Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
Post Reply
User avatar
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

lithopsian wrote:Signing an extension that was once hosted on AMO, and still exists there, but without the new version being hosted at AMO, is also a pain.

Yeah, mine was. What with that and trying to change details later, I ended up changing the GUID three times.

Here's the answer to my max-version question - you don't resubmit, but bump compat in the AMO dev Panel every few months (you can only bump about 2 versions ahead of the release one) -

Code: Select all

Update Compatibility

Adjusting application information here will allow users to install your add-on [b]even [/b]if the install manifest in the package indicates that the add-on is incompatible
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

I assume the compatibility bump create a new signed xpi that can be downloaded?
User avatar
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

lithopsian wrote:I assume the compatibility bump create a new signed xpi that can be downloaded?

As far as I can tell, no. It seems that you keep the same .xpi and it will install on later Firefox versions OK, so long as it has been already been bumped in the Dev Panel.

Yeah, seems odd to me as well.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

No. Compatibility data is stored on whole separate file system on one of those amazon servers. When Firefox checks for "updates" the first thing it does is query that db and checks it against addons.json. If the local version number matches the version number in the db then it just bumps the compatibility numbers in addons.json. If the version numbers don't match then it asks for the full update from AMO. The only time Firefox ever cares about the compatibility numbers in the install.rdf in your extension is at first install. After that it just goes by addons.json.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

I might as well pile on some more to this heap. Beta versions of addons still cannot be uploaded. Unless they are 100% validation-perfect, which almost never happens. Tracking bug says it is fixed, but it still isn't working in the real world.
https://bugzilla.mozilla.org/show_bug.cgi?id=1172035
User avatar
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

lithopsian wrote:I might as well pile on ...

Me too. :)

I thought I'd already posted this bug here, but seems not - 'Extensions contained in signed add-ons with type=32 aren't properly signed' https://bugzilla.mozilla.org/show_bug.cgi?id=1172696
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

Frank Lion wrote:I thought I'd already posted this bug here, but seems not - 'Extensions contained in signed add-ons with type=32 aren't properly signed' https://bugzilla.mozilla.org/show_bug.cgi?id=1172696

This bug is now fixed. Type 32 devs now just get their .xpis signed on their own first and then add them to the Type 32 'bundle'.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Yaron10
Posts: 472
Joined: July 5th, 2011, 6:32 am

Re: Mandatory signing requirement for add-ons is coming

Post by Yaron10 »

Hello,

I'd like to modify Firefox source-code so that I can use unsigned extensions.
Are *all* the relevant files in omni.ja?

Thank you.

***
I haven't read all the posts in this thread. :)
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

None of the relevant files are in omni.ja. If it was that easy to defeat there would be no point in doing it as malware could just mod omni.ja. You would have to actually do a build and use the correct build-time switch.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Yaron10
Posts: 472
Joined: July 5th, 2011, 6:32 am

Re: Mandatory signing requirement for add-ons is coming

Post by Yaron10 »

Hi patrickjdempsey,

Thanks for the info. I really appreciate it.

I don't want to rebuild FF on each new version.
I suppose the alternative is the unbranded version.
Do you know if the exe file is going to be "firefox.exe"? (I know I can easily change that, but it's important to me).
And "branding" the unbranded version can be done by modifying files in omni.ja. Correct?

Best regards.
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

No clue. My browser of choice has thankfully opted out of that madness. But my guess would be that you cannot have your cake and eat it too.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Yaron10
Posts: 472
Joined: July 5th, 2011, 6:32 am

Re: Mandatory signing requirement for add-ons is coming

Post by Yaron10 »

Thanks again.

And your browser of choice?
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

Yaron10 wrote:Hi patrickjdempsey,

Thanks for the info. I really appreciate it.

I don't want to rebuild FF on each new version.
I suppose the alternative is the unbranded version.
Do you know if the exe file is going to be "firefox.exe"? (I know I can easily change that, but it's important to me).
And "branding" the unbranded version can be done by modifying files in omni.ja. Correct?

Best regards.

Who knows? Such a thing should now be available, but I haven't seen it yet.
Yaron10
Posts: 472
Joined: July 5th, 2011, 6:32 am

Re: Mandatory signing requirement for add-ons is coming

Post by Yaron10 »

Hi lithopsian,

Thank you. I hope you're doing well.

Do you mean the unbranded version is already available?

Best regards.
Post Reply