When I was looking for a step-by-step instruction to sign JavaScript code to gain additional privileges when being run in Firefox, I visited https://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html. Not much can be gained from the site because it is assumed that you already possess a public key certificate that entitles you to sign code. But, there was one thing that caught my attention.

It was the following instruction to create an XPI file.

$ zip test.xpi META-INF/zigbert.rsa
$ zip -r -D test.xpi * -x META-INF/zigbert.rsa

I was wondering why META-INF/zigbert.rsa should be zipped first before the rest.

Not long after that, I found out the reason on http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thr....

Newsgroups: mozilla.dev.tech.crypto
From: Kaspar Brand 
Date: Tue, 12 Jun 2007 13:40:34 +0200
Local: Tues, Jun 12 2007 1:40 pm
Subject: Re: Signtool : signing firefox xpi

I suggest you use "-X -Z myextension.xpi" with signtool, this will
create a correct XPI file (META-INF/zigbert.rsa must be the first file
in the XPI archive, this might be the problem in your case). 

To conclude, META-INF/zigbert.rsa must be the first file in the ZIP/XPI archive because Firefox requires it to be so.