A Tool for checking if extension is signed?

For some of us, our Firefox extension is a small part of a larger product. We don’t pay that much attention to it. Therefore, for quality control, we’d like a command-line tool we could script into our build system to, say, check the signature of the Firefox extension. Our script would stop the build if it fails.

Because signing requirements might change in the future, and because maintaining such a separate tool would be an extra burden on the Mozilla team and thus itself be a source of bugs, I would suggest that this tool be built into Firefox. Maybe it could work with a command-line argument the way the -ProfileManager does.

Do we have such a thing?

I don’t know how to ensure the validity of the signature. But this is what you can do. Open up the xpi with your command line tool (the xpi is just a zip file) and then look for a META-INF folder, then in there look for manifest.mf, manifest.rsa, and mozilla.sf. If that’s all there, it has the stuff needed to be signed, but I’m not sure how to test if it’s for the current version, as someone may upload it with the previous version’s signatures, which will be invalid for the new version.
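The structural check described in the reply above, extended to compare each digest listed in `META-INF/manifest.mf` with the file actually in the archive, which catches signature files carried over from an older build. This is an added example, not part of the thread or of any Mozilla tool; `check_xpi`, `parse_manifest` and `build_sample` are hypothetical names and the sample XPI is constructed. It assumes a JAR-style manifest, accepts any `.rsa` file under `META-INF` as the signature block, and does not validate the signature or its certificate chain.

```python
import base64, hashlib, io, zipfile

REQUIRED = ("META-INF/manifest.mf", "META-INF/mozilla.sf")
ALGOS = {"SHA256-Digest": "sha256", "SHA1-Digest": "sha1", "MD5-Digest": "md5"}
def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def parse_manifest(text):
    """Map each 'Name:' entry of a JAR-style manifest to its other headers."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for block in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in fields:
            entries[fields.pop("Name")] = fields
    return entries

def check_xpi(data):
    """Return a list of problems; an empty list means every check passed."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        problems = [f"missing {n}" for n in REQUIRED if n not in names]
        if not any(n.startswith("META-INF/") and n.endswith(".rsa") for n in names):
            problems.append("missing META-INF/*.rsa signature block")
        if "META-INF/manifest.mf" not in names:
            return problems
        entries = parse_manifest(z.read("META-INF/manifest.mf").decode("utf-8"))
        payload = {n for n in names if not n.startswith("META-INF/") and not n.endswith("/")}
        problems += [f"not in manifest: {n}" for n in sorted(payload - set(entries))]
        for name, fields in sorted(entries.items()):
            header = next((h for h in ALGOS if h in fields), None)
            if name not in names or header is None:
                problems.append(f"cannot check: {name}")
            elif b64_digest(ALGOS[header], z.read(name)) != fields[header]:
                problems.append(f"digest mismatch: {name}")
    return problems

def build_sample(stale=False):
    """Constructed sample XPI; its .sf/.rsa files are placeholders, not signatures."""
    body = b"console.log('v2');"
    signed = b"console.log('v1');" if stale else body  # stale: manifest from an older build
    manifest = f"Manifest-Version: 1.0\n\nName: main.js\nSHA256-Digest: {b64_digest('sha256', signed)}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("main.js", body)
        z.writestr("META-INF/manifest.mf", manifest)
        for n in ("META-INF/mozilla.sf", "META-INF/mozilla.rsa"):
            z.writestr(n, "placeholder")
    return buf.getvalue()
```

In a build script, pass the packaged file's bytes to `check_xpi` and stop the build when the returned list is not empty.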

Thank you, noitidart. Yes, that test would be better than nothing but not too much better. For this type of opaque process, I need approval from the horse’s mouth, say, the current version of Firefox Developer Edition, that the Firefox extension in my product is shippable.

I think @dveditz knows how to verify the certificates.