mozilla-jetpack / jpm

Jetpack Manager for Node.js
https://www.npmjs.org/package/jpm
Mozilla Public License 2.0
164 stars 75 forks

Signed XPI cannot be installed in Firefox because of hash mismatch #532

Open arieljannai opened 8 years ago

arieljannai commented 8 years ago

Hi, I know it's not exactly related, but maybe you could still have an idea.

I'm using nodejs to create an xpi with JSZip and then I spawn the jpm process in order to sign it. Everything looks like it's passing just fine, except that after I install it on Firefox and restart it, the addon disappears (not verified, I guess). From my understanding, I believe that there's something wrong with the xpi creation.

I've looked in your code and saw that you also use jszip to create the xpi, and I've also tried using the same parameters as seen in your code.

Maybe some of you know if there are specific settings that need to be applied on the archive? (Method, attributes etc.)

I've also tried asking about it in SO

Thanks in advance!

Croydon commented 8 years ago

Just wondering, if you call jpm anyway, why not generate the xpi directly with it?

arieljannai commented 8 years ago

It's a XUL addon, whose packing is not supported by jpm.

freaktechnik commented 8 years ago

The signing has been outfactored into https://www.npmjs.com/package/sign-addon (not sure jpm uses that, but that's where the fixes are afaik). Further, the XPI you upload should not matter, as AMO will re-pack as far as I know. So unless you're getting back an "xpi" that's actually a JSON error, it should work.
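A check for the case described in the comment above, where the file that comes back from signing is a JSON error rather than an archive (added example, not part of the thread and not code from jpm or sign-addon): it walks the ZIP central directory and reports whether the `META-INF/` signature files of a signed XPI are present. The function names and sample inputs are constructed for illustration; the check confirms the files exist and does not verify the signature itself.

```javascript
// Added example (not jpm/sign-addon code): classify the file a signing step returned.
const EOCD_SIG = 0x06054b50, CEN_SIG = 0x02014b50, LFH_SIG = 0x04034b50;
const SIG_FILES = ['meta-inf/manifest.mf', 'meta-inf/mozilla.sf', 'meta-inf/mozilla.rsa'];
// Entry names from the ZIP central directory, or null if buf is not a ZIP (no ZIP64).
function listZipEntries(buf) {
  let eocd = buf.length - 22; // EOCD record is >= 22 bytes; scan backwards for it
  while (eocd >= 0 && buf.readUInt32LE(eocd) !== EOCD_SIG) eocd--;
  if (eocd < 0) return null;
  const names = [];
  let off = buf.readUInt32LE(eocd + 16); // offset of the central directory
  for (let n = buf.readUInt16LE(eocd + 10); n > 0; n--) {
    if (off + 46 > buf.length || buf.readUInt32LE(off) !== CEN_SIG) return null;
    const nameLen = buf.readUInt16LE(off + 28);
    names.push(buf.toString('utf8', off + 46, off + 46 + nameLen));
    off += 46 + nameLen + buf.readUInt16LE(off + 30) + buf.readUInt16LE(off + 32);
  }
  return names;
}

function classifyXpi(buf) {
  const names = listZipEntries(buf);
  if (names) {
    const lower = names.map((n) => n.toLowerCase());
    return SIG_FILES.every((f) => lower.includes(f)) ? 'signed-xpi' : 'unsigned-zip';
  }
  try {
    const body = JSON.parse(buf.toString('utf8'));
    return body && typeof body === 'object' ? 'json-error' : 'unknown';
  } catch (e) { return 'unknown'; }
}

// Constructed sample input: a valid ZIP of empty, stored entries with the given names.
function makeZip(names) {
  const locals = [], cens = [];
  let off = 0;
  for (const name of names) {
    const nb = Buffer.from(name), lfh = Buffer.alloc(30), cen = Buffer.alloc(46);
    lfh.writeUInt32LE(LFH_SIG, 0); lfh.writeUInt16LE(nb.length, 26);
    cen.writeUInt32LE(CEN_SIG, 0); cen.writeUInt16LE(nb.length, 28); cen.writeUInt32LE(off, 42);
    locals.push(lfh, nb); cens.push(cen, nb);
    off += 30 + nb.length;
  }
  const cd = Buffer.concat(cens), eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(EOCD_SIG, 0); eocd.writeUInt16LE(names.length, 8);
  eocd.writeUInt16LE(names.length, 10); eocd.writeUInt32LE(cd.length, 12);
  eocd.writeUInt32LE(off, 16);
  return Buffer.concat([...locals, cd, eocd]);
}
console.log(classifyXpi(makeZip(['install.rdf', ...SIG_FILES])), classifyXpi(Buffer.from('{"error": "constructed"}')));
```

On a real file, pass `fs.readFileSync(path)` to `classifyXpi`.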

arieljannai commented 8 years ago

@freaktechnik Thanks, I'm trying it now

kumar303 commented 8 years ago

> after I install it on firefox and restart it, the addon disappears

Check Tools > Web Developer > Browser Console for the real error. That should help you diagnose it.

arieljannai commented 8 years ago

Interesting, didn't know about this console, I was looking in the developers one.

I get: `1464846132228 addons.xpi WARN Refusing to install staged add-on EXTENSION_ID with signed state -2`

I've tried looking around but couldn't find that specific error. There are other variations of the signed state (with 0 or 1), and I guess -2 is a specific error since usually in other programs just error/fail receive -1 and other negative values indicate a more specific error.

Maybe some of you know that error? Or should I ask about it in discourse/file a bugzilla?

kumar303 commented 8 years ago

That warning is unnecessarily cryptic but I think it's linking to this: https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#3100 which expands to "The downloaded file did not match the provided hash"

This is different from a signing problem. This means the file hash reported from the server did not match the real hash. We've actually seen this before in https://github.com/mozilla/addons/issues/1723 (although it may not be this exact issue).

What is the extension ID? If you can provide `jpm --verbose` output, that will show server headers which will be helpful.

arieljannai commented 8 years ago

Thanks for the help on all the platforms @kumar303 !

I've also asked a week ago on the discourse community, and I'm not sure whether to continue here or there, since there's no point in double investigations in different locations. Should we continue the discussion here or at discourse? (and then I'll link there to that issue)

kumar303 commented 8 years ago

If it's a jpm bug we should discuss it here. What is the extension ID? Can you provide `jpm --verbose ...` output?

arieljannai commented 8 years ago

https://gist.github.com/arieljannai/2e264e8f4a2d043495cfeaf37c4012db I haven't seen anything wrong, but maybe you'll recognize something

kumar303 commented 8 years ago

Oops, I misunderstood before. I thought you were installing the file from AMO. You are installing this file by going to File > Open in Firefox, right? walkme_extension-0.0.204+test.dt-fx.xpi

arieljannai commented 8 years ago

Yep, I just take my latest xpi and drag it into Firefox, and then the popup suggests that I install it (and then restart).

kumar303 commented 8 years ago

Could you attach the source code (before signing) so I can try to reproduce the issue?

arieljannai commented 8 years ago

Apparently GitHub doesn't like my zip. I've added a docx extension to the zip so it will let me upload it. extension.zip.docx

kumar303 commented 8 years ago

OK, thanks. Weird. I changed the ID, made an XPI, signed it, and installed it without any trouble. This was on Mac and I don't have access to a Windows machine. Maybe it's Windows related. I created the zip like `zip -r ../extension.xpi *`.

arieljannai commented 8 years ago

Indeed weird. That's why I thought that maybe there's something wrong with how I'm creating the zip with JSZip (though I took the example of JSZip's parameters from jpm's code). And it's also weird cause your server is opening, reading and re-archiving the zip I'm sending. So even if it wasn't with the right parameters, it should be fine after zipping in your server, cause it's a new zip, isn't it?