+1  A: 

What I found with Google was this: http://www.mercille.org/snippets/xpiSigning.php which states:

If you don't want a commercial certificate or can't afford one, Ascertia can provide you with a free certificate, but turning it into a code signing certificate requires some extra work, which I have detailed on another page.

I can't say that I've tried it. And on http://developer.mozilla.org/en/Signing_a_XPI it says:

The cheapest universally supported (Mozilla, Java, Microsoft) certificate seems to be the Comodo Instant-SSL offering. You can get a free certificate for open-source developers from Unizeto Certum, but their root certificate is only present in Mozilla Firefox and Opera (not Java or Microsoft).

dlamblin
Unfortunately it's not clear *which* certificate on Ascertia to get, and the "another page" is mostly blank at the moment. I'd like something a little more specific please :)
Allan Mertner
Yes, I've looked at the second page too - it's why I bought PKZip. How exactly do I get the right kind of certificate from Unizeto? What is the URL to get it?
Allan Mertner
Yeah I tried to follow up on this too, and I could not figure out step 2 either.
dlamblin
+1  A: 

Yes, XPI signing is unfortunately quite non-trivial. I would advise searching/posting to the mozilla newsgroups (dev-extensions, project owners @ mozdev, irc.mozilla.org) and also trying to get in touch with the people who got it to work.

Nickolay
+1  A: 

I've used the comodo certificate to sign XPIs. It was the cheapest option at the time.

I've written a few posts on the XPI Format and a howto for signing using a java commandline tool.

My tool XPISigner simplifies the process considerably and is integratable into build systems.

koregan
This is all really helpful, thanks - great info. Is the Comodo certificate the "code signing" one that costs around £110 for a year?
Allan Mertner
Finally got enough rep to answer you ;) That's it. I think I got it a bit cheaper last year by confusing the website into letting me buy it in dollars. The exchange rate with the euro was quite favorable then. You may find resellers that offer it cheaper; I think I saw some in another answer on here.
koregan
+1  A: 

Tucows sells Comodo code signing certificates for $75 per year, that's as cheap as it goes from what I can tell (https://author.tucows.com/, "Code Signing Certificates" section). That's still too much money for me to spend so I didn't try how it works. Not that I can try, from what I can tell you need to be a registered organization to buy a Comodo certificate.

As to Ascertia, getting a certificate is easy enough (http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx) - but such a certificate is as worthless as a self-issued certificate because you would need to import their root certificate before seeing an effect.

+3  A: 

Avoid the GoDaddy codesigning certs as the necessary intermediate CA certificate isn't in Firefox by default:

C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\,Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,SERIALNUMBER=07969287

If you sign with it, your users will get signing errors.

e.g.

Signing could not be verified. -260

koregan
This appears to still be a problem. Noted on this page https://developer.mozilla.org/en/Signing_a_XPI which leads to this bug entry https://bugzilla.mozilla.org/show_bug.cgi?id=321156.
Tim Keating
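The failure mode in the answer above (a leaf certificate that verifies only when its intermediate CA is available, which Firefox does not ship for that chain) can be reproduced locally before buying a certificate. The script below is an added example, not code from any of the posters or from Mozilla's tooling: it builds a throwaway root -> intermediate -> code-signing leaf chain with openssl, then checks the leaf once against the root alone (what a browser that lacks the intermediate effectively does) and once with the intermediate supplied. All names, file paths and the extension contents are constructed for the example; `openssl` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates why a leaf
# certificate fails to verify when the issuing intermediate CA is not known
# to the verifier, and passes once the intermediate is supplied.
set -eu

# make_test_pki DIR: writes root.crt, inter.crt, leaf.crt (plus keys) into DIR.
# The names and subjects are constructed for this example.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"

  # Extension files for the CA and the code-signing leaf (constructed).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' \
    > "$dir/leaf.ext"

  # Self-signed root: the only thing a browser would carry in its trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test Root' \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null

  # Code-signing leaf, issued by the intermediate (not directly by the root).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Extension Author' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# verify_leaf DIR [INTERMEDIATE_FILE]: exit 0 if leaf.crt chains to root.crt.
# With no intermediate given, the chain cannot be built past the leaf, which
# is the situation a browser is in when the intermediate is not in its store
# and the signer did not bundle it.
verify_leaf() {
  dir=$1
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$dir/root.crt" -untrusted "$2" "$dir/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1
  fi
}

# chain_status DIR: one-line diagnosis of the chain kept in DIR.
chain_status() {
  if verify_leaf "$1"; then
    echo "complete"
  elif verify_leaf "$1" "$1/inter.crt"; then
    echo "broken: intermediate missing from trust store"
  else
    echo "broken: leaf does not chain to root at all"
  fi
}

# Run as `sh chaincheck.sh demo` to see the diagnosis on a fresh test PKI.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_pki "$work"
  chain_status "$work"
  rm -rf "$work"
fi
```

To apply the same check to a real certificate, replace `root.crt` with the relevant root from the browser's store (exported from Firefox's certificate manager) and `leaf.crt` with the purchased certificate: if `openssl verify` only succeeds with `-untrusted intermediate.crt`, the signature will only verify in browsers that either ship that intermediate or receive it inside the signature block.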