Add-ons/Extension Signing: Difference between revisions



A PKCS7 detached signature is computed on "mozilla.sf", using a signing certificate generated for each signature. The signing certificate, also called end-entity cert, is issued by an intermediate certificate of the Firefox private PKI. No special key usage or extended key usage is required in the end-entity cert, but its subject CN must match the addon ID (for example, addon ID test@tests.mozilla.org would have a cert CN set to that value).
Note: If the addon ID is longer than 64 characters, we use the SHA256 hash of the addon ID in the end-entity subject CN, to work around issues with long strings in certificates (see [https://bugzilla.mozilla.org/show_bug.cgi?id=1203787 bug 1203787]).
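
The CN rule above as a check, in Python. This is an added example, not code from the original page or from Mozilla. It assumes the hash is taken over the UTF-8 bytes of the ID and written as lowercase hex; the function names and the long addon ID are made up for illustration.

```python
import hashlib

CN_MAX = 64  # threshold from the note above; IDs longer than this are hashed


def expected_cn(addon_id: str) -> str:
    """Subject CN the end-entity cert should carry for this addon ID."""
    if len(addon_id) <= CN_MAX:
        return addon_id
    # Assumption: SHA256 over the UTF-8 bytes of the ID, as lowercase hex
    # (64 characters, so the result fits where the raw ID did not).
    return hashlib.sha256(addon_id.encode("utf-8")).hexdigest()


def check_cn(addon_id: str, cert_cn: str) -> str:
    """Return 'ok' or the reason the cert CN does not match the addon ID."""
    if cert_cn == expected_cn(addon_id):
        return "ok"
    digest = hashlib.sha256(addon_id.encode("utf-8")).hexdigest()
    if len(addon_id) <= CN_MAX and cert_cn.lower() == digest:
        return "hash used although the ID fits in the CN"
    if cert_cn == addon_id:
        return "long ID used verbatim instead of its SHA256 hash"
    if cert_cn.lower() == digest:
        return "hash present but not in the expected letter case"
    return "CN does not correspond to this addon ID"


# Constructed sample data: the short ID is the page's example, the long
# one is made up (60 + 18 = 78 characters).
SHORT_ID = "test@tests.mozilla.org"
LONG_ID = "a" * 60 + "@tests.mozilla.org"

if __name__ == "__main__":
    cases = [
        (SHORT_ID, SHORT_ID),
        (LONG_ID, expected_cn(LONG_ID)),
        (LONG_ID, LONG_ID),
        (SHORT_ID, expected_cn(LONG_ID)),
    ]
    for addon_id, cn in cases:
        print(f"{addon_id[:24]!r:28} -> {check_cn(addon_id, cn)}")
```
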


The [https://tools.ietf.org/html/rfc2315 PKCS #7 (section 9.1 SignedData type)] signature is a binary file stored in the XPI under '''META-INF/mozilla.rsa'''. Because it is a standard PKCS7 signature, it can be verified using OpenSSL, as follows: