Open Samega7Cattac opened 5 years ago
We got this email from the review team, which seemed scary, so I took down the addon. I'm not sure what to do moving forward, while keeping the addon useful. What do you guys think?
Dear Chrome Store Foxified developers,
We are noticing an increased risk for users that use this add-on to convert Chrome extensions to Firefox add-ons. Indications show that a significant amount of those converted add-ons compromise the user's safety, privacy and security. Additionally, users are stuck on an old, potentially unsafe or insecure version and will never receive updates. Also, those users are often unaware they are considered add-on developers and responsible for the add-on and the code submitted.
Therefore, we need to ask you to remove the AMO signing integration from this add-on. Users can still download and/or install the add-on temporarily, but if they really want to sign it, they have to do it on their own.
We ask that you submit a new version to us that follows this request by the end of the month.
Thank you for your understanding,
The Add-ons team
Haven't you found a way to circumvent that AMO error? Did you get to try domain fronting? The workaround is indeed very problematic and couldn't be allowed for too long, just like the email states.
Yeah, I can do domain fronting, I posted a file for people to try. However, AMO reviewers don't want this. Maybe someone would have to work with the reviewers to find a way we can still sign it. Maybe asking them what if we implement something to automatically check for updates every day.
Where can I find docs about AMO and what you're trying to do? What I find is very general.
There's no docs on this, it's just working with the AMO reviewers to convince them it's ok. I usually find we can't convince them, but there is probably another way that they'll allow. So we have to work with them to find a middle ground.
Yeah, if they don't like the domain fronting then they have to tell you what to use instead.
Or maybe they're suggesting that the Chrome Web Store allows any garbage to be published? They're probably just going to ask you to prompt the user to create a Firefox Account and to warn about the implications of signing and publishing addons before every conversion.
Why do you need an account to install add-ons?
Why do you need an account to install add-ons?
Because Mozilla requires all addons to be signed, as a security measure. If it's signed, it complies with their standards and the user can trust it.
This addon in particular converts a Chrome extension to a Firefox one, and then it needs a Mozilla signature so it can be installed. This is a serious security breach because it can convert pretty much anything by anyone without any programming knowledge and it also allows the converted extension to be shared with other users.
After that I'm not sure but I think that in the end, the user who signed the converted addon will be held accountable for whatever happens.
To clarify:
https://github.com/Noitidart/Chrome-Store-Foxified/issues/135#issuecomment-543118631
… If it's signed, it complies with their standards and the user can trust it. …
Not so. Many untrustworthy extensions are signed.
https://github.com/Noitidart/Chrome-Store-Foxified/issues/135#issuecomment-543092786
Why do you need an account to install add-ons?
You do not.
From what I heard, if you go to about:config and change the value of xpinstall.signatures.required from true to false, you could possibly install unsigned extensions.
I have no problem using the current version of Firefox Dev (77.0b9) with CSF 3.4 and xpinstall.signatures.required set to false in about:config.
I can go to the Chrome Web Store, click the "Add to Firefox" and it will install the addon from a blob:moz-extension:// URI. "It just works." (Instant Upload disabled in CSF settings.)
I recall in previous versions of FF Dev (in 2018-2019) I would be able to use a workaround to save the XPI file to disk, and then manually install the XPI in developer mode. But I never had to use FF 56 like the GitHub readme.md suggests doing.
If I'm not mistaken, being unable to install extensions from blob:moz-extension:// URIs was the blocking feature that kept CSF from being updated per this comment by @Noitidart. From what I can tell it's been resolved, at least in FF Dev. The blob method is working fine.
I'm not the best code sleuth, but the behavior may have changed when FF added support to install UserScripts natively in version 68 or 69. (See this Bugzilla entry.) That would've been less than a year ago. It might also have been this change which was only implemented in FF 77 a month ago.
I don't think I have any other relevant changes in about:config to make it work.
I urge anyone interested to try it on the latest Firefox Developer edition and see if it "just works."
If you can't replicate my success I will dig further into what I might have changed to allow CSF to start working again.
CSF is no longer on AMO but there is an archive of CSF 3.4 on the WayBack Machine.
Take this Chrome extension, for example (I picked it at random). This is the part that didn't work in older versions: This is the prompt we want to get to so it will install. And now it's installed. Yellow warning in about:addons because it's unsigned. But it works just fine, and persists after restarting the browser.
I think being able to install unsigned Chrome extensions is probably fine for most users, without worrying about the upload to AMO.
I'm using Firefox 77 and indeed it doesn't complain about signing, but it still doesn't install because of this issue #139
Have you tried installing Chrome Store Foxified 3.4 from the WayBack Machine?
It works for me.
Have you tried installing Chrome Store Foxified 3.4 from the WayBack Machine?
It works for me.
I don't know if necroposts are frowned upon in GitHub, so apologies if I shouldn't be doing this, but that version doesn't work for me. The extension I'm trying to install with Chrome Store Foxified is just stuck on parsing. Is there any other workaround method?
I can replicate your experience where clicking the "Add To Firefox" button causes Chrome Store Foxified to get stuck on "Parsing".
The "Parsing" step is not about the extension itself, but rather parsing the Chrome Web Store to determine the url to retrieve the actual .crx file for the Chrome extension. Since my post 9 months ago, something must have changed on Chrome Web Store that breaks Chrome Store Foxified's webscraping algorithm.
However, the actual conversion function still works!
What you will have to do is manually download the .crx file for the Chrome extension and use Chrome Store Foxified's option to select a local file from your computer to convert. It's on the right-hand side of the CSF Dashboard, which you can access directly by opening the Firefox Addons Manager, clicking the "..." menu for CSF and choosing Options.
You might find some third-party tool to assist you in downloading the .crx file, but it is easy to do manually if you construct the URL as follows:
https://clients2.google.com/service/update2/crx?response=redirect&prodversion=89.0.4389.90&acceptformat=crx2,crx3&x=id%3D[EXTENSION_ID]%26uc
Just replace the [EXTENSION_ID] including brackets with the text string comprising the last path segment of the URL of the extension's Chrome Web Store page.
For example, if you want to convert GIPHY for Chrome you would find it on the Chrome Web Store at this url:
https://chrome.google.com/webstore/detail/giphy-for-chrome/jlleokkdhkflpmghiioglgmnminbekdi
The extension ID is jlleokkdhkflpmghiioglgmnminbekdi
so the url to download the .crx file would be:
https://clients2.google.com/service/update2/crx?response=redirect&prodversion=89.0.4389.90&acceptformat=crx2,crx3&x=id%3Djlleokkdhkflpmghiioglgmnminbekdi%26uc
This URL method has worked for me several years, so I expect it will continue to work in the future. (I have updated the prodversion value occasionally, not sure if it matters.)
Once you have the .crx file, go to the Chrome Store Foxified Dashboard, click "click here to browse" and select the .crx file you just downloaded, then click the "Add To Firefox" button. It should say "Validating..." briefly then the selection dialog will collapse and the extension's entry box on the Dashboard should appear and say "Converting" at the bottom briefly. It will automatically trigger the install of the converted extension and you should get a prompt like this just below the url bar:
For smaller extensions the steps happen so quickly that it seems to jump directly to this prompt. A very large extension such as Grammarly (36 MB) takes about 10 seconds on my machine. If it keeps going and going something probably went wrong.
One warning -- go to the Settings page of CSF and click "Disable" for Instant Upload. (If it says "Enable" then it is already disabled.) Otherwise the conversion will hang on an AMO Credentials step.
If you run into problems, or you try to delete an extension but later want to convert the same extension again, if something hangs, or if you have any other problems, go to Settings in CSF, click "Clear Memory" and restart Firefox. This will reset CSF to a freshly-installed state. (Be sure to disable Instant Upload again after you do this.) I have found it necessary to reset CSF frequently, since it doesn't seem to be able to recover from hiccups very well.
Check for Updates will not work either. So you will need to manually download the .crx for updates. I'm not sure whether CSF will gracefully convert an updated version of an extension you already converted. So it may be necessary to clear memory to convert an updated version. If you do this, I'm also not sure whether Firefox will gracefully update the existing Addon or if it will create a duplicate Addon in the Addon Manager. It may not matter for some Addons, you can just delete the out of date version. But for others you will need to preserve your data across updates.
The workaround for the duplicate Addon problem would be manually uploading the converted Addon to AMO (addons.mozilla.org) as a developer version. That was actually a critical part of the original design of CSF, and the main reason why the project was abandoned. AMO changed some things server-side that broke CSF's ability to automate the process of uploading a converted Addon .xpi and having it essentially "test signed" by AMO for your personal use.
But you can still do it manually if you run into issues with new versions causing duplicate Addons. Creating an AMO account and getting access to developer hub is a bit of a pain. But here is a (very) rough outline if you want to try it:
After you go through the process the first time and understand the workflow, it's not really as confusing or time-consuming as it might sound.
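The URL construction described in the comment above, written out as an added example (not part of the original comment and not CSF's own code). The function names are hypothetical, and the rule that an extension ID is 32 letters in the range a-p is an assumption not stated in the thread; it is used here so that a pasted URL with a wrong last segment is rejected instead of being sent to the download endpoint.

```python
import re
from urllib.parse import quote, urlsplit

# Endpoint and query parameters exactly as given in the comment above.
CRX_ENDPOINT = "https://clients2.google.com/service/update2/crx"
PRODVERSION = "89.0.4389.90"  # value from the comment; the poster is unsure it matters

# Assumption (not from the thread): extension IDs are 32 letters in the range a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")


def extension_id_from_store_url(store_url: str) -> str:
    """Return the last path segment of a Chrome Web Store detail URL."""
    parts = urlsplit(store_url)  # query string and fragment are split off here
    if parts.scheme != "https" or parts.hostname != "chrome.google.com":
        raise ValueError("not a Chrome Web Store URL")
    # Dropping empty segments tolerates a trailing slash.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3 or segments[:2] != ["webstore", "detail"]:
        raise ValueError("not an extension detail page")
    ext_id = segments[-1]
    if not EXTENSION_ID_RE.fullmatch(ext_id):
        raise ValueError("last path segment is not an extension ID")
    return ext_id


def crx_download_url(ext_id: str, prodversion: str = PRODVERSION) -> str:
    """Build the .crx download URL in the form shown in the comment."""
    if not EXTENSION_ID_RE.fullmatch(ext_id):
        raise ValueError("invalid extension ID")
    # The x parameter carries "id=<ID>&uc" percent-encoded as a single value,
    # which yields the id%3D...%26uc form from the comment.
    x_value = quote(f"id={ext_id}&uc", safe="")
    return (
        f"{CRX_ENDPOINT}?response=redirect&prodversion={prodversion}"
        f"&acceptformat=crx2,crx3&x={x_value}"
    )


if __name__ == "__main__":
    # The GIPHY example from the comment.
    page = "https://chrome.google.com/webstore/detail/giphy-for-chrome/jlleokkdhkflpmghiioglgmnminbekdi"
    print(crx_download_url(extension_id_from_store_url(page)))
```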
I've tried the above and it doesn't seem to work. When I click on the Unsigned (to download it), it doesn't do anything.
I just tested and it is working for me. Have you tried "Clear Memory" then restart Firefox? When I click Unsigned I get the prompt to download an xpi file of the converted extension.
Since the extension got removed from the store the workaround method doesn't work. Firefox version 46.0.1 doesn't allow to install unverified extensions. Reading the docs using the ESR and changing a setting bypasses this and it's possible to install, but the extension doesn't work at all.
Btw, how is the progress going on making it work on the latest version?