Mandatory signing requirement for add-ons is coming

Post by LoudNoise »

A question.

I know a fellow who writes an extension. Due to medical issues (a notable fall), he hasn't updated it for the last couple of versions but hopes to get back to it in a couple of months. Will the existing, non-working version be automatically signed or should he throw together something that does so he won't have to go through the BS?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

Post by patrickjdempsey »

AMO considers everything that is maxVersion of 4.0 or higher, which does not fail over a certain number of validation checks to be compatible... and an automated system marks them as compatible.

AMO also has a system that flags extensions which are using deprecated APIs in Aurora. So if by chance the extension we are talking about just happened to rely on an API that was removed in Firefox 40 (and reported by the developer who removed it as important) then that extension would not automatically be version-bumped as compatible. That case should cause the developer to be notified by email that they need to update their extension. The chances of that happening are extremely rare simply because the mechanism for polling deprecated APIs isn't very good and broken extensions get automatically bumped every version. It's far more likely that a broken extension would be automatically version bumped and automatically signed even though it doesn't work than the opposite.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Post by therube »

Hmm, I wonder?

I'm thinking that while the .xpi itself may not work, the actual Plugin would? Simply by copying the .dll into a /plugins/ directory?

So the intent with signing is to block malicious "extensions" (type 2), so typically a .xpi.
But what if the malware doesn't use an extension, per se, but instead drops a malicious .dll into Profile/plugins/?
Say some malicious 'npwidevinemediaoptimizer.dll' gets dropped there.
No .xpi involved, so no signing needed, but the .dll provides the necessary piece to "get the job done".
Will something like that fly?

(You might think that you would get a "UAC-like" prompt on detection of a new Plugin that hasn't been specifically accepted, or at the least anything "new" would automatically be set to a 'Never activate' status?)


Themes, dictionaries, language packs, and plugins don't need to be signed.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Post by patrickjdempsey »

I'm not sure that a plugin can actually do anything unless it is requested. I DO wish Mozilla would automatically mark new plugins as Ask to Activate.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Post by sonthakit »

I tried to upload my add-ons to be signed to see what happens (bookmark favicon changer, gmail watcher, hotmail watcher, yahoo mail watcher, yandex mail watcher).

It returns the error "Duplicate UUID found".

So I think the error comes from the history that these add-ons had been at AMO in the past. When I changed to self-hosting, I cannot get it signed even though Mozilla had deleted it from their store.

... I just want to tell my users that I had tried to sign but failed. Sorry to my users.

Sonthakit

Post by patrickjdempsey »

You should probably contact someone at AMO or file a bug against that. If an extension has been removed, AMO needs to purge the GUID. Creating a new GUID is not a solution because then it will not automatically update and users who install the signed extension will end up with two identical extensions, which could cause serious problems.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Post by LoudNoise »

You might want to enter a bug at Bugzilla. This entire thing reeks of something driven by marketing. Also, knowing Mozilla, you might want to clear your Mozilla cookies.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

Post by therube »

patrickjdempsey wrote:AMO needs to purge the GUID

Maybe they might want to keep deprecated GUID around for something like blocklist usage?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Post by WaltS48 »

sonthakit wrote:I tried to upload my add-ons to be signed to see what happens (bookmark favicon changer, gmail watcher, hotmail watcher, yahoo mail watcher, yandex mail watcher).

It returns the error "Duplicate UUID found".

So I think the error comes from the history that these add-ons had been at AMO in the past. When I changed to self-hosting, I cannot get it signed even though Mozilla had deleted it from their store.

... I just want to tell my users that I had tried to sign but failed. Sorry to my users.

Sonthakit


All use the same UUID? Maybe they need a unique UUID for each extension.

Add-ons must use a single unique ID during their entire lifetime.

Using the same ID for multiple products, or multiple IDs for a single product, can lead to problems with automatic updates as well as blocklisting conflicts. Add-ons may change their IDs due to ownership changes, as they commonly use an email address-like format (e.g., personasplus@mozilla.com).


Add-on guidelines - Mozilla | MDN
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5

Post by Frank Lion »

WLS wrote:All use the same UUID?

No.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.

Post by lithopsian »

therube wrote:
AMO needs to purge the GUID

Maybe they might want to keep deprecated GUID around for something like blocklist usage?

If you explicitly delete an addon, the UUID is available immediately for re-use. I don't know how this addon was "removed", but I suspect it never actually was. Perhaps just "disabled" so still there really.

Post by patrickjdempsey »

Actual *deletion* of extensions was not available until relatively recently. I actually only noticed it a few months ago because I have dozens of "test" extensions just sitting there with no way to get rid of them for years.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Post by mightyglydd »

Philip Chee wrote:
jimfitter wrote:Patrick, LCD Clock is an extension that hasn't been supported in at least 7-8 years, yet still works fine today, with compatibility disabled. You won't find it on AMO.
It was originally made by Bloodeye. viewtopic.php?f=19&t=376281
I have version 0.3. PM me if you want it.

I have 0.4.2 on my website: http://xsidebar.mozdev.org/modifiedmisc.html#lcdclock
Phil

Hmm.. I just got an update from 0.4.2 to Clocki 0.4.6 (unsigned)?

<!-- FireFox -->
<em:targetApplication>
  <Description>
    <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
    <em:minVersion>1.5</em:minVersion>
    <em:maxVersion>42.0</em:maxVersion>
  </Description>
</em:targetApplication>

Not that I'm complaining but how did this happen, it's not at AMO :-k SeaMonkey too..Do we have a tooth fairy :)
#KeepFightingMichael and Alex.

Post by patrickjdempsey »

The entire install.rdf would have been more informative... especially the bit that specifies (or not) an update source.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Post by mightyglydd »

Your wish is...

<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">

  <Description about="urn:mozilla:install-manifest">

    <!-- em:id="lkopi@pkp.net"
    Front End MetaData -->
    <em:id>lcdclock_bloodeye@gmail.com</em:id>
    <em:name>Clocki</em:name>
    <em:version>0.4.6</em:version>
    <em:description>An LCD looking clock</em:description>

    <em:creator>Bloodeye</em:creator>
    <em:contributor>menet fr-FR</em:contributor>
    <em:contributor>MetalStream es-AR</em:contributor>
    <em:optionsURL>chrome://lcdclock/content/options.xul</em:optionsURL>
    <!-- <em:aboutURL>chrome://____EXTENSION_NAME____/content/_____XUL_FILE_NAME_____</em:aboutURL> -->
    <em:iconURL>chrome://lcdclock/skin/exticon.png</em:iconURL>

    <!-- FireFox -->
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.5</em:minVersion>
        <em:maxVersion>42.0</em:maxVersion>
      </Description>
    </em:targetApplication>

    <!-- Thunderbird -->
    <em:targetApplication>
      <Description>
        <em:id>{3550f703-e582-4d05-9a08-453d09bdfdc6}</em:id>
        <em:minVersion>3.0a1pre</em:minVersion>
        <em:maxVersion>42.0</em:maxVersion>
      </Description>
    </em:targetApplication>

    <!-- SuiteRunner -->
    <em:targetApplication>
      <Description>
        <em:id>{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}</em:id>
        <em:minVersion>1.5a</em:minVersion>
        <em:maxVersion>2.38</em:maxVersion>
      </Description>
    </em:targetApplication>

  </Description>
</RDF>
#KeepFightingMichael and Alex.
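
An added example, not part of the original thread or of Mozilla's tooling: a Python audit of install.rdf manifests that reports whether an em:updateURL is declared (the "update source" asked about above) and flags one add-on ID reused by several add-ons (the "Duplicate UUID" case discussed earlier). The `watcher@example.invalid` manifests, the `sample` helper and the function names are constructed for illustration; a manifest with no em:updateURL leaves update checks to the application's default update service.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def prop(node, name):
    """Read an em: property written as a child element or as an attribute."""
    child = node.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return node.get(EM + name)

def audit_manifest(rdf_text):
    """Summarise identity, update source and target apps of one install.rdf."""
    root = ET.fromstring(rdf_text)
    manifest = next(d for d in root.iter(RDF + "Description")
                    if "urn:mozilla:install-manifest" in (d.get("about"), d.get(RDF + "about")))
    targets = {}
    for app in manifest.findall(EM + "targetApplication/" + RDF + "Description"):
        targets[prop(app, "id")] = (prop(app, "minVersion"), prop(app, "maxVersion"))
    # update_url is None when the manifest names no update source of its own.
    return {"id": prop(manifest, "id"), "name": prop(manifest, "name"),
            "version": prop(manifest, "version"),
            "update_url": prop(manifest, "updateURL"), "targets": targets}

def duplicate_ids(audits):
    """Return {add-on ID: sorted names} for IDs claimed by more than one add-on."""
    seen = defaultdict(set)
    for a in audits:
        seen[a["id"]].add(a["name"])
    return {i: sorted(n) for i, n in seen.items() if len(n) > 1}

def sample(addon_id, name, extra=""):
    """Constructed install.rdf in the same layout as the one posted above."""
    return ('<?xml version="1.0"?><RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
            ' xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            f'<em:id>{addon_id}</em:id><em:name>{name}</em:name>'
            f'<em:version>0.4.6</em:version>{extra}<em:targetApplication><Description>'
            '<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id><em:minVersion>1.5</em:minVersion>'
            '<em:maxVersion>42.0</em:maxVersion></Description></em:targetApplication>'
            '</Description></RDF>')

CLOCKI = audit_manifest(sample("lcdclock_bloodeye@gmail.com", "Clocki"))
SELF_HOSTED = audit_manifest(sample("watcher@example.invalid", "Mail Watcher A",
    "<em:updateURL>https://example.invalid/update.rdf</em:updateURL>"))
CLASH = audit_manifest(sample("watcher@example.invalid", "Mail Watcher B"))
print(duplicate_ids([CLOCKI, SELF_HOSTED, CLASH]))
```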