dillbyrne / random-agent-spoofer

Firefox addon - Rotates complete browser profiles (from real browsers / devices) at a user defined time interval. It includes many extra privacy enhancing options.
https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/
GNU General Public License v3.0

Mozilla Addons/Extension Signing #228

Closed tr37ion closed 8 years ago

tr37ion commented 9 years ago

Hi, Mozilla is bringing AddOn Signing to upcoming Firefox versions. It would be nice if you could adopt your AddOn, too. Have a look at: https://wiki.mozilla.org/Addons/Extension_Signing

dillbyrne commented 9 years ago

Hello @tr37ion. I'm aware of the mandatory extension signing requirement being added to Firefox. While Mozilla are currently signing AMO hosted addons, they are not yet accepting externally hosted addons, so I must wait until then to submit the github version of RAS.

One point to make note of is that the next version of RAS will be forced to have a different id in the manifest as Mozilla can't sign the AMO hosted one and the github one if they share the same id. The result of this for end users will be that the next version will require a fresh install and will be treated as a separate addon to the AMO version and previous github versions.

I'll update this when I have submitted the next version of RAS for signing.

paulderdash commented 9 years ago

I am currently using your 0.9.5.3 github version. As far as I understand it, only the signed AMO version will be usable, once this policy comes into effect (sigh). Will your next RAS version (without the non-allowable github features) be available soon - before this policy becomes effective? AMO currently has 0.9.3.1.1 ... if I need to install this, do I first need to uninstall 0.9.5.3 - or better to wait for new AMO RAS version and install afresh (as above)?

dillbyrne commented 9 years ago

@paulderdash No, both versions will still be available. As I said above, the github version will be forced to change its id in the manifest in order to be signed so it does not conflict with the signed AMO version.

The next AMO version (0.9.5.2) has been in the review queue on the addons site for a while now. I cannot say when it will be ready. That depends on the reviewers and the review queue; it was in position 29 out of 120 the last time I checked it.

When Mozilla start allowing signing for non-AMO hosted addons I will submit 0.9.5.4 for signing, and when it is signed it will be available as normal on the releases page.

As the manifest id will have to be changed in the github version, it will mean that if you have any previous version of RAS installed you will have to uninstall it and install the new signed github version, as an upgrade will not be possible due to the different ids.

Blog post about signing for those curious

paulderdash commented 9 years ago

Thanks @dillbyrne. Understood. Mozilla sure seems to take their time with reviews!

dillbyrne commented 9 years ago

Just an update on this. I'm still waiting on Mozilla to review the AMO version in the queue.

In that review I have asked the reviewers to glance at the disabled code (the same as the github code) and advise on what needs to change so I can see about adding the full version back onto AMO.

If it is the case where I can add it back in I will. If not I will continue on the plan as outlined above.

The main holdup is AMO at this stage as I want to find out where I stand before I go changing the addon ID for the github version.

0.9.5.4 is more or less ready to go. I may have to change the addon id depending on the feedback from AMO and I still have to do documentation and a final test before shipping it.

Sorry about the delay everyone. I'll update when I know more.

tr37ion commented 9 years ago

Thanks for the update. It seems Mozilla reviews take quite some time, unfortunately :( You may ask in IRC irc.mozilla.org channel #amo for its position in the queue.

dillbyrne commented 9 years ago

It's at position 8 out of 120 but the queue doesn't move like a normal queue. It appears reviewers review addons at their discretion. I have submitted multiple addons on the same day and some will get reviewed within an hour despite being at the back of the queue and others can take days, but this has been the longest for sure.

RoxKilly commented 9 years ago

When Mozilla staff announced this plan, they claimed that the extensions would go through an auto-review process and be automatically signed if they pass certain algorithmic checks, and that only those extensions that get flagged would require a human review. They estimated that signing in most cases would take just two days. At least that was my understanding.

Anyway, @dillbyrne I just noticed what might be a significant shift in Mozilla's stance, from blocking add-ons that have not been signed by Mozilla to allowing users to continue using such add-ons after stern warnings.

The original announcement from February 2015 stated:

There will be a transition period of two release cycles (12 weeks total) during which unsigned extensions will only generate a warning in Firefox. After the transition period, it will not be possible to install unsigned extensions in Release or Beta versions of Firefox. There won’t be any preferences or command line options to disable this.

I've just noticed a few minutes ago that the FAQ page on addon signing now states:

The new add-ons signing process requires developers to follow Mozilla Developer guidelines to ensure that their add-ons are safe. Firefox protects you by warning you when an add-on has not been verified through this signing process, but you can still install the unverified add-on at your own risk.

Then again, the Mozilla wiki page on extension signing still states:

Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted...Firefox Release and Beta versions will not have any way to disable signature checks

What's going on here? Seems like Mozilla is conflicted at best, or am I misreading things? Something else that is unclear: if installing unsigned add-ons is blocked, does that mean that add-ons that were already installed before updating Firefox will continue to run?

paulderdash commented 9 years ago

Unacceptable, really! See also: https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/

On 13 August 2015 at 00:52, dillbyrne notifications@github.com wrote:

It's at position 8 out of 120 but the queue doesn't move like a normal queue. It appears reviewers review addons at their discretion. I have submitted multiple addons on the same day and some will get reviewed within an hour despite being at the back of the queue and others can take days, but this has been the longest for sure.


dillbyrne commented 9 years ago

@RoxKilly Extension signing will be here to stay.

