Firefox nixExtensions unverified and disabled by firefox

[GovanifY]

Describe the bug

After updating my NixOS configuration through nixos-install (had to reinstall the bootloader), my nix-managed firefox extensions wouldn't load no matter what, firefox complaining about them being unsigned. xpinstall.signatures.required is indeed lockPref'd to false, but that doesn't seem to change anything, and firefox willfully ignores its own configuration.

Steps To Reproduce

Install any extensions by adding nixExtensions in a firefox overlay. The extensions I used are in the additional context section although I doubt they are relevant to this particular bug.

Expected behavior

Extensions not being disabled.

Screenshots

Additional context

             nixExtensions = [
              (
                pkgs.fetchFirefoxAddon {
                  name = "ublock-origin";
                  url = "https://github.com/gorhill/uBlock/releases/download/1.35.2/uBlock0_1.35.2.firefox.xpi";
                  sha256 = "177pxq2raaap2g024xqsmyl0bnx02fg35j3q93p1sznp8yfi00ns";
                }
              )
              (
                pkgs.fetchFirefoxAddon {
                  name = "decentraleyes";
                  url = "https://git.synz.io/Synzvato/decentraleyes/uploads/a36861e0609e43d87379805ca0db063f/Decentraleyes.v2.0.15-firefox.xpi";
                  sha256 = "1pvdb0fz7jqbzwlrhdkjxhafai70bncywdsx3qsw3325d28hcm15";
                }
              )
              (
                pkgs.fetchFirefoxAddon {
                  name = "stylus";
                  url = "https://addons.mozilla.org/firefox/downloads/file/3732726/stylus-1.5.17-fx.xpi";
                  sha256 = "02cgwp5fc4zmnhikly5i8wydyi885namazgc7r9ki2dzgq67f3bd";
                }
              )
              (
                pkgs.fetchFirefoxAddon {
                  name = "noscript";
                  url = "https://addons.mozilla.org/firefox/downloads/file/3778947/noscript_security_suite-11.2.8-an+fx.xpi";
                  sha256 = "0rrlhlzljlmgns7j49c43ilb8wij2zcysrbpap1xxsfbkbczji27";
                }
              )
              (
                pkgs.fetchFirefoxAddon {
                  name = "forget-me-not";
                  url = "https://addons.mozilla.org/firefox/downloads/file/3577046/forget_me_not_forget_cookies_other_data-2.2.8-an+fx.xpi";
                  sha256 = "1qrbfsf5vmbyis29mhlmwb6dj933rrwpislpg0xi8b4r9xplb107";
                }
              )
            ];

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.12.19-hardened1, NixOS, 21.11pre304626.8ecc61c91a5 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.14`
 - channels(root): `"nixos-21.11pre304626.8ecc61c91a5, home-manager, nixos-mailserver"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: firefox
# a list of nixos modules affected by the problem
module:

[GovanifY]

The issue seems to be coming from this place in firefox's logic:

XPCOMUtils.defineLazyPreferenceGetter(
  AddonSettings,
  "INSTALL_REQUIREBUILTINCERTS",
  PREF_INSTALL_REQUIREBUILTINCERTS,
  !AppConstants.MOZ_REQUIRE_SIGNING &&
    !AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")
);

Since, on my config, I do not use firefox-esr (or change the policies to have a postfix for that matter as it seems it would do the exact same thing) and the official branding is enabled by default in nixOS, this check fails. MOZ_REQUIRE_SIGNING needs to be unset, which either require setting it up inside the makeFlags of the package or force disabling the official branding.

I'm recompiling my firefox without branding and will see how that turns out

[stale[bot]]

I marked this as stale due to inactivity. → More info

[buckley310]

Is this still an issue, and if so can you post an updated Firefox configuration? Briefly tried writing one, but it appears I'm not getting it right.