How do you retrieve the extension ID from the xpi file? (It is needed f.ex. for global extension installation)

In previous versions, you could get it from the install.rdf, which no longer exists in WebExtensions. http://www.di-mgt.com.au/how-mozilla-signs-addons.html describes that it is contained in the META-INF/mozilla.rsa file.

In python, there is the pyasn1 library. I could not get it to work on the first attempt:

from pyasn1.codec.der import decoder
f = open('/path/to/addon-dir/META-INF/mozilla.rsa')
decoder.decode(f)

gave

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 623, in __call__
    raise error.PyAsn1Error('Bad octet stream type')
pyasn1.error.PyAsn1Error: Bad octet stream type

The decode method want a buffer (string), not a file object. Use:

from pyasn1.codec.der import decoder
buf = open('/path/to/addon-dir/META-INF/mozilla.rsa').read()
decoder.decode(buf)

Worked for me.

Edit:

The pyasn1_modules package includes classes that represent some common PKCS structs. You can start with something like this:

from pyasn1.codec.der import decoder as der_decoder
from pyasn1_modules import rfc5652, rfc2315, rfc5280

mozPath = "/path/to/mozilla.rsa"
buf = open(mozPath,"rb").read()
contentInfo = der_decoder.decode(buf, asn1Spec=rfc5652.ContentInfo())[0]

if contentInfo[0] != rfc2315.signedData:
    # fail...

signedData = der_decoder.decode(contentInfo[1], asn1Spec=rfc5652.SignedData())[0]

print(signedData.prettyPrint())

This produces output similar to openssl asn1parse -inform DER -in mozilla.rsa (I myself prefer pyasn1's indentation over openssl's "d=depth".)

If you want to further parse it using pyasn1 you can try something like:

for cert in signedData["certificates"]:
    subject = cert["certificate"]["tbsCertificate"]["subject"]
    for rdn in subject["rdnSequence"]:
        if rdn[0][0] == rfc5280.AttributeType("2.5.4.3"):
            cn = rdn[0][1].asOctets()[2:]          ### Not nice
            if cn != "production-signing-ca.addons.mozilla.org":
                print cn

The major problem is here is that I'm doing something kind awful to get the string in the marked line, but except for this I don't think you can get much better.

If you find out how to get the string properly please share.

This hack worked:

openssl asn1parse -inform DER -in mozilla.rsa  | grep -A 1 commonName | grep '{' | cut -d ':' -f 4

It relies on

• the output of asn1parse, and
• that the only commonName with a { belongs to the id

Anything more elegant is appreciated.