tl;dr where is Mozilla’s root CA for verifying Mozilla-signed Firefox extensions?
I’m trying to understand and validate Mozilla’s Add-on/Extension signatures outside of the Firefox GUI. In Mozilla’s documentation, the *.xpi file created and signed by Mozilla is easily understood as a zip file with a META-INF folder containing a sha256 checksum file cryptographically signed by Mozilla. However, the root Certificate Authority is (obviously) not bundled with the extension but with the Firefox binary. The documentation describes how to verify a signature of the sha256sum file as:
$ openssl cms -verify -inform der -in META-INF/mozilla.rsa -content META-INF/mozilla.sf -CAfile test.addons.signing.root.ca.crt -purpose any
Signature-Version: 1.0
MD5-Digest-Manifest: OlmmwIHcPmhoIt4uMxdh8A==
SHA1-Digest-Manifest: 82zZH0Aq6GaTNMq+PnBlzep6fEA=
Verification successful
However, I cannot for the life of me find the location of test.addons.signing.root.ca.crt (for -CAfile). The documentation is unhelpful: "The root cert is not stored in the document but shipped with Firefox directly."
Scanning both system and user Mozilla and Firefox directories for *.pem and *.crt files yielded only results related to verifying website certificates but nothing for addons.
So, then, where is Mozilla’s root CA for verifying Mozilla-signed Firefox extensions?
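As an added example (not part of the question and not Mozilla's own tooling), the following Python script checks the digest chain inside an .xpi that sits underneath the openssl cms step above: mozilla.sf must digest manifest.mf, and manifest.mf must digest every other packaged file. It assumes the standard JAR-style layout (META-INF/manifest.mf with per-file digests, META-INF/mozilla.sf with a digest of the manifest) and builds a constructed sample .xpi in memory; verifying mozilla.rsa against the root CA is deliberately left out.

```python
import base64, hashlib, io, re, zipfile

ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # manifest digest name -> hashlib
ENTRY = re.compile(r"^Name: (.+)\n((?:\w+-Digest: \S+\n)+)", re.M)
DIGEST_LINE = re.compile(r"^(\w+)-Digest(?:-Manifest)?: (\S+)$", re.M)


def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def digests_ok(block, data):
    # Every '<ALGO>-Digest[-Manifest]: <base64>' line in block must match data.
    # Unknown algorithms and blocks without any digest line fail closed.
    pairs = DIGEST_LINE.findall(block)
    return bool(pairs) and all(
        a.upper() in ALGOS and b64_digest(ALGOS[a.upper()], data) == d for a, d in pairs)


def check_xpi_digests(xpi_bytes):
    # Check the chain mozilla.sf -> manifest.mf -> every packaged file. Returns (ok, problems).
    # The CMS signature over mozilla.sf (META-INF/mozilla.rsa) is NOT verified here.
    problems, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        mf_raw = z.read("META-INF/manifest.mf")
        sf_text = z.read("META-INF/mozilla.sf").decode().replace("\r\n", "\n")
        if not digests_ok(sf_text.split("\n\n")[0], mf_raw):
            problems.append("mozilla.sf does not match manifest.mf")
        for name, digest_block in ENTRY.findall(mf_raw.decode().replace("\r\n", "\n")):
            listed.add(name)
            if name not in names or not digests_ok(digest_block, z.read(name)):
                problems.append(f"digest mismatch or missing file: {name}")
        problems += [f"not covered by manifest: {n}" for n in names
                     if not n.startswith("META-INF/") and n not in listed]
    return not problems, problems


def build_sample_xpi(tamper=False):
    # Constructed in-memory sample, not a real add-on: two files plus manifest.mf and mozilla.sf.
    files = {"manifest.json": b'{"name": "demo"}', "background.js": b"console.log(1);\n"}
    mf = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA256-Digest: {b64_digest('sha256', d)}\n\n" for n, d in files.items())
    sf = f"Signature-Version: 1.0\nSHA256-Digest-Manifest: {b64_digest('sha256', mf.encode())}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in files.items():  # tamper appends to background.js after it was digested
            z.writestr(n, d + b"//x\n" if tamper and n == "background.js" else d)
        z.writestr("META-INF/manifest.mf", mf)
        z.writestr("META-INF/mozilla.sf", sf)
    return buf.getvalue()
```

Passing this check only shows the package matches its manifest; without validating mozilla.rsa against the shipped root, anyone could regenerate both digest files after modifying the add-on.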