Wednesday, June 18, 2008

How to sign a Firefox 3 addon

Of course you've noticed that Firefox 3 has been released (and that it didn't go that smoothly, trying to break the world record).

One of the major changes in the new FF3 release is that add-ons (plugins, extensions, whatever you wanna call them :-) need to either use an HTTPS updateLink, or if it is an HTTP updateLink, you need to sign the .xpi. The exact info on how to do this is quite scattered, so here I summarize it all in one place, in three steps! :-)

Below I'll focus on Step 2 mentioned in the high level migration steps: providing secure updates.

Step 1
Add your update key to install.rdf inside the em:updateKey tag. For details see here. Follow the mentioned McCoy link. In short: create a key with the tool, right-click on the key you created, select Copy and put that inside em:updateKey tags within install.rdf, below em:updateURL.

Step 2
Create the .xpi and add its sha1 hash (right-click on the .xpi and select Properties in Windows) to update.rdf as mentioned here. Note that you should put an em:updateHash below each em:updateLink you have in your update.rdf. Also don't forget the sha1: prefix.

Step 3
Add the signature to update.rdf. See here for an example signature. Select the key you used in Step 1 in the McCoy tool. Click Sign in the menu. You'll be prompted to select your update.rdf. It will then generate (and overwrite!) your update.rdf, with the em:signature in it. I guess you can reuse this generated update.rdf for next updates (you'll need to re-hash and re-sign it when you update it), but to be safe I also made a backup copy of my original update.rdf.
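A cross-platform way to do the Step 2 hash and catch a stale or unprefixed em:updateHash before signing, as an added example that is not part of the original post or of McCoy. It assumes em:updateLink and em:updateHash are written as child elements (not attributes) in update.rdf; the function names and sample data are made up for illustration.

```python
import hashlib
import sys
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # namespace behind the em: prefix

def xpi_update_hash(xpi_bytes):
    """Value for em:updateHash: the sha1: prefix plus the hex digest of the .xpi."""
    return "sha1:" + hashlib.sha1(xpi_bytes).hexdigest()

def check_update_rdf(rdf_data, xpi_bytes):
    """Return a list of problems; an empty list means every link has a matching hash."""
    expected = xpi_update_hash(xpi_bytes)
    problems, links = [], 0
    for parent in ET.fromstring(rdf_data).iter():
        link = parent.find(EM + "updateLink")  # direct children only
        if link is None:
            continue
        links += 1
        url = (link.text or "").strip()
        declared = (parent.findtext(EM + "updateHash") or "").strip()
        if not declared:
            problems.append(f"{url}: no em:updateHash next to this em:updateLink")
        elif not declared.startswith("sha1:"):
            problems.append(f"{url}: em:updateHash lacks the sha1: prefix")
        elif declared.lower() != expected:
            problems.append(f"{url}: hash does not match the .xpi (expected {expected})")
    if links == 0:
        problems.append("no em:updateLink elements found")
    return problems

# Constructed sample data, so the example runs without real files.
SAMPLE_XPI = b"constructed stand-in for the bytes of an .xpi"
SAMPLE_RDF = """<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
                         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description>
    <em:updateLink>http://example.com/addon.xpi</em:updateLink>
    <em:updateHash>{hash}</em:updateHash>
  </RDF:Description>
</RDF:RDF>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py update.rdf addon.xpi
        with open(sys.argv[1], "rb") as r, open(sys.argv[2], "rb") as x:
            found = check_update_rdf(r.read(), x.read())
    else:
        good = SAMPLE_RDF.format(hash=xpi_update_hash(SAMPLE_XPI))
        found = check_update_rdf(good, SAMPLE_XPI)
    print("\n".join(found) or "update.rdf hashes OK")
    sys.exit(1 if found else 0)
```

Run it against the real update.rdf and .xpi before Step 3, since the signature has to be regenerated whenever the hash changes.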

All in all not too complex, but the information was scattered. Useful in getting my mind around it and how it all relates was this thread.

1 comment:

ShaCow said...

Thank you for taking the time to put all this info in one place! It has saved me hours of frustration trying to get my addon working with ff3.