Code signing extensions



Code signing extensions

Unread post by Pelican » 2018-07-27, 00:05

I started a new post because existing topics were off in a different direction:

- AMO automatically signs uploaded/approved extensions but that uses a Mozilla signature.

I need to code sign some extensions with my own cert, ie: extensions that will be allowed to run in our custom browser.

I used to use XPIsigner but Firefox 5 and later failed to support it. There also used to be a "Key Manager" extension for Firefox but that was last updated in 2013... in fact their last version was unsigned and therefore not installable due to extension signing requirements. Online I see reference for Key Management in Firefox Tools but cannot find which version, and suspect that it may require a PFX.

So that is my problem... to be able to codesign .XPI using a USB Token cert (code signing checks we can modify).


Re: Code signing extensions

Unread post by Lootyhoof » 2018-07-27, 00:19

Is there a reason you can't try Key Manager? It looks to still be on AMO...

The documentation for signing XPIs is over here too for a slightly more manual process.


Re: Code signing extensions

Unread post by Pelican » 2018-07-27, 01:13

Lootyhoof wrote: Is there a reason you can't try Key Manager? It looks to still be on AMO
That is the one that I tried. Won't run in Firefox unless it's an old ESR version (17). Later versions of Firefox failed to support it due to the later plugin version not being signed (circa 2013). If they couldn't sign their own XPI, what does that say... end of life? Anyway on version 17 ESR at least I got to see the options, and there are none for using a USB Token Cert.

Your other link I did see before, but yet to try after chasing dead ends all morning :-(

But now I checked it out, the resources are either not suitable for USB Token or outdated.
Last edited by Pelican on 2018-07-27, 01:34, edited 2 times in total.


Re: Code signing extensions

Unread post by Pelican » 2018-07-27, 03:47

After reading signing instructions on a Cert site... https://knowledge.digicert.com/solution/SO20728.html I decided to give the Key Manager one last try. But the latest Key Manager is not signed and would not install onto any Firefox version later than 24. By inspecting inside I noticed a limitation for max version.

Anyway found Firefox ESR 24 and found that it did recognise my eToken in the cert store. So I signed a PM language file.

Unfortunately PM did not recognise the signature at all and Firefox reported that the XPI was corrupt. So that is the end of that dead end.

Anyone who likes working with extensions might be able to update Key Manager... to date there doesn't seem to be anything to replace it for PM or Firefox.

The Key Signer with instructions can be downloaded here - http://addmine.com/temp/KeyManager.zip (works with Firefox 24 ESR)

JustOff

Re: Code signing extensions

Unread post by JustOff » 2018-07-27, 10:23

WilliamK wrote: Unfortunately PM did not recognise the signature
Last time I experimented with Key Manager, I used FF24 to sign my add-on using self-signed cert + CA (just like you do), and it was successfully verified in Pale Moon with the corresponding CA imported.


Re: Code signing extensions

Unread post by Pelican » 2018-07-27, 12:05

AMO might be using their own self-signing. But a lot will have changed since FF24, including SHA256 certs which we are obligated to use today.

From what I can see the only diff between signed and unsigned is 3 files in a META-INF folder. I suppose that they comprise a manifest and bitcount of each file to validate against tampering.
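
Added example, not part of any post in this thread: in JAR-style signing, the META-INF folder holds a manifest of per-file digests, a signature file, and a signature block. The Python below checks only the manifest digests of an XPI against its contents and does not verify the signature block; the sample archive is constructed, and the file names and the `SHA1-Digest` attribute used in it are assumptions.

```python
import base64, hashlib, io, zipfile
ALGS = {"MD5-Digest": "md5", "SHA1-Digest": "sha1", "SHA256-Digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} from JAR-style manifest text."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join wrapped lines
    entries = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_xpi(data):
    """Compare every archive member with its manifest digests; return problems."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n for n in z.namelist() if not n.endswith("/")}
        meta = {n for n in names if n.upper().startswith("META-INF/")}
        manifest = next((n for n in meta if n.lower() == "meta-inf/manifest.mf"), None)
        if manifest is None:
            return ["unsigned: no META-INF/manifest.mf"]
        entries = parse_manifest(z.read(manifest).decode("utf-8"))
        for name in sorted(names - meta):
            digests = {k: v for k, v in entries.get(name, {}).items() if k in ALGS}
            if not digests:  # a file added after signing has no manifest section
                problems.append(f"not covered by manifest: {name}")
            for attr, expected in digests.items():
                actual = base64.b64encode(hashlib.new(ALGS[attr], z.read(name)).digest()).decode()
                if actual != expected:
                    problems.append(f"{attr} mismatch: {name}")
        problems += [f"listed but missing: {n}" for n in sorted(set(entries) - names)]
    return problems

def build_sample(files, listed=None):
    """Constructed sample: zip `files` with a manifest describing `listed`."""
    listed = files if listed is None else listed
    mf = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nDigest-Algorithms: SHA1\nSHA1-Digest: "
        f"{base64.b64encode(hashlib.sha1(c).digest()).decode()}\n\n" for n, c in listed.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.mf", mf)
        for n, c in files.items():
            z.writestr(n, c)
    return buf.getvalue()

GOOD = {"install.rdf": b"<RDF/>", "chrome/locale.dtd": b"<!ENTITY a 'b'>"}  # constructed
if __name__ == "__main__":
    print(check_xpi(build_sample(GOOD)))  # intact sample: no problems reported
```

A manifest that matches its files only shows internal consistency; trust still depends on verifying the signature block against a CA the browser has imported.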

JustOff

Re: Code signing extensions

Unread post by JustOff » 2018-07-27, 12:28

AMO signing has nothing to do with the classic add-on signing, and you can't make your add-ons signed using your own cert in Firefox 48+. Only Pale Moon (and probably SeaMonkey) still understand this type of signing, but it only gives you the opportunity to check whether the extension is signed or not, and no restrictions can be applied based on this.


Re: Code signing extensions

Unread post by Pelican » 2018-07-28, 11:29

We may look into whitelisting which extensions are allowed to be installed. A point in the right direction will be helpful.

I see that the language XPIs remain unpacked and get installed to
C:\Users\****\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\2lk5qn0i.default\extensions

When installing language extensions, are they registered/recorded anywhere?

JustOff

Re: Code signing extensions

Unread post by JustOff » 2018-07-28, 11:41

Could you clarify in detail what exactly you are trying to achieve?


Re: Code signing extensions

Unread post by Pelican » 2018-07-28, 12:07

I need to limit which plugins and extensions can be installed. Plugins are not a problem as I know where they live. The language extensions are invaluable. Codesigning and checking certs may be the long way around, so I am looking into ways of limiting extension install by using a whitelist, ie: list those that will be allowed.

When a language extension is installed, what is registered and where to?

JustOff

Re: Code signing extensions

Unread post by JustOff » 2018-07-28, 12:50

AFAIK you can't enforce such limits without making changes directly to the Add-ons Manager code. There you will also find the answer to your question about language packs.


Re: Code signing extensions

Unread post by Pelican » 2018-07-29, 05:56

Thanks for that. Where might I be able to locate the code for the status bar for some customisation?


Re: Code signing extensions

Unread post by SpockFan02 » 2018-07-29, 07:21

WilliamK wrote: Thanks for that. Where might I be able to locate the code for the status bar for some customisation?
https://github.com/MoonchildProductions/UXP/tree/a26cb28c9780c015694151771d649b7cec4086db/application/palemoon/components/statusbar

It used to be an extension that was bundled with Pale Moon, but Tobin integrated it IIRC.