How do I view code signing certificates?

Given that code signing certificate expirations are a problem for add-ons:

  • As a user, how do I view the list of code signing certificates my browser trusts for add-ons, with their expiration dates and trust chain?

  • As a user, how do I view and independently verify the signing certificate chain for each of my installed extensions?

  • As an extension developer, what do I need to do when a certificate that was used to sign my extension expires?

(If, for any of the above questions, the simple answer is “there is no UI in Firefox to do this”, then I want to know the complicated answer, namely, in which files/databases/etc these are stored, in which data formats, which algorithms are applied to what data when signing and verifying, and which existing third-party tools can be used for that. Links to existing documentation in MDN or elsewhere are welcome.)

(Basically, I’m not content with a “CHECK ENGINE” light. I want to look under the hood and I want a service manual.)

As far as I’m aware, there is currently only ever one (okay, probably two, but the second one isn’t relevant to extensions you can install afaik) certificate that Firefox trusts for extensions. Thus the certificate chain having an expiry in it leads to all kinds of havoc.

This means there’s not much to check out for extensions, since they’ll be signed with the cert that’s valid in your browser or if they’re not, Firefox will disable them. Which is exactly the issue here…

You can find some details on how signing works at https://wiki.mozilla.org/Add-ons/Extension_Signing though I’m not sure if it’s entirely up to date.

If you’re listing it on addons.mozilla.org and thus AMO handles updates, nothing at all. If you are managing an “unlisted”/self-distributed extension, you may have to release an update. However in this case that is not needed, from what I understand, since it’s a cert in the chain that’s affected, not the main signing cert.
I’d expect Mozilla to inform add-on developers if they had to take any action in the case of a cert change.
