Open akavel opened 3 years ago
They don't sign everything, especially if you use experimental APIs etc. Not sure yet, if this project does; but for a workaround, see how https://github.com/numirias/paxmod does stuff.
For local non-temporary installation, you can go to about:addons → Install add-on from file.
.xpi is just .zip
Most zippers make a subfloder in the zip, this can not do. Files (the manifest.json) must be at the root of the zip.
Interesting, thanks for the report!
I'm glad to hear you can distribute the signed extension without going through the store. Maybe that could be a continuous integration step to generate those XPI files on each push. I didn't really want to use the store outright because you still need FUSE and the native application on your computer anyway (or can you distribute those automatically with the extension?), so I felt like there would still be a fairly involved install process.
I do want people to feel comfortable modifying the extension source code, so I'm not thrilled about potentially distributing it as a sealed-and-signed binary; the main reason to do it would be to avoid that temporary-add-on constraint. Maybe there are other ways to get that extensibility while keeping the extension signed.
/shrug I haven't tested it yet (I have my dear 3k tabs open).
From what I read, this is not ready for prod at all, so directing for temporary installation would not hurt. The person looking to install this per mentally could find or be directed to #4.
AFAIK, to permanently install an unsigned extension on Firefox one needs to user Developer Edition and set "xpinstall.signatures.required" to false
. Here's a built version of the extension (made with web-ext build
) you can then install as a file: https://host.yoavmoshe.com/store/tabfs.xpi
Signing in general shouldn't be an issue, but because of the APIs used by the extension it must have a unique ID. Firefox doesn't seem to allow multiple signatories per extension ID, so one has to edit the browser_specific_settings.gecko.id
to some unique ID and only then they can run web-ext sign
. However, after doing this I had to change the APP_NAME in background.js
and install.sh
according to my new extension ID, and I feel a little strange uploading an extension with my name on it even though all I did was search and replace over someone else's great work.
I assume the unsigned version should be fine to most Firefox users, but maybe I'm mistaken to think we're all using Developer Edition. Anyway it doesn't seem like there's a problem getting the extension signed.
(warn don't download from a random person from the internet's site, you may use this instead:)
#!/bin/bash
7z a extension.xpi ./extension/{*,.[!.]*}
Yeah I have the tweaks made and live on Developer..
Not more random than any of us, I think? but like you said, .xpi
s are just .zip
s. Feel free to unzip and check do whatever checksum comparison you want, or better, run web-ext build
yourself. Just thought it could save people some time 🤷
Hi! Found your article on HN. I recently experimented with developing my own first tiny webextension for Firefox, and yes, to permanently install it outside debugging, it's enough to get it signed. I did it by uploading the plugin as a zip file to addons.mozilla.org. I had to create an account there, but other than that it's just a few steps - registering the addon and uploading new version's zip. I did it following some "your first webextension" Mozilla tutorial I believe, though I don't have a link handy at this moment to quickly share with you. I recall there were a few options explained for publishing, I chosen one with manual uploading to addons.mozilla.org as it seemed easiest for first try for me, and I didn't want to install some npm-based CLI tool they mentioned in the other options. After the procedure, you need to wait a while until the new version shows up as "Accepted", then you can download the .xpi they generated for you, and it works permanently. It seems to use some JAR-like signing, there's a META-INF directory in the .xpi after the "Accepted" status shows up.
edit: ok found the link, had it noted in the script: https://extensionworkshop.com/documentation/publish/package-your-extension/#package-linux -> then check out the "up next" links at the bottom of the page ("Submitting an add-on", etc.)