Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Automate the signature of the update.rdf manifest for my firefox extension

Tags:

scripting

command-line

firefox-addon

digital-signature

I'm developing a firefox extension and I'd like to provide automatic update to my beta-testers (who are not tech-savvy). Unfortunately, the update server doesn't provide HTTPS. According to the Extension Developer Guide on signing updates, I have to sign my update.rdf and provide an encoded public key in the install.rdf.

There is the McCoy tool to do all of this, but it is an interactive GUI tool and I'd like to automate the extension packaging using an Ant script (as this is part of a much bigger process). I can't find a more precise description of what's happening to sign the update.rdf manifest than below, and McCoy source is an awful lot of javascript.

The doc says:

The add-on author creates a public/private RSA cryptographic key pair. The public part of the key is DER encoded and then base 64 encoded and added to the add-on's install.rdf as an updateKey entry.

(...)

Roughly speaking the update information is converted to a string, then hashed using a sha512 hashing algorithm and this hash is signed using the private key. The resultant data is DER encoded then base 64 encoded for inclusion in the update.rdf as an signature entry.

I don't know well about DER encoding, but it seems like it needs some parameters.

So would anyone know

  • either the full algortihm to sign the update.rdf and install.rdf using a predefined keypair, or a scriptable alternative to McCoy
  • whether a command-line tool like asn1coding will suffise
  • a good/simple developer tutorial on DER encoding
like image 260
instanceof me Avatar asked Mar 29 '10 16:03

instanceof me

2 Answers

Things have moved since last year:

welcome to uhura (and they are listed on the official MDC McCoy page)

uhura -k signature.key yourextension.xpi http://yourupdateurl

Additional advantage is that you can generate, backup, move your own crypto keys without being bound to mozilla's DB. Only drawback is: Perl based (how painful to fix missing dependencies, with or without CPAN)

As a side note, I had almost started writing my own python-based script, but could not find any RDF-aware signing lib; or, actually, even XML-signing libs are crap for python (but hey, XML-DSig is inherently evil, isn't it). Why did Mozilla pick RDF for the extension manifest?

like image 140
Stefano Avatar answered Oct 05 '22 03:10

Stefano

not sure if you already found solution, but McCoy tool has a command line patch.

like image 40
Pablo Avatar answered Oct 05 '22 02:10

Pablo
Sign in to Comment

Related questions

C# -- Console.In.ReadToEnd() hangs on user input if no data piped to program
Crop Stamps.com PDF label
List of strings (multiple lines) as command line input in Java
debugfs command not found
User input to the command line when using Runtime.getRuntime().exec(command);
How to properly interpret a single line of python code?
How to ignore required files in node.js from istanbul coverage
Runy Open3.popen3 Entering input into the subprocess from the command-line
text auto complete using Tab in command line
Modify XML from the command line
Chrome: Call Javascript function from (system) command line?
Execute command with prompt YES input
Command line svn - "Version mismatch" error
Windows: PANIC: Broken AVD system path. Check your Android_SDK_Root value [C:\Users\[User]\AppData\Local\Android\SDK]!
Deploy Only Single Non-exported Function in Firebase Cloud Functions
Visual Studio 2017 command line prompt
how to change user (www-data) to root
Redirecting ConsoleOutput containing pseudo-loc (unicode) strings in C#
Mathematica in batch mode from the command line on Mac OS X
Idiots guide to moving a directory up in SVN

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!