Codesign – Signing an XPI (Windows)

Signing an XPI (Windows)

How to sign Mozilla* Add-ons (XPI) with Windows 2000 and XP

* Firefox, SeaMonkey, and Thunderbird

Signing Tools
* Network Security Services (NSS)
Current Windows Release: as of 5 May 2006.

* Netscape Portable Runtime (NSPR)
Current Windows Release: as of 21 November 2006.

* NSS-Tools

Important Note: If the CA that signed your Code Signing Certificate is Comodo Code Signing CA, please contact support in order to re-issue your certificate off of Comodo Code Signing CA 2.

Signing Procedure

  • Extract the contents of both ZIP files (NSS and NSPR) to the same local folder, e.g. C:\XPISign\


Add the NSS tools bin/ and lib/, and the NSPR lib/ directories to the system path.
set PATH=C:\XPISign\nss-3.11\bin\;C:\XPISign\nss-3.11\lib\;C:\XPISign\nspr-4.6.4\lib\;%PATH%

  • More permanent approach: Control Panel -> System Properties -> Advanced -> Environment Variables -> System Variables
  • Create the certificate database.
    -> certutil -N -d .

    Note: The dot (.) refers to your present working directory, so decide which directory the database should live in and change to it before running the command.


  • Install your certificate and its chain of trust.

* Install Comodo’s Root Authenticode CA to the certificate database. (UTN-USERFirst-Object)
-> certutil -A -n "UTN-USERFirst-Object" -t "TC,TC,TC" -d . -i "UTN-USERFirst-Object.crt"

* Install Comodo’s Intermediate CA.
-> certutil -A -n "Comodo Code Signing CA 2" -t "TC,TC,TC" -d . -i "COMODOCodeSigningCA2.crt"

* Install your certificate (without its private key).
-> certutil -A -n "My Code Signing Certificate" -t "u,u,u" -d . -i "my-cert.crt"

Note: All certificates for import should be in PEM format!


If you need to download our CAs in order to import them, you may do so by navigating here.


  • Double-check that the certificates were installed properly and are available for object signing.

    Certificate check:
    -> certutil -L -d .

    Signtool check:
    -> signtool -L -d .



  • Import the PKCS12 file into the certificate database you created earlier.
    -> pk12util -i "YOUR_P12_FILE_NAME.p12" -d .

    Note: Do not forget the trailing dot (.)!


  • Double-check that the certificate is in the certificate database (certificate check).
    -> certutil -L -d .

    Note: Your certificate should now have the u,u,u attributes.


  • Extract your XPI to its own directory using any program that supports ZIP files.


  • Sign your XPI directory and create the signed XPI file.
    -> signtool -d . -k "My Code Signing Certificate" -p PASS_GOES_HERE -Z "my-addon.xpi" -X XPI_DIR_HERE


Note: Never include your password in batch mode. -X creates an XPI and -Z creates an archive; the two options must be used together.
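
A structural check to run on the file produced by the signing step, as an added example that is not part of the original article: it confirms that the signature block is the first archive entry and that every file matches its SHA1 digest in META-INF/manifest.mf. It assumes the Name / SHA1-Digest manifest sections signtool normally writes; the function names are hypothetical, the sample archive is constructed in memory with placeholder signature bytes, and the PKCS#7 signature itself is not validated.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def check_signed_xpi(data):
    """Return a list of structural problems; an empty list means the layout is sound."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        first = names[0].lower() if names else ""
        # Assumption: signtool -X stores the signature block as the first entry.
        if not (first.startswith("meta-inf/") and first.endswith(".rsa")):
            problems.append("first entry is not META-INF/*.rsa")
        mf = next((n for n in names if n.lower() == "meta-inf/manifest.mf"), None)
        if mf is None:
            return problems + ["META-INF/manifest.mf is missing"]
        text = z.read(mf).decode("utf-8", "replace").replace("\r\n", "\n")
        text = text.replace("\n ", "")  # unfold wrapped continuation lines
        listed = set()
        for section in text.split("\n\n")[1:]:  # first section is the main header
            attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
            name = attrs.get("Name")
            if name is None:
                continue
            listed.add(name)
            if name not in names:
                problems.append(name + ": listed in manifest but not in archive")
            elif attrs.get("SHA1-Digest") != sha1_b64(z.read(name)):
                problems.append(name + ": SHA1 digest mismatch")
        for n in names:  # files added after signing have no digest entry
            if not n.lower().startswith("meta-inf/") and not n.endswith("/") and n not in listed:
                problems.append(n + ": not covered by manifest")
    return problems

def build_sample(files, extra=None, sig_first=True):
    """Build a constructed XPI-like archive in memory (placeholder signature bytes)."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        "Name: %s\nDigest-Algorithms: SHA1\nSHA1-Digest: %s\n\n" % (n, sha1_b64(c))
        for n, c in files.items())
    entries = [("META-INF/zigbee.rsa", b"placeholder"), ("META-INF/manifest.mf", manifest.encode())]
    entries += list(files.items()) + list((extra or {}).items())
    if not sig_first:
        entries.reverse()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, c in entries:
            z.writestr(n, c)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_signed_xpi(build_sample({"install.rdf": b"<RDF/>"}, extra={"late.js": b"1"})))
```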



Related Articles

* Signing a XPI (Mozilla Developer Network)
