Signed extension displaying warning on 40.0.3

[tom-giga]

Hi All,

I have an issue that I am not understanding currently and I thought I would reach out.

I have an extension that I designed about 3 years ago that has worked without having to do any maintenance. Every year I have updated the code signing certificated (Thawte) and repackaged the XPI.

This year my customer gave me a new certificate (Symantec) that supposedly was a Thawte based certificate. At least that is what I was led to believe. At any rate, I signed and repackaged the XPI – sign tool succeeded without error. Then I installed the extension on Firefox 40.0.3, I now get a warning stating that the extension could not be verified. The extension is enabled and is working, but the warning is driving me crazy.

So obviously either the certificate is not correct, or there is something I am missing in the install RDF file.

Any help would be appreciated.

Thanks,
Tom

[WaltS48]

You didn't submit it to Mozilla to be signed. Probably.

Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted.

Addons/Extension Signing - MozillaWiki

[patrickjdempsey]

I am not sure that Mozilla allows 3rd party signing anymore. I believe all extensions have to be uploaded to and signed by AMO.

https://wiki.mozilla.org/Addons/Extension_Signing

[lithopsian]

Yes, this warning is about a type of signing that must be done by AMO. I'm sure your certificate is valid and the RDF is correct, but you also need to submit it to AMO to be signed by them. They will modify the xpi to include information that identifies it as valid. Every time the xpi file is modified, it will have to be re-submitted. As an alternative, it may be possible for limited client bases to install an "unbranded" version of Firefox that does not enforce signing. Such a thing is promised but not yet issued. Unsigned addons will be unable to run in normal Firefox releases starting with 44 (maybe), so you'll probably get warnings until then.

Incidentally, the type of signing you are doing is largely obsolete. I don't know exactly why it needs to be signed, but I'm guessing it is hosted outside AMO. That is now done very easily from an https address, which is available in most cases.

[tom-giga]

Lithopsian - thanks for your reply. Looks like after 4 years i will have to migrate this extension to the new environment. How long will the old XPI format be supported? Is there a web page that will give me more details? Thanks again for the clarifications.

[lithopsian]

Lithopsian - thanks for your reply. Looks like after 4 years i will have to migrate this extension to the new environment. How long will the old XPI format be supported? Is there a web page that will give me more details? Thanks again for the clarifications.

Maybe a third thing? Overlay-style extensions will be deprecated in the next 1-2 years. How long they will continue to work is anybody's guess. Maybe small things will be allowed to fail along the way until they are completely non-viable. No real details yet, just an expression of intent:
https://blog.mozilla.org/addons/2015/08 ... x-add-ons/

Slightly more surprising, parts of the addon SDK will also be deprecated, basically all access to low-level APIs. None of this should affect you right now. The current addon formats continue to work, just they will need to be signed, or your users will have to run special versions of Firefox. Also possibly you will need to make changes so they work in the multi-process mode:
https://developer.mozilla.org/en-US/Fir ... ss_Firefox

Perhaps I shouldn't have mentioned the https issue, it may have just confused things further. However, it is a simple way of avoiding messing with update keys:
https://developer.mozilla.org/en-US/Add ... #updateURL

[tom-giga]

Thank you!