self-signing librewolf

1password integration for unsigned browsers on windows

2026-02-04

I use LibreWolf as my daily driver web browser and 1Password as my password manager. Notionally, 1Password supports integration between the browser extension and the desktop app via native messaging, but this traditionally didn't work for non-blessed browsers (Chrome, Firefox, Safari, eventually Brave and Arc).

This is to protect against anything else on your computer pretending to be the browser and stealing all your credentials, since the pipe provided by the native messaging host (NMH) is privileged and has complete access to whatever vaults are decrypted in the native app. The NMH checks both browser identity and code signature validity to ensure that its parent process really is the browser it says it is.

Recently, AgileBits has opened up the ability for end users to add entries to their local browser whitelist -- they did this on Linux and macOS first, but the change was also recently rolled out to Windows, which is my lowest-potential-energy OS platform. I was excited to finally not have to sign into the browser extension every 10 minutes, but unfortunately, LibreWolf doesn't yet provide code-signed executables, though they're working with OSSign (who appear to be swamped with requests for certs) to remedy this. In the meantime, the 1Password browser integration doesn't work because the code signature check fails.

I resolved this by creating a local self-signed cert, adding it as a root CA, and signing the executable myself. Evidently, 1Password doesn't embed its own CA trust bundle, because this works fine.

In an admin PowerShell session:

# create cert
> New-SelfSignedCertificate -DnsName you@name.com -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My

# reimport the cert as a trusted publisher and root ca
# ([0] picks the first code-signing cert in the store, so this assumes the new cert is the only one there)
> Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath codesigning.crt
> Import-Certificate -FilePath codesigning.crt -CertStoreLocation Cert:\CurrentUser\TrustedPublisher
> Import-Certificate -FilePath codesigning.crt -CertStoreLocation Cert:\CurrentUser\Root

# sign librewolf executable
> signtool sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "C:\Program Files\LibreWolf\librewolf.exe"

Obviously, be careful with the self-signed cert, since your system now trusts any software and TLS connections signed with it. You'll need signtool for this as well, which is part of the Windows SDK, but here's mine (Microsoft code signature intact) -- it seems to work fine standalone.
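
To keep that trust change auditable and reversible, here is an added example (not part of the original post) that lists every copy of the self-signed cert, checks that librewolf.exe is currently signed by it, and removes the cert and its private key again. The function names are hypothetical; the subject `CN=you@name.com` and the install path are taken from the commands above and should be adjusted to your own values.

```powershell
# Added example, not the post author's code. $Subject and $Exe mirror the
# placeholder values used in the commands above.
$Subject = 'CN=you@name.com'
$Exe     = 'C:\Program Files\LibreWolf\librewolf.exe'
$Stores  = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\CurrentUser\Root'

function Get-LocalSigningCert {
    # Every copy of the self-signed cert, the store it lives in, and whether
    # that copy carries the private key (only the one in My should).
    foreach ($store in $Stores) {
        Get-ChildItem $store | Where-Object Subject -eq $Subject |
            Select-Object @{n='Store'; e={$store}}, Thumbprint, NotAfter, HasPrivateKey
    }
}

function Test-LibreWolfSignature {
    # True only if the Authenticode signature validates AND the signer is our
    # own cert. A browser update replaces the executable, so this returns
    # False until the new file is signed again.
    $sig  = Get-AuthenticodeSignature -FilePath $Exe
    $mine = (Get-LocalSigningCert | Where-Object HasPrivateKey).Thumbprint
    return ($sig.Status -eq 'Valid') -and ($mine -contains $sig.SignerCertificate.Thumbprint)
}

function Remove-LocalSigningTrust {
    # Undo the trust change: delete the cert from all three stores and destroy
    # the private key so it cannot be used to sign anything else.
    foreach ($store in $Stores) {
        Get-ChildItem $store | Where-Object Subject -eq $Subject | ForEach-Object {
            if ($_.HasPrivateKey) { Remove-Item $_.PSPath -DeleteKey }
            else                  { Remove-Item $_.PSPath }
        }
    }
}

Get-LocalSigningCert | Format-Table -AutoSize
"Signed by local cert: $(Test-LibreWolfSignature)"
```

Run `Remove-LocalSigningTrust` once LibreWolf ships signed builds; Windows shows a confirmation dialog when a certificate is removed from the CurrentUser root store.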