and available for object signing.

  Example Output:

  -> certutil -L -d . Certificate Check
  -> signtool -L -d . Signtool check

 

• Export Code Signing Certificate in PKCS12 format (.p12/.pfx)
  Exporting out of Firefox: How do I backup my certificate with Firefox?

 

1. Import PKCS12 file into your certificate database created earlier.
   -> pk12util -i “YOUR_P12_FILE_NAME.p12” -d .

   Note: Still note the trailing .(dot)!

• Double-check certificate is in the certificate database.
  -> certutil -L -d . Certificate Check

  Note: Your certificate should now have the u,u,u attributes.

 

• Extract your XPI to it’s own directory using any program that support ZIP files.

 

• Sign your XPI directory and create signed XPI file.
  -> signtool -d . -k “My Code Signing Certificate” -p PASS_GOES_HERE -Z “my-addon.xpi” -X XPI_DIR_HERE

Note: Never include your password in batch mode. -X creates XPI, -Z creates an archive and must be used together.

 

 

Related Articles

* Signing a XPI (Mozilla Developer Network)