Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Automate the signature of the update.rdf manifest for my firefox extension

I'm developing a firefox extension and I'd like to provide automatic update to my beta-testers (who are not tech-savvy). Unfortunately, the update server doesn't provide HTTPS. According to the Extension Developer Guide on signing updates, I have to sign my update.rdf and provide an encoded public key in the install.rdf.

There is the McCoy tool to do all of this, but it is an interactive GUI tool and I'd like to automate the extension packaging using an Ant script (as this is part of a much bigger process). I can't find a more precise description of what's happening to sign the update.rdf manifest than below, and McCoy source is an awful lot of javascript.

The doc says:

The add-on author creates a public/private RSA cryptographic key pair. The public part of the key is DER encoded and then base 64 encoded and added to the add-on's install.rdf as an updateKey entry.

(...)

Roughly speaking the update information is converted to a string, then hashed using a sha512 hashing algorithm and this hash is signed using the private key. The resultant data is DER encoded then base 64 encoded for inclusion in the update.rdf as an signature entry.

I don't know well about DER encoding, but it seems like it needs some parameters.

So would anyone know

  • either the full algortihm to sign the update.rdf and install.rdf using a predefined keypair, or a scriptable alternative to McCoy
  • whether a command-line tool like asn1coding will suffise
  • a good/simple developer tutorial on DER encoding
like image 260
instanceof me Avatar asked Mar 29 '10 16:03

instanceof me


2 Answers

Things have moved since last year:

welcome to uhura (and they are listed on the official MDC McCoy page)

uhura -k signature.key yourextension.xpi http://yourupdateurl

Additional advantage is that you can generate, backup, move your own crypto keys without being bound to mozilla's DB. Only drawback is: Perl based (how painful to fix missing dependencies, with or without CPAN)

As a side note, I had almost started writing my own python-based script, but could not find any RDF-aware signing lib; or, actually, even XML-signing libs are crap for python (but hey, XML-DSig is inherently evil, isn't it). Why did Mozilla pick RDF for the extension manifest?

like image 140
Stefano Avatar answered Oct 05 '22 03:10

Stefano


not sure if you already found solution, but McCoy tool has a command line patch.

like image 40
Pablo Avatar answered Oct 05 '22 02:10

Pablo