Paul "suckerformimi" wrote:
> I've seen this asked many times, but I haven't seen any solutions
> posted.
>
> What zip utility can I use under windows to create a signed XPI?
> I can't find any that let me control the order of the files.

Don't look for a special zip tool. Look for a JAR signing tool, and an ordinary zip tool. Any command line zip tool will let you control the order in which the files are added to the zip archive. It might require you to run the zip tool once for each file to be added. If you get a signed XPI file whose contents are not in the right order, you can merely unzip its contents into a tree of files, and then rezip those files into a new zip file in the right order.

Any signed XPI file is actually a signed JAR file. The important thing about both types of files is *NOT* that they're zip files. There's nothing special about the zip format itself in XPI files or JAR files. This is somewhat explained in
http://developer.mozilla.org/en/docs/XPI

The important thing is that the files that make up the contents of the zip must conform to the specification of a signed JAR (Java ARchive).
http://java.sun.com/j2se/1.5.0/docs/guide/jar/jar.html

To make either a signed XPI or signed JAR file takes two steps:
1. set the hierarchy of files according to the signed JAR specification, using any of the spec-conformant JAR signing tools, then
2. zip them up.

In the case of XPI files, the files have to be zipped up in a certain order. But that's a mere detail of how they're zipped up, after the full signed JAR contents have been created. Creating the files that go into the JAR (zip) is the hard part.

I am aware of two tools for creating signed JARs.
1. Sun's "jar" and "jarsigner" tools (which make a JAR, and then sign it)
http://java.sun.com/j2se/1.5.0/docs/guide/security/SecurityToolsSummary.html
2. NSS's "signtool"
http://docs.sun.com/source/816-5531-10/app_sign.htm
http://lxr.mozilla.org/security/source/security/nss/cmd/signtool/README

The JAR specification does not impose any order on the files within the zipped JAR. The files may appear in any order in the zipped JAR. It permits multiple signatures ("signature block" files) to exist in the JAR, with different subsets of files signed with each signature block.

The XPI specification allows only one "signature block" file (that is, .rsa or .dsa) per JAR, and requires that it be the first file in the zipped JAR.

NSS's signtool utility has some command line options that will also zip up the results. The -Z option does this. When used together, the -Z and -X options cause the "zigbert.[rd]sa" file to come first in the zipped output. Whether -Z is used or not, signtool leaves the hierarchy of files intact so that any ordinary zip tool may be used to do the final zip step. This gives the zip creator maximum flexibility over the type of compression used with each file, among other things.

> Also, what's the easiest way to tell whether my XPI is properly signed?
> Is there an NSS utility that does this?

Signtool will tell you if your file is a valid JAR file, but will not check that it is also a valid XPI file. Ultimately, Firefox or SeaMonkey themselves are the best test tools for XPI files.

> Thanks in advance,
>
> Paul

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
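The two XPI-specific checks the reply describes (the .rsa/.dsa signature block must be the first zip entry, and the files must match the JAR manifest digests) as an added Python example; this is not code from the thread or from NSS/signtool. It builds a constructed, minimal signed-JAR layout in memory with a placeholder signature block, so it checks layout and manifest digests only, not the PKCS#7 signature itself.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample content for a tiny extension (not a real XPI).
FILES = {"install.rdf": b"<RDF/>", "chrome.manifest": b"content demo chrome/"}
SIG_FIRST = ["META-INF/zigbert.rsa", "META-INF/zigbert.sf", "META-INF/manifest.mf"]
SIG_LAST = ["META-INF/manifest.mf", "META-INF/zigbert.sf", "META-INF/zigbert.rsa"]

def sha1_b64(data):
    """JAR manifest digest encoding: base64 of the SHA-1 of the file bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_xpi(meta_order, tamper=False):
    """Zip the signed-JAR layout with META-INF entries in the given order."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nDigest-Algorithms: SHA1\nSHA1-Digest: {sha1_b64(d)}\n\n"
        for n, d in FILES.items())
    meta = {"META-INF/manifest.mf": manifest.encode(),
            "META-INF/zigbert.sf": b"Signature-Version: 1.0\n",  # constructed stand-in
            "META-INF/zigbert.rsa": b"PLACEHOLDER-PKCS7-BLOB"}    # constructed, not a signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in meta_order:
            z.writestr(name, meta[name])
        for name, data in FILES.items():
            # tamper=True alters a file after its digest was written to the manifest
            z.writestr(name, data + (b"<!--x-->" if tamper and name == "install.rdf" else b""))
    return buf.getvalue()

def manifest_digests(text):
    """Parse 'Name:' / 'SHA1-Digest:' pairs from each blank-line-separated section."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:].strip()
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:].strip()
        elif not line.strip():
            name = None
    return digests

def check_xpi(xpi_bytes):
    """Return (signature block is first entry, all manifest digests match)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = z.namelist()
        first = names[0].lower()
        first_ok = first.startswith("meta-inf/") and first.endswith((".rsa", ".dsa"))
        digests = manifest_digests(z.read("META-INF/manifest.mf").decode())
        digests_ok = bool(digests) and all(
            n in names and sha1_b64(z.read(n)) == d for n, d in digests.items())
    return first_ok, digests_ok
```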