Posts

Showing posts from April, 2011

Signing firefox extensions

Signing FF extensions is pretty straightforward. Lately I've been going through some strains related to them, so I thought I'd share lesson learned. You have two sides that need to match with each other: online update URL and extension itself. Online update URL is a single file - update.rdf. Extension is an XPI file, with install.rdf file inside. Update.rdf contains a list of available extensions. Each extension should have checksum information, e.g. in sha1 algorithm. Once update.rdf is complete with all information and checksums, it must be signed with signer key. Note that, every time you change any of extension, it's checksum will likely change and so you need to update and re-sign update.rdf as well. On the other side, the install.rdf included in our XPI file needs to have our public key. Once you create install.rdf and put public key there, you can forget about it. XPI file does not have any checksum or signing. This all sounds nice and well but sometimes it doesn'