Answer: Firefox plugin signing

[akavel]

Hi! Found your article on HN. I recently experimented with developing my own first tiny webextension for Firefox, and yes, to permanently install it outside debugging, it's enough to get it signed. I did it by uploading the plugin as a zip file to addons.mozilla.org. I had to create an account there, but other than that it's just a few steps - registering the addon and uploading new version's zip. I did it following some "your first webextension" Mozilla tutorial I believe, though I don't have a link handy at this moment to quickly share with you. I recall there were a few options explained for publishing, I chosen one with manual uploading to addons.mozilla.org as it seemed easiest for first try for me, and I didn't want to install some npm-based CLI tool they mentioned in the other options. After the procedure, you need to wait a while until the new version shows up as "Accepted", then you can download the .xpi they generated for you, and it works permanently. It seems to use some JAR-like signing, there's a META-INF directory in the .xpi after the "Accepted" status shows up.

edit: ok found the link, had it noted in the script: https://extensionworkshop.com/documentation/publish/package-your-extension/#package-linux -> then check out the "up next" links at the bottom of the page ("Submitting an add-on", etc.)

[jtagcat]

They don't sign everything, especially if you use experimental APIs etc. Not sure yet, if this project does; but for a workaround, see how https://github.com/numirias/paxmod does stuff.

For local non-temporary installation, you can go to about:addons → Install add-on from file.

.xpi is just .zip

Most zippers make a subfloder in the zip, this can not do. Files (the manifest.json) must be at the root of the zip.

[osnr]

Interesting, thanks for the report!

I'm glad to hear you can distribute the signed extension without going through the store. Maybe that could be a continuous integration step to generate those XPI files on each push. I didn't really want to use the store outright because you still need FUSE and the native application on your computer anyway (or can you distribute those automatically with the extension?), so I felt like there would still be a fairly involved install process.

I do want people to feel comfortable modifying the extension source code, so I'm not thrilled about potentially distributing it as a sealed-and-signed binary; the main reason to do it would be to avoid that temporary-add-on constraint. Maybe there are other ways to get that extensibility while keeping the extension signed.

[jtagcat]

/shrug I haven't tested it yet (I have my dear 3k tabs open).

From what I read, this is not ready for prod at all, so directing for temporary installation would not hurt.
The person looking to install this per mentally could find or be directed to #4.

[bjesus]

AFAIK, to permanently install an unsigned extension on Firefox one needs to user Developer Edition and set "xpinstall.signatures.required" to false. Here's a built version of the extension (made with web-ext build) you can then install as a file: https://host.yoavmoshe.com/store/tabfs.xpi

Signing in general shouldn't be an issue, but because of the APIs used by the extension it must have a unique ID. Firefox doesn't seem to allow multiple signatories per extension ID, so one has to edit the browser_specific_settings.gecko.id to some unique ID and only then they can run web-ext sign. However, after doing this I had to change the APP_NAME in background.js and install.sh according to my new extension ID, and I feel a little strange uploading an extension with my name on it even though all I did was search and replace over someone else's great work.

I assume the unsigned version should be fine to most Firefox users, but maybe I'm mistaken to think we're all using Developer Edition. Anyway it doesn't seem like there's a problem getting the extension signed.

[jtagcat]

(warn don't download from a random person from the internet's site, you may use this instead:)

#!/bin/bash
7z a extension.xpi ./extension/{*,.[!.]*}

Yeah I have the tweaks made and live on Developer..

[bjesus]

Not more random than any of us, I think? but like you said, .xpis are just .zips. Feel free to unzip and check do whatever checksum comparison you want, or better, run web-ext build yourself. Just thought it could save people some time 🤷