
As a follow-up to another question...

I wrote a commercial, proprietary (bootstrapped) addon that my client currently side-loads to the regular Firefox channel (not developer or nightly).

My understanding, based on the Mozdev article, is that if I wish my client to be able to continue using the regular Firefox channel from Firefox 57 onward, then after I've ported it to a WebExtension I need to have AMO sign my code, even if I'm privately distributing it.

> Self-distributed (unlisted) versions
>
> After accepting the Developer Agreement, choose the platforms your add-on supports and upload your add-on file. The file will be scanned by an automatic code validator which will show a number of warnings or errors, depending on what it detects. If no errors are found in your add-on package, your add-on management page will be created and your file will be immediately signed. You'll receive an email with instructions on how to download the signed file.

Q1. Is that correct? Do I really have to trust Mozilla with my source code?

Q2. If I choose to forego signing and have my client use the Nightly/Developer channel, are Mozilla likely to change their policy in the next few years?

David-SkyMesh
  • There is nothing that's changed regarding add-on signing in Firefox 57+. The same issues have been in existence since Firefox 48. Where have you gotten the impression that something has changed with respect to add-on signing in Firefox 57+? – Makyen Oct 24 '17 at 02:15
  • Note that it's also [possible to disable the check for add-on signatures on an installation by installation basis](https://stackoverflow.com/questions/31952727/how-can-i-disable-signature-checking-for-firefox-add-ons/42403531#42403531). – Makyen Oct 24 '17 at 02:24
  • @Makyen I've built Addons (not webextensions) before. Addons didn't need to be signed or could be self-signed. Webextensions (as of 57) must be signed by AMO or Firefox release channel won't load them. That's definitely a change from the perspective of private Addon distributors that have customers side-load. – David-SkyMesh Oct 24 '17 at 04:45
  • @Makyen that work-around you posted for signature checking in Release may indeed be what I was looking for if it represents a solution that won't be retcon'd by Mozilla in the next 2 years. – David-SkyMesh Oct 24 '17 at 04:49
  • *All* extensions (add-ons based on XUL, restartless, Add-on SDK, and WebExtensions) have *required* signing by Mozilla in order to be loaded into Firefox Release or Firefox Beta since Firefox 48. Add-ons could *not* be self-signed since FF48, it *always* required interaction with Mozilla. This is not changing in Firefox 57. It's possible to use Nightly, Developer Edition, Unbranded Beta and Unbranded Release to load extensions without the need to have them signed. But, again it's not a change in 57. The change in 57 is that the other types are completely not permitted (support removed). – Makyen Oct 24 '17 at 04:54
  • In order for something to have been self-signed, Mozilla would have had to release the private security certificate used to sign extensions. Doing so would have completely negated the requirement that extensions be signed by Mozilla. You may have been doing something that appeared as self-signing, but it would have involved in some way transmitting the code to Mozilla and having them sign it. – Makyen Oct 24 '17 at 04:57
  • @Makyen ... seemingly indicating that my clients are on FF versions prior to 48. Thanks for the clarification. – David-SkyMesh Oct 24 '17 at 04:57
  • @Makyen It's been a while, I believe it was https://developer.mozilla.org/en-US/docs/Signing_a_XPI (Self-signed) – David-SkyMesh Oct 24 '17 at 05:00
  • Yes, if they were on FF<48 (or any of the other FF>48 versions I mentioned above), then they could have installed an unsigned extension with just the need to change a preference in `about:config`. Note that if you are changing over to WebExtensions for your add-on, then you need to know which version of Firefox they are actually using, as WebExtension support is something that has been gradually improving since FF45, with many things not supported or buggy in earlier versions. – Makyen Oct 24 '17 at 05:01
  • @Makyen well all of these related questions have been toward me working out the feasibility of porting to webextensions. If I'm going to port, then it will be to latest Firefox (with channel being an option that's explained in terms of limitations to the customer). – David-SkyMesh Oct 24 '17 at 05:03
  • Yes, there was a way to actually self-sign an extension (and that's the correct, now outdated, doc), which gave users some assurance that the extension was coming from you. That all got tossed out the window when Mozilla decided that they were going to require extensions to be signed by Mozilla, or not able to be installed. Unfortunately, signing an extension with your own certificate, per that page, would have been completely ineffective at making it work with FF48+. – Makyen Oct 24 '17 at 05:05
  • As to the method for disabling signature checking in the answer I linked continuing to work: there's really no way to know. I did have to add to that code for Firefox 55, so it's certainly possible it will have to be changed for future releases. However, unless Mozilla drastically changes the way they organize their code (possible, who knows), the JavaScript code which is performing the actual check to require signing is shipped with Firefox. If necessary, it's possible to modify it directly, but that would have to be done on a per release/update basis instead of a per-installation basis. – Makyen Oct 24 '17 at 05:13

1 Answer

Q1. Yes, that is the situation. The self-distributed signing is done automatically. The code is not viewed. I am not sure if AMO archives the code either.

Q2. As answered in the other topic, in order to develop add-ons, it is necessary to have a Firefox edition that can run unsigned add-ons.

erosman
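Since the signed file comes back from AMO and is then side-loaded by the client, it is worth being able to confirm offline that what is being deployed is the signed artifact and has not been altered since signing. The following is an added example, not code from the post or from Mozilla; it assumes the JAR-style signed-XPI layout (META-INF/manifest.mf with base64 per-file digests, plus META-INF/mozilla.sf and META-INF/mozilla.rsa) and verifies only the digest manifest, not the PKCS#7 signature chain that Firefox checks at install time.

```python
"""Integrity check for a Mozilla-signed XPI (added example, not from the post).

Assumed layout: META-INF/manifest.mf lists every file with base64 digests;
META-INF/mozilla.sf and META-INF/mozilla.rsa carry the signature over it.
Only the digest manifest is verified here, not the PKCS#7 signature itself.
"""
import base64
import hashlib
import io
import zipfile

SIG_FILES = ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa")


def parse_manifest(text):
    """Return {name: base64 SHA256 digest} from a JAR-style manifest.mf."""
    digests = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Name" in fields and "SHA256-Digest" in fields:
            digests[fields["Name"]] = fields["SHA256-Digest"]
    return digests


def check_xpi(data):
    """Return (ok, problems): unsigned archive, digest mismatches, or files
    present in the archive that the signed manifest does not cover."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        missing = [f for f in SIG_FILES if f not in names]
        if missing:
            return False, ["unsigned: missing " + ", ".join(missing)]
        expected = parse_manifest(z.read("META-INF/manifest.mf").decode())
        for name in sorted(names - set(SIG_FILES)):
            if name.endswith("/"):
                continue  # directory entry, nothing to digest
            actual = base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode()
            if name not in expected:
                problems.append(f"{name}: not covered by manifest (added after signing?)")
            elif expected[name] != actual:
                problems.append(f"{name}: SHA256 digest mismatch (modified after signing)")
    return not problems, problems


def build_sample_xpi(tamper=False):
    """Constructed sample XPI: one manifest.json and a matching manifest.mf.
    mozilla.sf/.rsa are placeholders; tamper=True edits the file after 'signing'."""
    manifest_json = b'{"manifest_version": 2, "name": "demo", "version": "1.0"}'
    digest = base64.b64encode(hashlib.sha256(manifest_json).digest()).decode()
    mf = f"Manifest-Version: 1.0\n\nName: manifest.json\nDigest-Algorithms: SHA256\nSHA256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", manifest_json + (b"\n" if tamper else b""))
        z.writestr("META-INF/manifest.mf", mf)
        z.writestr("META-INF/mozilla.sf", "Signature-Version: 1.0\n")
        z.writestr("META-INF/mozilla.rsa", b"<pkcs7 placeholder>")
    return buf.getvalue()
```

A real signed XPI from AMO can be passed to `check_xpi` as raw bytes; an archive with no META-INF entries is reported as unsigned.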