How do I sign a Firefox extension?

Posted 2024-07-05 21:38:58 (543 characters, 8 views, 0 comments)


I have developed a couple of extensions for Firefox, and am annoyed that it is so hard to get the extension signed. When an extension isn't signed, it says "Author not verified" when it is installed, and to me that just looks wrong.

I have a simple build script that builds my .xpi file from sources, and I have a licenced copy of PKZip (which according to a number of tutorials is required to build a signed xpi file that Firefox requires), but I haven't found a way to get a free/cheap certificate that actually works or a set of instructions that do the trick.

Since my extensions are free, I don't want to spend $400 on a commercial certificate, but I don't mind spending $50 or so to get it done. I have both Linux and Windows machines, although my build script currently uses Windows and that would be most convenient to use.

How have you solved this? What do I need to do to automatically and securely sign my extensions when they are built?

Edit: I appreciate the Google hits, but the steps they provide aren't complete enough on how to actually get a certificate that works. The feeling I get reminds me of this classic:

alt text


Comments (6)

旧情勿念 2024-07-12 21:38:58


What I found with Google was this: http://www.mercille.org/snippets/xpiSigning.php which states:

    If you don't want a commercial certificate or can't afford one, Ascertia can provide you with a free certificate, but turning it into a code signing certificate requires some extra work, which I have detailed on another page.

I can't say that I've tried it.
And on http://developer.mozilla.org/en/Signing_a_XPI it says:

    The cheapest universally supported (Mozilla, Java, Microsoft) certificate seems to be the Comodo Instant-SSL offering. You can get a free certificate for open-source developers from Unizeto Certum, but their root certificate is only present in Mozilla Firefox and Opera (not Java or Microsoft).

阳光下慵懒的猫 2024-07-12 21:38:58


I've used the Comodo certificate to sign XPIs. It was the cheapest option at the time.

I've written a few posts on the XPI format and a how-to for signing using a Java command-line tool.

My tool XPISigner simplifies the process considerably and can be integrated into build systems.

I've removed the tool as it no longer works with FF4 or higher. Source is available on http://code.google.com/p/xpisigner/ if anyone feels like fixing it.
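The integrity half of XPI signing is a JAR-style manifest: META-INF/manifest.mf lists every payload file with base64 digests, and the signature is later made over that manifest. The following is an added example, not code from this answer or from XPISigner. It assumes the legacy layout (one "Name:" section per file with MD5 and SHA1 digests, which is my reading of the JAR/XPI format and not stated on this page), builds that manifest for a constructed in-memory XPI, and re-verifies a package against it, reporting tampered, missing and unlisted files. The PKCS#7 signature files (zigbert.sf/zigbert.rsa) that the signing tools add on top are not produced here.

```python
"""Build and verify the JAR-style META-INF/manifest.mf used by legacy XPI signing.

Added example (not from the answer or the XPISigner project). Assumed format:
one 'Name:' section per file with base64 MD5 and SHA1 digests, as in JAR signing.
The PKCS#7 signature over the manifest is a separate step not shown here.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/manifest.mf"


def _digests(data: bytes) -> dict:
    """Base64 digests in the legacy manifest form (assumed JAR layout)."""
    return {
        "MD5-Digest": base64.b64encode(hashlib.md5(data).digest()).decode(),
        "SHA1-Digest": base64.b64encode(hashlib.sha1(data).digest()).decode(),
    }


def _section(name: str, data: bytes) -> str:
    d = _digests(data)
    return ("Name: %s\r\nDigest-Algorithms: MD5 SHA1\r\n"
            "MD5-Digest: %s\r\nSHA1-Digest: %s\r\n"
            % (name, d["MD5-Digest"], d["SHA1-Digest"]))


def _payload_names(zf: zipfile.ZipFile) -> list:
    """Files the manifest must cover: everything except META-INF/ and directories."""
    return sorted(n for n in zf.namelist()
                  if not n.startswith("META-INF/") and not n.endswith("/"))


def build_manifest(xpi: bytes) -> str:
    """Return the manifest.mf text for every payload file in the XPI."""
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        sections = [_section(n, zf.read(n)) for n in _payload_names(zf)]
    return "Manifest-Version: 1.0\r\n\r\n" + "\r\n".join(sections)


def parse_manifest(text: str) -> list:
    """Split a manifest into sections (dicts); 72-byte line continuations are not handled."""
    sections = []
    for chunk in text.replace("\r\n", "\n").split("\n\n"):
        lines = [ln for ln in chunk.split("\n") if ln.strip()]
        if lines:
            sections.append(dict(ln.split(": ", 1) for ln in lines))
    return sections


def verify_manifest(xpi: bytes) -> list:
    """Recompute digests; return sorted problems (an empty list means the manifest matches)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        names = set(zf.namelist())
        if MANIFEST_PATH not in names:
            return ["missing: " + MANIFEST_PATH]
        listed = set()
        for sec in parse_manifest(zf.read(MANIFEST_PATH).decode()):
            name = sec.get("Name")
            if name is None:
                continue  # the Manifest-Version header section
            listed.add(name)
            if name not in names:
                problems.append("missing: " + name)
                continue
            actual = _digests(zf.read(name))
            for algo in ("MD5-Digest", "SHA1-Digest"):
                if sec.get(algo) != actual[algo]:
                    problems.append("digest mismatch (%s): %s" % (algo, name))
                    break
        # A file the manifest never lists would escape the signature entirely.
        for name in _payload_names(zf):
            if name not in listed:
                problems.append("unlisted: " + name)
    return sorted(problems)


def make_xpi(files: dict, manifest: str = "") -> bytes:
    """Build an in-memory XPI (a zip); optionally embed a manifest. Constructed test helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        if manifest:
            zf.writestr(MANIFEST_PATH, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample extension, not a real one.
    files = {"install.rdf": b"<RDF/>", "chrome.manifest": b"content demo chrome/\n"}
    signed = make_xpi(files, build_manifest(make_xpi(files)))
    print(verify_manifest(signed))  # []
```

Running verify_manifest against a package whose manifest was copied from an earlier build shows why the digest list matters: a changed install.rdf and an added extra.js are both reported, even before any signature over the manifest is checked.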

悲凉≈ 2024-07-12 21:38:58


Avoid the GoDaddy code-signing certs, as the necessary intermediate CA certificate isn't in Firefox by default:
C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\,Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,SERIALNUMBER=07969287

If you sign with it, your users will get signing errors, e.g.

    SIgning could not be verified. -260

他不在意 2024-07-12 21:38:58


Tucows sells Comodo code signing certificates for $75 per year, that's as cheap as it goes from what I can tell (https://author.tucows.com/, "Code Signing Certificates" section). That's still too much money for me to spend so I didn't try how it works. Not that I can try, from what I can tell you need to be a registered organization to buy a Comodo certificate.

As to Ascertia, getting a certificate is easy enough (http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx) - but such a certificate is as worthless as a self-issued certificate because you would need to import their root certificate before seeing an effect.

梦幻之岛 2024-07-12 21:38:58


Yes, XPI signing is unfortunately quite non-trivial. I would advise searching/posting to the Mozilla newsgroups (dev-extensions, project owners @ mozdev, irc.mozilla.org) and also trying to get in touch with the people who got it to work.

却一份温柔 2024-07-12 21:38:58


If you have an Open Source project, you can get a free code signing certificate from Unizeto.

The steps to get the certificate itself are described in detail here.

Once you have the certificate, do the following:

  • Get the private key from your browser (e.g. download it as .p12 from your keychain; do not set a password) and convert it into PEM format via openssl pkcs12 -in key.p12 -nodes -out private.key -nocerts
  • Open your .pem file that you downloaded from Unicert, add your private key beneath it, and the Public Key of Certum Level III CA from here beneath the private key, so it looks like this:

    -----BEGIN CERTIFICATE-----
    [your certificate from Certum]
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    [the private key you just converted from the .p12 file from your keychain]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [the Certum Level III CA public key you just downloaded]
    -----END CERTIFICATE-----

  • Save this file as cert_with_key_and_ca.pem
  • Install xpisign.py with pip install https://github.com/nmaier/xpisign.py/zipball/master
  • Run xpisign -k cert_with_key_and_ca.pem unsigned.xpi signed.xpi
  • Drag & Drop the signed.xpi into Firefox and you should see the author name where before there was a (Author not verified) message next to the extension name.
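The bundle assembled in the steps above is certificate, then private key, then CA certificate, and because `openssl pkcs12 -nodes` writes the key unencrypted, that file is as sensitive as the key itself. The following is an added example, not part of this answer or of xpisign.py: it checks that each input holds exactly one PEM block of the expected type, concatenates them in that order, and writes the result with owner-only permissions. It also accepts the PKCS#8 "PRIVATE KEY" label that newer OpenSSL releases emit instead of "RSA PRIVATE KEY". The sample PEM bodies are constructed placeholders, not real key material.

```python
"""Assemble the cert + key + CA PEM bundle that xpisign -k reads.

Added example, not part of the answer or of xpisign.py. Each input must
hold exactly one PEM block of the right type; the bundle is written with
mode 0600 because `openssl pkcs12 -nodes` leaves the private key unencrypted.
"""
import os
import tempfile
import re

# One PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Expected order: your certificate, your private key, the issuing CA certificate.
# Newer OpenSSL writes PKCS#8 "PRIVATE KEY" rather than "RSA PRIVATE KEY"; both are accepted.
EXPECTED_LABELS = (
    {"CERTIFICATE"},
    {"RSA PRIVATE KEY", "PRIVATE KEY"},
    {"CERTIFICATE"},
)

# Constructed placeholders (base64 of "CERT", "KEY", "CA"), not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n"


def parse_pem_blocks(text: str) -> list:
    """Return [(label, full_block_text), ...] for every PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_chain_file(cert_pem: str, key_pem: str, ca_pem: str) -> str:
    """Concatenate the three parts in the order xpisign expects, validating each."""
    parts = []
    for allowed, text in zip(EXPECTED_LABELS, (cert_pem, key_pem, ca_pem)):
        blocks = parse_pem_blocks(text)
        if len(blocks) != 1 or blocks[0][0] not in allowed:
            raise ValueError("expected one %s block, got %s"
                             % (" or ".join(sorted(allowed)), [b[0] for b in blocks]))
        parts.append(blocks[0][1])
    return "\n".join(parts) + "\n"


def write_chain_file(path: str, content: str) -> None:
    """Create the bundle readable only by its owner (mode 0600) from the first write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # tighten a pre-existing file that was created wider


def write_sample_bundle() -> tuple:
    """Write the constructed sample bundle to a temp dir; return (path, content read back)."""
    path = os.path.join(tempfile.mkdtemp(), "cert_with_key_and_ca.pem")
    write_chain_file(path, build_chain_file(SAMPLE_CERT, SAMPLE_KEY, SAMPLE_CA))
    with open(path, "r") as f:
        return path, f.read()


if __name__ == "__main__":
    # With the real files from the steps above, replace the SAMPLE_* constants
    # by the contents of your Certum .pem, private.key and the Level III CA .pem.
    path, content = write_sample_bundle()
    print(path)
    print([label for label, _ in parse_pem_blocks(content)])
```

Feeding the output file to `xpisign -k cert_with_key_and_ca.pem unsigned.xpi signed.xpi` is unchanged from the steps above; the script only guards against the two mistakes the manual cut-and-paste invites, blocks in the wrong order and a bundle left world-readable.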