How do you sign your Firefox extensions? - firefox

I have developed a couple of extensions for Firefox, and am annoyed that it is so hard to get the extension signed. When an extension isn't signed, it says "Author not verified" when it is installed, and to me that just looks wrong.
I have a simple build script that builds my .xpi file from sources, and I have a licenced copy of PKZip (which according to a number of tutorials is required to build a signed xpi file that Firefox requires), but I haven't found a way to get a free/cheap certificate that actually works or a set of instructions that do the trick.
Since my extensions are free, I don't want to spend $400 on a commercial certificate, but I don't mind spending $50 or so to get it done. I have both Linux and Windows machines, although my build script currently uses Windows and that would be most convenient to use.
How have you solved this? What do I need to do to automatically and securely sign my extensions when they are built?
Edit: I appreciate the Google hits, but the steps they provide aren't complete enough on how to actually get a certificate that works. The feeling I get reminds me of this classic:

Avoid the GoDaddy codesigning certs as the necessary intermediate CA certificate isn't in Firefox by default.
C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\,Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,SERIALNUMBER=07969287
If you sign with it, your users will get signing errors, e.g. "Signing could not be verified. -260".

I've used the comodo certificate to sign XPIs. It was the cheapest option at the time.
I've written a few posts on the XPI Format and a howto for signing using a java commandline tool.
My tool XPISigner simplifies the process considerably and can be integrated into build systems.
I've removed the tool as it no longer works with FF4 or higher. Source is available on http://code.google.com/p/xpisigner/ if anyone feels like fixing.

What I found with Google was this: http://www.mercille.org/snippets/xpiSigning.php which states:
If you don't want a commercial certificate or can't afford one, Ascertia can provide you with a free certificate, but turning it into a code signing certificate requires some extra work, which I have detailed on another page.
I can't say that I've tried it.
And on http://developer.mozilla.org/en/Signing_a_XPI it says:
The cheapest universally supported (Mozilla, Java, Microsoft) certificate seems to be the Comodo Instant-SSL offering. You can get a free certificate for open-source developers from Unizeto Certum, but their root certificate is only present in Mozilla Firefox and Opera (not Java or Microsoft).

Yes, XPI signing is unfortunately quite nontrivial. I would advise searching/posting to the mozilla newsgroups (dev-extensions, project owners # mozdev, irc.mozilla.org) and also trying to get in touch with the people who got it to work.

Tucows sells Comodo code signing certificates for $75 per year, that's as cheap as it goes from what I can tell (https://author.tucows.com/, "Code Signing Certificates" section). That's still too much money for me to spend so I didn't try it. Not that I can try, from what I can tell you need to be a registered organization to buy a Comodo certificate.
As to Ascertia, getting a certificate is easy enough (http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx) - but such a certificate is as worthless as a self-issued certificate because you would need to import their root certificate before seeing an effect.

If you have an Open Source project, you can get a free code signing certificate from Unizeto.
The steps to get the certificate itself are described in detail here.
Once you have the certificate, do the following:
get the private key from your browser (e.g. download it as .p12 from your keychain - do not set a password) and convert it into PEM format via openssl pkcs12 -in key.p12 -nodes -out private.key -nocerts
Open your .pem file that you downloaded from Unicert, add your private key beneath it, and the Public Key of Certum Level III CA from here beneath the private key, so it looks like this:
-----BEGIN CERTIFICATE-----
[your certificate from Certum]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[the private key you just converted from the .p12 file from your keychain]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[the Certum Level III CA public key you just downloaded]
-----END CERTIFICATE-----
Save this file as cert_with_key_and_ca.pem
Install xpisign.py with pip install https://github.com/nmaier/xpisign.py/zipball/master
Run xpisign -k cert_with_key_and_ca.pem unsigned.xpi signed.xpi
Drag & Drop the signed.xpi into Firefox and you should see the author name where before there was a (Author not verified) message next to the extension name.
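The procedure above, scripted as an added example (this is not code from the answer or from xpisign.py): it extracts the key from the .p12, concatenates certificate, key and CA in the order shown, and refuses to call xpisign unless the bundle is internally consistent. It assumes openssl 1.0.2 or newer is on PATH; the file names, the optional .p12 password argument and the `sign-xpi.sh` name are hypothetical. Two caveats the answer does not mention: newer OpenSSL writes the key as "BEGIN PRIVATE KEY" rather than "BEGIN RSA PRIVATE KEY" (either works), and because "Certum Level III CA" is an intermediate rather than a root, `openssl verify` needs `-partial_chain` to accept it as the anchor.

```shell
#!/bin/sh
# Added example, not code from the answer above or from xpisign.py: assemble the
# cert/key/CA bundle in the order the answer shows and sanity-check it before
# signing. Assumes openssl (1.0.2 or newer) on PATH; file names are hypothetical.
set -eu

# Step 1: pull the private key out of the .p12 exported from the browser and keep
# only the PEM block (drops the "Bag Attributes" lines pkcs12 prints). Newer
# OpenSSL writes "BEGIN PRIVATE KEY" instead of "BEGIN RSA PRIVATE KEY"; both work.
p12_to_pem_key() {   # $1 = key.p12, $2 = output private.key, $3 = p12 password ("" if none)
    openssl pkcs12 -in "$1" -nodes -nocerts -passin "pass:${3:-}" \
        | sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' > "$2"
    [ -s "$2" ] || { echo "no private key found in $1" >&2; return 1; }
}

# Step 2: your certificate, then your key, then the CA certificate.
make_bundle() {      # $1 = cert.pem, $2 = private.key, $3 = ca.pem, $4 = output bundle
    cat "$1" "$2" "$3" > "$4"
}

# Step 3: refuse to sign with a bundle that is not internally consistent.
# Returns 0 only if: exactly one private key is present; its public half equals
# the first certificate's key; that certificate chains to the CA given as $2.
# -partial_chain lets an intermediate such as Certum Level III act as the anchor
# without also supplying the root above it.
check_bundle() {     # $1 = bundle.pem, $2 = ca.pem
    b=$1; tmpkey=$(mktemp); tmpleaf=$(mktemp); rc=1
    nkeys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$b" || true)
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$b" > "$tmpkey"
    if [ "$nkeys" -ne 1 ]; then
        echo "expected exactly one private key, found $nkeys" >&2
    elif [ "$(openssl x509 -in "$b" -noout -pubkey)" != "$(openssl pkey -in "$tmpkey" -pubout)" ]; then
        echo "private key does not belong to the first certificate" >&2
    elif ! openssl x509 -in "$b" -out "$tmpleaf" || ! openssl verify -partial_chain -CAfile "$2" "$tmpleaf" >/dev/null; then
        echo "certificate does not chain to $2" >&2
    else
        rc=0
    fi
    rm -f "$tmpkey" "$tmpleaf"
    return $rc
}

# Usage: sh sign-xpi.sh key.p12 cert.pem certum-level3.pem unsigned.xpi signed.xpi
if [ "$#" -eq 5 ]; then
    p12_to_pem_key "$1" private.key
    make_bundle "$2" private.key "$3" cert_with_key_and_ca.pem
    check_bundle cert_with_key_and_ca.pem "$3"
    xpisign -k cert_with_key_and_ca.pem "$4" "$5"
fi
```

The key-match check catches the most common mistake in this flow, exporting the wrong identity from the keychain; the chain check catches a stale or wrong CA file. Both fail loudly before anything is signed, which is what you want from a build step.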

Related

Can I sign a self-extracting exe with a certificate without the Code signing EKU?

I've a self-extracting .exe created with 7zip (7z.sfx). I've signed it with signtool. The signing certificate is in my Local Machine store, and its root certificate is in the "Trusted root certificate authorities" and "Trusted publishers" folders.
I would like the signature details to appear in the publisher field of the UAC prompt, but it still shows "Unknown Publisher". Anyone know what's going on? The certificate does not have the "Code signing" EKU. Will this cause the problem?
This person had a similar problem, with no answers. This question covers code signing in detail but it's still not working for me.
Ok, perhaps as I suspected, the EKU for code signing is essential for UAC. There's no problem generating the signature with a vanilla certificate, but UAC will ignore signatures generated with non code-signing certificates, even if those certificates are in Trusted Publishers, Trusted Root Authorities etc.
The EKU for code signing is 1.3.6.1.5.5.7.3.3.
The following PowerShell command gets you a self signed code signing cert...
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname sby-port -type CodeSigningCert
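An added example (not code from the answer above) for people who generate their test certificates with OpenSSL rather than PowerShell: it builds the same kind of self-signed certificate, with or without the Code Signing EKU 1.3.6.1.5.5.7.3.3, and provides the check the answer describes UAC performing, namely whether the Extended Key Usage extension is present and lists Code Signing. It assumes openssl is on PATH; the file prefix and the "sby-port" CN are taken from the PowerShell command and are otherwise hypothetical.

```shell
#!/bin/sh
# Added example, not code from the answer above: the OpenSSL counterpart of the
# New-SelfSignedCertificate call, plus the check that decides whether UAC will
# show a publisher, namely whether the certificate carries the Code Signing EKU
# 1.3.6.1.5.5.7.3.3. Assumes openssl on PATH; file names and CN are hypothetical.
set -eu

CODE_SIGNING_OID=1.3.6.1.5.5.7.3.3

# Self-signed certificate for the "sby-port" subject. $2=yes adds the Code
# Signing EKU; $2=no yields a vanilla certificate that signtool will happily
# sign with but that UAC ignores ("Unknown Publisher").
make_self_signed() {   # $1 = output prefix, $2 = yes|no
    cfg="$1.cnf"
    {
        printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\n'
        printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n'
        if [ "$2" = yes ]; then printf 'extendedKeyUsage = %s\n' "$CODE_SIGNING_OID"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=sby-port" \
        -config "$cfg" -extensions ext -keyout "$1.key" -out "$1.crt"
}

# Returns 0 if the certificate's Extended Key Usage lists Code Signing, 1 otherwise
# (including when the extension is absent altogether).
has_code_signing_eku() {   # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | grep -q 'Code Signing'
}

# Usage: sh make-codesign-cert.sh prefix
if [ "$#" -eq 1 ]; then
    make_self_signed "$1" yes
    has_code_signing_eku "$1.crt" && echo "$1.crt carries the Code Signing EKU"
fi
```

Run `has_code_signing_eku` against whatever certificate signtool is about to use; if it returns 1, the "Unknown Publisher" result is explained before you sign anything.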

Code Signing Certificate Reputation with SmartScreen Filter

I am using a standard (i.e. not EV) Authenticode code signing certificate to sign a Windows desktop application in the hope that Smartscreen Filter will eventually stop blocking it.
I was hoping to certify the application but since my code signing certificate was issued by GoDaddy it appears that I can't do that since you need a certificate from Symantec, Entrust, GlobalSign, WoSign or Digicert in order to create a Windows Certification Dashboard account (the first step in the certification process).
So here's my question: Will my non-certified Windows application signed with a standard GoDaddy SHA-2 code signing certificate still accumulate reputation?
According to this article, most likely yes, but you need to check the details in your certificate:
https://social.technet.microsoft.com/wiki/contents/articles/51151.microsoft-trusted-root-certificate-program-participants-as-of-january-30-2018.aspx

Unable to sign code with code-signing certificate

We purchased the Microsoft Authenticode certificate from Thawte. Now I have it in a PFX file. I try the following:
D:\sign>signtool sign /f ./cert/cert.pfx /p mypass /t http://timestamp.verisign.com/scripts/timstamp.dll "mySetup.exe"
Done Adding Additional Store
Successfully signed and timestamped: mySetup.exe
But when I run mySetup.exe, it runs like unsigned, and shows "Unknown Publisher".
When I verify the EXE file with SignTool, I get following.
D:\sign>SignTool verify mySetup.exe
SignTool Error: WinVerifyTrust returned error: 0x800B010A
SignTool Error: File not valid: mySetup.exe
Number of errors: 1
What is wrong?
It may be related to the fact that Thawte uses an Intermediate Certificate for signing. They consider this to be within best practices, which I won't argue one way or the other.
From an end user standpoint, however, this can lead to complications. This is a known issue with VSTO (Visual Studio Tools for Office) solutions using ClickOnce, and may be what is affecting you here.
The solution for dealing with this is, sadly, that you will need to add the appropriate Intermediate CA's cert to all end user machines:
Resolution
The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of Thawte certificate and would require that Thawte intermediate certificate be installed on the end users machine.
Thawte provides links to the appropriate CA certs for their Intermediate Certificates

creating a key and signing executable with signtool

How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can create your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).
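An added example (not code from either of the answers it illustrates) that ties together the intermediate-certificate problem behind the 0x800B010A error in the Thawte question and the "create your own CA" suggestion just above: it builds a private root, an intermediate under it, and a code-signing leaf under that; shows that the leaf fails to verify when only the root is trusted and the intermediate is missing; and packs the leaf, its key and the intermediate into one PFX so that signtool has the full chain available when it signs. It assumes openssl is on PATH; all names, CN values and the PFX password are hypothetical.

```shell
#!/bin/sh
# Added example, not code from either answer above: a private two-tier CA for
# internal code signing, showing why a missing intermediate breaks verification
# and how to ship the chain inside the PFX you hand to signtool.
# Assumes openssl on PATH; names, CN values and the PFX password are hypothetical.
set -eu

# One config file serves the root, the intermediate and the signing leaf.
write_config() {   # $1 = path
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_codesign]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root: this is the one certificate you install as a Trusted Root.
make_root() {      # $1 = config, $2 = name
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -config "$1" -extensions v3_ca -keyout "$2.key" -out "$2.crt"
}

# Certificate issued by an existing CA; $4 picks v3_ca (intermediate) or v3_codesign (leaf).
issue_cert() {     # $1 = config, $2 = name, $3 = issuer name, $4 = extension section
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1" \
        -keyout "$2.key" -out "$2.csr"
    openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 365 -extfile "$1" -extensions "$4" -out "$2.crt"
}

# Returns 0 if the leaf chains to the trusted root. Without the intermediate the
# chain cannot be built, which is the OpenSSL form of 0x800B010A (CERT_E_CHAINING).
verify_chain() {   # $1 = root.crt, $2 = leaf.crt, $3 = intermediate.crt (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null
    else
        openssl verify -CAfile "$1" "$2" >/dev/null
    fi
}

# PFX carrying leaf, key AND intermediate, so the signer has the whole chain on
# hand and end users never need the intermediate installed separately.
export_pfx() {     # $1 = leaf name, $2 = intermediate.crt, $3 = password, $4 = out.pfx
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2" \
        -passout "pass:$3" -out "$4"
}

# Number of certificates inside a PFX (leaf + intermediate should give 2).
pfx_cert_count() { # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Usage: sh private-ca.sh   (writes root.crt, inter.crt, myapp.crt, myapp.pfx in cwd)
if [ "$#" -eq 0 ] && [ -z "${PRIVATE_CA_NO_MAIN:-}" ] && [ ! -e myapp.pfx ]; then
    write_config ca.cnf
    make_root ca.cnf root
    issue_cert ca.cnf inter root v3_ca
    issue_cert ca.cnf myapp inter v3_codesign
    export_pfx myapp inter.crt change-me myapp.pfx
    echo "certificates in myapp.pfx: $(pfx_cert_count myapp.pfx change-me)"
fi
```

The same chain test explains the Thawte symptom: `signtool sign` succeeds because the signer has the leaf, but `signtool verify` fails on a machine that knows the root and not the intermediate. Embedding the intermediate in the signature (signtool picks it up when the PFX contains it) or distributing it to clients are the two fixes, and the former is the one you control.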

Kernel mode code signing

I made a driver, and now I need to sign it. It runs in kernel mode.
From what I've read in Microsoft's Kernel Mode Code Signing Walkthrough, I have to buy a software publisher certificate from a commercial CA. In that document, they say to look at the end, and follow this link for a list of CAs from which I can buy that certificate. I find the link very confusing somehow because I can't figure out exactly what certificate I need to buy. I need to sign the driver so that it will install on 64-bit Windows systems. A direct link would be very welcome (I would like to buy it from GlobalSign).
Is it the Microsoft Authenticode from here?
I asked a similar question in Microsoft Drivers Developers Forum some time ago. This is their answer:
You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but Verisign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap, the Verisign certificate costs $499 per year. Once you have the cert you can use it instead of the test cert to sign the driver.
Your link contains this information in Supported Platforms: Digitally sign Windows ActiveX controls via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and kernel software for Windows. Windows 7 compatible.
It looks like you are in the right place.
Just to be precise: I have not used the code certification yet, I just learned it. I recommend you to verify this answer in osronline or Microsoft Drivers Developers Forum.
Check out https://www.startssl.com/?app=40 - StartSSL offers such certificates for US$ 199.00
The cross-signed CA certificate is at https://www.startssl.com/certs/ named microsoft.kernel.mode.pem or microsoft.kernel.mode.crt
You can buy a signature from Digicert.
Digicert will issue a cross signing certificate in a zip file. Unzip it
DigiCert High Assurance EV Root CA.crt
Double click it and add it to your IE personal store
Using IE, export the cert, with password to a .pfx file
The command to sign the driver is
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"
You can use this same command to sign .exe files
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .exe file"
Ensure this machine has internet access otherwise the signing process will fail.