@paulderdash I know, it will have consequences for RAS too. See #282 for more details

paulderdash commented 9 years ago

Can't believe how long it's taking Mozilla to review 9.5.2 ... how can they mess around add-on developers like this?

On 24 August 2015 at 15:40, dillbyrne notifications@github.com wrote:

@RoxKilly Extension signing will be here to stay.

@paulderdash I know, it will have consequences for RAS too. See #282 for more details


dillbyrne commented 9 years ago

@paulderdash It's ridiculous. I know of a few addon developers who have quit because of a culmination of the latest changes.

I'm already getting bad reviews on AMO because the addon was not reviewed when Firefox 40 went live and addons suddenly broke due to the deprecation of the widget module, but people perceive it as RAS and that is that.

It is at position 5 out of 71 now.

RoxKilly commented 9 years ago

@dillbyrne Have you thought about pulling the version you have up on AMO now, or at least changing its compatibility list, given that it is broken for newer FF installs? The bad will and negative reviews may stay with RAS well after this is sorted out.

dillbyrne commented 9 years ago

@RoxKilly I did change the compatibility back to 39 once I realised it was happening.

AMO usually does automated checks for compatibility for each new version of Firefox, and since a deprecated module is easy to detect I wrongfully assumed it would have flagged it as non-compatible, as it has detected other things such as require chrome based calls in the past as warnings.

By the time I realized the compatibility had been incremented, many users had already updated to FF 40, and as that version of RAS was incompatible it caused a lot of problems.

ghost commented 9 years ago

Please continue github edition.

I don't care about Firefox signed add-on. I care about open source. Mozilla scrapped my unsigned project, so I dumped my Firefox.

I recommend a Firefox fork, for example "Pale Moon". https://github.com/MoonchildProductions/Pale-Moon/issues/179

RoxKilly commented 9 years ago

What was your unsigned project, what do you mean by "scrapped", and why was it scrapped?

Thanks for the info on Pale Moon.

paulderdash commented 9 years ago

It may have happened a few days ago already, but I see 0.9.5.2 is finally signed on AMO!

On 6 September 2015 at 16:45, dillbyrne notifications@github.com wrote:

@paulderdash It's ridiculous. I know of a few addon developers who have quit because of a culmination of the latest changes.

I'm already getting bad reviews on AMO because the addon was not reviewed when Firefox 40 went live and addons suddenly broke due to the deprecation of the widget module, but people perceive it as RAS and that is that.

It is at position 5 out of 71 now.


RoxKilly commented 9 years ago

The AMO version is missing some features (and it's still older than the current version on github) but that's good news. Wishing Mozilla would allow the github hosted add-on to be signed in a timely manner.

dillbyrne commented 8 years ago

@paulderdash Sorry for the late reply, I have just been really busy. Yes it was reviewed finally. More importantly the reviewer said to consult AMO to work on a way to keep the features without losing the approval, so that is good news. I have not yet had a chance to get in touch with them but will do so soon and update everyone here.

dillbyrne commented 8 years ago

Hi all. Sorry for the delay on this. I got some quick feedback specifically for the script injection code and for the most part it now appears to be ok. I have to make some small changes #324 and then I'll add upgrade code for 0.9.5.4, but if all goes well I should be able to get the full version back on AMO, which will take care of signing and reduce the maintenance load.

dillbyrne commented 8 years ago

I have a full version of 0.9.5.4 in the review queue on AMO. Hopefully it will pass a review due to the changes I have made. It is at position 82 in the queue.

RoxKilly commented 8 years ago

How come you did not post the .xpi file for 0.9.5.4 on the releases page here on github? Do you intend to post only after the AMO signing?

dillbyrne commented 8 years ago

No, I intend to only submit the xpi files to AMO from now on. This is assuming that 0.9.5.4 passes review. I have stated on multiple occasions that I want to get the full version back on AMO. 0.9.5.4 is not a limited version.

Gitoffthelawn commented 8 years ago

@dillbyrne I think it's great that you are committed to getting the full version back on AMO!

I'm interested in understanding why this wasn't always the case. Can you explain briefly what happened, or point me to the issue that explains what happened?

dillbyrne commented 8 years ago

@Gitoffthelawn The 0.9.2 version of RAS was rejected from AMO due to certain aspects of the script injection code, which at the time was a lot different. I split RAS into two versions so I could keep the script injection stuff and also still provide updates to users on AMO.

I have changed a lot of the script injection code since then, and with the signing requirements it makes sense to try to get the full version back on AMO.

RoxKilly commented 8 years ago

@dillbyrne, instead of explaining this over and over, it may save you time to write 2 or so paragraphs about this in the Readme (or Wiki if you have one) and link there to this issue. Then wherever the question is raised we can just respond with the link to the paragraph.

I hope AMO accepts 0.9.5.4.

dillbyrne commented 8 years ago

0.9.5.5 was accepted and signed by AMO. You can download it from the addon site. Thanks for your patience.

RoxKilly commented 8 years ago

@dillbyrne Congrats! I know this must be a big check off your list. No need now to maintain 2 versions.

dillbyrne commented 8 years ago

@RoxKilly Thanks. Yes, the signatures were the main concern as it was time sensitive, and also reducing user confusion when it comes to what version and where to get it.

Gitoffthelawn commented 8 years ago

Great job! Congrats!

tr37ion commented 8 years ago

Great, thanks.