19

Instead of going to Extension Builder > Build Package…, I'd like to build a .safariextz package from the MyExtension.safariextension folder.

I know I can unpack an extension with xar -xf. I suspect the way back involves packing it with xar, but then I'll need to do the code signing thing, which may or may not involve codesign(1).

kch

2 Answers

6

Here are Omar Ismail's instructions, omitting the need for separate shell scripts. This will all occur in a directory safari/, where we will be signing the directory safari/appname.safariextension/ to become the extension safari/appname.safariextz. The first thing is to sign the extension the official way, with Extension Builder's Build Package.

Set up Xar:
1. Download and unzip/untar https://github.com/downloads/mackyle/xar/xar-1.6.1.tar.gz to wherever you want the executable xar-1.6.1 (xar 1.6dev doesn't support the options we need)
2. in xar-1.6.1/

./configure
make
sudo make install
sudo ln -s /full/path/to/xar-1.6.1/src/xar /usr/local/bin/xar161

Set up your certificates:
1. in safari/

mkdir certs/
xar161 -f appname.safariextz --extract-certs certs/

2. open Keychain Access and export your Safari Developer certificate to safari/certs/certs.p12 (use a blank password for certs.p12, and then use your Mac's password to export the cert)
3. in safari/certs/

openssl pkcs12 -in certs.p12 -nodes | openssl x509 -outform der -out cert.der
(same blank password)
openssl pkcs12 -in certs.p12 -nodes | openssl rsa -out key.pem
(same blank password)
openssl dgst -sign key.pem -binary < key.pem | wc -c > size.txt

It's possible that you can get the certificates from certs/cert.p12, and not need the --extract-certs step (and hence not need the extension built the official way), but I don't know openssl well enough, and it's only for the set up that you need that step anyway.

Once everything is set up, to sign the extension:
In safari/

xar161 -czf appname.safariextz --distribution appname.safariextension/
xar161 --sign -f appname.safariextz --digestinfo-to-sign digest.dat --sig-size `cat certs/size.txt` --cert-loc certs/cert.der --cert-loc certs/cert01 --cert-loc certs/cert02
openssl rsautl -sign -inkey certs/key.pem -in digest.dat -out sig.dat
xar161 --inject-sig sig.dat -f appname.safariextz
rm -f sig.dat digest.dat

This was all on a 2006 Snow Leopard MacBook, so it's possible things may be different on a machine that's more up to date.

Teepeemm
  • I've done everything above, got no errors and warnings during this procedure, but when I try to import the safariextz I get the error: Safari can’t install this extension, An error occurred while installing this extension. In the console I get com.apple.WebKit(41523) deny file-read-data /Applications/Safari.app. Any idea what's the problem? – Goran Radulovic Dec 05 '13 at 02:00
  • 1
    Found out what the problem was. I was using absolute paths to --distribution, so xar packed the absolute path to my build directory inside the extension package. Use relative paths when compressing with xar. – Goran Radulovic Dec 05 '13 at 03:59
  • Goran Radulovic: I'm getting the same error, even if path is ok. How can I open console to see error? – Alexander Beletsky Jun 26 '14 at 11:40
  • I believe it's impossible to do at the moment. Something has changed and Safari Developers certificate is no longer exported as `.p12` file. Otherwise, it's impossible to create corresponding keys. – Alexander Beletsky Jun 27 '14 at 09:35
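
A pre-signing check for two things the procedure above depends on (archive members packed relative to safari/, and key.pem belonging to cert.der), as an added example that is not part of the original answer or its comments. The function names and the sample listings are made up for illustration, and it assumes the listing comes from `xar161 -tf appname.safariextz`.

```shell
#!/bin/sh
# Added example: pre-signing checks. Function names and sample data are hypothetical.

# check_member_paths TOP_DIR   (archive listing on stdin, one member per line,
# e.g. from: xar161 -tf appname.safariextz)
# Returns 0 only if every member is TOP_DIR itself or lies beneath it.
check_member_paths() {
    top=$1 bad=0 seen=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        seen=1
        case $path in
            ..|../*|*/..|*/../*) reason="contains '..'" ;;
            /*)                  reason="absolute path" ;;
            "$top"|"$top"/*)     continue ;;
            *)                   reason="outside $top" ;;
        esac
        printf 'bad member: %s (%s)\n' "$path" "$reason" >&2
        bad=1
    done
    [ "$seen" -eq 1 ] || { echo "empty listing" >&2; return 1; }
    return "$bad"
}

# key_matches_cert KEY_PEM CERT_DER
# Returns 0 if the RSA private key and the DER leaf certificate share a modulus,
# 1 if they differ, 2 if openssl could not read one of the files.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    c=$(openssl x509 -inform der -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Constructed listings: the first is what a relative --distribution path yields,
# the second mimics a build-directory prefix (the exact form xar prints is assumed).
GOOD_LISTING='appname.safariextension
appname.safariextension/Info.plist
appname.safariextension/global.html'
BAD_LISTING='Users/me/build/appname.safariextension
Users/me/build/appname.safariextension/Info.plist'

printf '%s\n' "$GOOD_LISTING" | check_member_paths appname.safariextension \
    && echo "good listing: ok"
printf '%s\n' "$BAD_LISTING" | check_member_paths appname.safariextension 2>/dev/null \
    || echo "bad listing: rejected"
```

Both checks fit between the `-czf` step and the `--sign` step: `xar161 -tf appname.safariextz | check_member_paths appname.safariextension`, then `key_matches_cert certs/key.pem certs/cert.der`.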
4

Looks like there is a way to patch XAR with a signature option. http://code.google.com/p/xar/issues/detail?id=76#c0

gleuch