Update on Extension Signing and New Developer Agreement

If you have an active extension listing on AMO you probably got a message from us already, explaining how we will automatically sign your add-on and provide it to your users via automatic updates. The automatic signing process will run this week, in batches, and we will notify you when your add-on is signed. Please take some time to test the signed version in the current release version of Firefox and either Developer Edition or Nightly (where Firefox already warns about unsigned extensions).

If you’re unfamiliar with extension signing, please read the original announcement for context.

Next week, we will activate two new features on AMO: signing of new add-on versions after they are reviewed, and add-on submission for developers who wish to have their add-ons signed but don’t want them listed on AMO. We will post another update once this happens. When this is done, all extension developers will be able to have their extensions signed, with enough time to update their users before signing becomes a requirement in release versions of Firefox.

New Developer Agreement

Since we will be signing add-ons that won’t be listed on AMO, we have updated the Add-on Distribution Developer Agreement to cover the new ways in which we will handle add-ons. This document hadn’t been touched for years, so we took our time and significantly updated its contents to reflect how we do things now. Hopefully it is also easier to read than its previous version.

Note that the new agreement will go into effect on June 1st. The version that is displayed on AMO when you submit a new add-on will be updated then, and all active developers on AMO will be notified about it.

If you want to stay up to date with changes related to extension signing, you can follow this blog or check in regularly to the wiki page, where I update the timeline information as it becomes clearer.

44 comments on “Update on Extension Signing and New Developer Agreement”

  1. Jonah Bishop wrote on

    I currently have two extensions on AMO and I also distribute them via my personal website. In situations like this, can I submit my extensions to both the “listed” and “unlisted” sections to have a package to offer on my website? Or is this not how the unlisted submissions work? Is there a way to get a signed package for third party distribution?

    If I’m forced to use AMO only going forward, how will I properly redirect users who currently hit my website for updates to the AMO package? Are there specific changes needed to my update.rdf file?

    1. Michael Kaply wrote on

      You can’t have the same add-on be listed and unlisted unless the internal add-on ID is different between the two add-ons (which I’m guessing yours are not).

      If they have the same ID, you’ll have to change the ID on one and then submit them separately.

      The ID can be changed as part of an update.

      If you want to only use AMO going forward, all you have to do is send an update to your non-AMO users that removes the updateURL from install.rdf and they will start receiving updates from AMO.

    2. Jorge Villalobos wrote on

      If you’re distributing the same versions both on AMO and not on AMO, you can just take the signed files from AMO and distribute those however you want. If you intend to have different files for AMO and non-AMO, that’s something we don’t currently support and it’s generally easier to use a different ID for each distribution like Mike pointed out.

  2. custom.firefox.lady wrote on

    I think there are a number of AMO hosted add-ons that serve alpha/dev versions from their own website. I’ve done this myself occasionally when I have a very preliminary version I’d like some feedback on, but don’t want all my beta testers offered the early alpha. Or some temporary test version for a user willing to verify if it fixes their issue. Are you saying we should give these a different GUID while using the same add-on name? (Or perhaps ‘foo alpha’ for the name?)

    If we need to do these as separate id unlisted, do we then need to download the signed version from AMO to upload to our site, or is it fine to just link to the unlisted version and let others download/install directly from AMO unlisted (would they need an AMO account to do that) ?

    1. Jorge Villalobos wrote on

      Since these are pre-release versions you’re talking about, there are a couple of ways to make it work:
      * Upload it to the beta channel, which will get it signed automatically, and then download the signed file and remove it from AMO. It’s very unlikely any users in your beta channel will get updated to this version if you take it down quickly.
      * Have a separate, unlisted add-on with a different ID and use that for your one-offs. You just need to tell your users to remove or disable the “real” version while testing with these alphas.

      There will be no way to link to unlisted versions on AMO, so in that case you will need to download the signed versions and then list them on your site.

      1. custom.firefox.lady wrote on

        The first option seems simpler and less risk of confusion for all involved. Slick workaround…thanks.

  3. SecurityRequiresFlexibility wrote on

    What is the status of the unbranded build? When will it be available, and where will it be located?

    1. Jorge Villalobos wrote on

      We don’t have any updates for this. They should be available by the time we enforce signing on Beta, which is when they will be needed.

  4. Igorr wrote on

    Uh, was part of the plan to sign and replace *all* public xpi in the version page of each add-on, changing the whole historic numbering of the projects, or was it something else?

    1. Jorge Villalobos wrote on

      It was necessary to “bump up” the version number, yes. We think it would’ve been more disruptive to try to replace the existing version. If you’re a developer, you can submit a new version to fix this, but I would recommend that you wait until next week when all reviewed add-ons will be signed (without any version number change).

      1. igorr wrote on

        It is understandable for a single xpi, the current version of an add-on; I’m asking about the previous releases of an add-on, all the files in the versions page whose version number was altered.

        1. Jorge Villalobos wrote on

          Yes, all compatible versions were signed, so people can still try out old versions that are probably still compatible.

          1. Igorr wrote on

            The signing for old versions is OK; I’m asking about the bumping up of the version number of all the older xpi’s. Was it intended or inadvertent?

            Now some releases get the original version number of other previous releases (if you had 1.0 -> 1.0.1… now it is 1.0.1 -> 1.0.1.1); and, in general, docs don’t refer anymore to the corresponding releases…

          2. Jorge Villalobos wrote on

            Bumping up the version number was necessary to trigger auto-updates for all versions. They all had “.1-signed” appended to them. You’re right that it could cause problems for documentation and support, but it was a necessary move.

          3. Sam wrote on

            I think what Igorr was getting at was that *every* previous version of an add-on has had “.1-signed” appended to the version number, when it was only really needed for the very latest version.

            For example, what was originally version 4.0, is now marked as version 4.0.1-signed, which makes it look like there was never an actual version 4.0.

  5. rocksoccer wrote on

    I am really disappointed about the move of Mozilla. They don’t hear users’ voice about signing. Just go to https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
    You can see how many users are against this.

    Especially, if you consider ineffectiveness of extension signing used by Chrome, you just cannot defend this decision at all.

    Mozilla builds Firefox and its community, but that does not mean you can have dictatorship as you want.

    The recent moves from Mozilla are also very worrying to any users who value freedom. To support Netflix, Mozilla can just create an addon for the site. There is absolutely no need to modify Firefox to have it supported.

  6. Ken Saunders wrote on

    Any news on the unbranded version of Firefox?
    Where can I/we follow its progress?

    For what it’s worth, thanks for putting up with all that you had to endure when you made the first post about this. I would have said something earlier, but there was way too much noise at the time.
    I believe that this is the right thing to do for users and fully support the decision.

    Anyone who’s spent any significant amount of time doing troubleshooting and support for Firefox on and offline knows how badly nasty add-ons can affect Firefox’s reputation.
    Until they’re properly informed, users blame Firefox for issues, not the add-on.
    Sometimes after that, they still blame Firefox for allowing bad add-ons to be installed.

    1. Jorge Villalobos wrote on

      It’s up to Release Engineering to get the unbranded builds ready. I don’t know if there are any open bugs, but I know they’re working on it.

  7. Ano-Nymous wrote on

    uhmm. updated to signed addons, replaced an extension with my modification – and it still works and shows *-signed in add-ons manager.

    really mozilla?

    1. Jorge Villalobos wrote on

      Not sure what you’re complaining about. Can you please elaborate?

  8. custom.firefox.lady wrote on

    One extension I have installed (Colorzilla) did not seem to properly update to the signed version. Add-ons Manager reports it having been updated on the same day as the other extensions, but it’s missing the ‘signed’ part of the version number (just 2.8.1) and does not contain the META folder. Right-click (context menu) > About shows version 2.8 (not 2.8.1). Tried re-doing “Find Updates”, but none found. This is on Fx 39b1.

    1. Jorge Villalobos wrote on

      Can you still reproduce the problem? It could have been a temporary issue.

      1. custom.firefox.lady wrote on

        I investigated further and found that its updateURL is http://updates.colorzilla.com/update/ so perhaps 2.8.1 was available on the Colorzilla site at some time (it’s not currently that I can see). For myself, I’ll just uninstall it and install the current signed AMO version.

        Wondering though about the possible existence of non-AMO versions of other extensions with identical numbering (except the ‘signed’ part) without their own updateURL. How will they be handled by this process (e.g. 1.1.1 obtained elsewhere but receiving updates from AMO where the only 1.1.1 that exists is the version-number-altered signed version)?

        1. Jorge Villalobos wrote on

          If an add-on doesn’t have an updateURL, then updates are handled by AMO. So, unless they have much larger version numbers than their AMO equivalents, users will eventually end up with a signed AMO version.

          Since the ‘.1-signed’ version numbers are greater than the normal numbers, all users should be automatically updated to signed versions. The main exception would be users who disabled automatic updates.

  9. Mingyi Liu wrote on

    A user of one of my addons said whenever he modifies my addon’s code (as I suggested, because he needs a feature useful only for him, I won’t release a new feature just for that), Firefox would delete it because it’s not signed. It used to work for him for a month, but now this signed thing ruined it. Is that normal to disallow users to modify addon code and ONLY use it on their own machine? I don’t think it makes sense if so.

    1. Robert Pfeiffer wrote on

      The same problem for me: I like to make changes to some Add-ons just for me/build Add-ons just for myself and only to be used on my computer. How can I do this in the future?

    2. Jorge Villalobos wrote on

      The add-on shouldn’t be deleted, only disabled. There’s a preference that can be changed to deactivate signature enforcement. That preference should always work in Developer Edition and Nightly.

      Edit: it’s probably a good idea to remove the META-INF dir when you modify the add-on, since the “broken signature” scenario may be handled differently than the “no signature” one.
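
Added example (not part of the original post or of any comment): a Python sketch that separates the “no signature” and “broken signature” cases mentioned in the reply above by checking an XPI's files against the per-file digests in its manifest. The JAR-style manifest layout, the `META-INF/manifest.mf` and `META-INF/mozilla.rsa` file names, and the sample archives built by `build_sample` are assumptions; the signature over the manifest itself is not verified here.

```python
import base64
import hashlib
import io
import zipfile

# Assumption: signed XPIs carry a JAR-style META-INF/manifest.mf whose "Name:"
# sections hold base64 per-file digests (SHA1-Digest and/or SHA256-Digest).
MANIFEST = "META-INF/manifest.mf"
ALGS = {"SHA1-Digest": hashlib.sha1, "SHA256-Digest": hashlib.sha256}


def parse_manifest(text):
    """Return {file name: {header: value}} for every Name: section."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for section in text.split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in section.splitlines() if ": " in ln)
        if "Name" in fields:
            entries[fields.pop("Name")] = fields
    return entries


def signing_state(xpi_bytes):
    """Return ('unsigned' | 'intact' | 'broken', [problem files]).

    Structural check only: the signature over the manifest is NOT verified.
    """
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        names = [n for n in xpi.namelist() if not n.endswith("/")]
        meta = {n.lower(): n for n in names if n.lower().startswith("meta-inf/")}
        if not meta:
            return "unsigned", []
        if MANIFEST.lower() not in meta:
            return "broken", [MANIFEST]
        entries = parse_manifest(xpi.read(meta[MANIFEST.lower()]).decode("utf-8"))
        problems = [n for n in entries if n not in names]  # listed but missing
        for name in names:
            if name in meta.values():
                continue
            fields = entries.get(name, {})
            checks = [base64.b64encode(h(xpi.read(name)).digest()).decode() == fields[k]
                      for k, h in ALGS.items() if k in fields]
            if not checks or not all(checks):  # unlisted file or digest mismatch
                problems.append(name)
        return ("broken" if problems else "intact"), sorted(problems)


def build_sample(files, signed_as=None):
    """Constructed input: ZIP of `files`; manifest digests come from `signed_as`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        if signed_as is not None:
            lines = ["Manifest-Version: 1.0", ""]
            for name, data in signed_as.items():
                digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
                lines += ["Name: " + name, "SHA1-Digest: " + digest, ""]
            z.writestr(MANIFEST, "\n".join(lines))
            z.writestr("META-INF/mozilla.rsa", b"constructed placeholder")
    return buf.getvalue()
```

An archive edited after signing reports `broken` with the changed or added files listed, while one with the META-INF directory removed reports `unsigned`.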

  10. Endor wrote on

    How to sign Add-ons which are not hosted on AMO?
    Actually I found no way to do this. I hope there is an easy, fast way to make this
    available. I am just a person who provides German localisations for Add-ons only
    available in English, from authors who are not interested in providing
    localisations other than US-EN.
    There are a lot of hard-coded Add-ons out there, only in English localisation.
    I contacted a couple of authors but got no answer, or refusing answers.

    1. Jorge Villalobos wrote on

      Signing for non-AMO add-ons will be activated later this week. There will be a separate announcement on this blog when that happens.

      1. Endor wrote on

        Now it is possible to sign non-hosted Add-ons. I saw this this morning.
        But how much time does it need to sign an Add-on? I have been in the queue for
        7 hours now and nothing goes on. The queue goes higher and higher.
        After uploading the Add-on it was 5 of 6, now it is 8 of 16. Strange thing.

        I read somewhere it needs just a couple of seconds to sign the Add-on.
        I think it needs 3 to 4 months or maybe a year or so.
        Absolutely user unfriendly.

        1. Jorge Villalobos wrote on

          The submission form was activated, but the automatic validation isn’t active yet. Unhosted submissions are now working like regular ones, with a queue, rather than how they will in the future. It will be announced in this blog when everything is in place.

          1. Endor wrote on

            OK!
            Thank you for the info.
            Let’s hope that it will be activated as soon as possible.

  11. RJ wrote on

    “For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.”
    Where is the information for this since this was stated 4 months ago? What does near future mean? The wiki says: “What about private add-ons used in enterprise environments?
    We haven’t announced our plan for this case yet. Stay tuned. In the interim, ESR will not support signing at least until version 45, which won’t come out until 2016.”
    Not all employees using Firefox internally are using ESR versions. We need some details on the plan for add-ons intended for employee use.
    Details please!

    1. Jorge Villalobos wrote on

      There’s no definitive answer yet, but ESR appears to be the most likely solution. That means that developers and users will have the following options to install unsigned add-ons: Nightly, Developer Edition, unbranded Release and Beta builds, and ESR.

      1. RJ wrote on

        ESR versions are not used by all employees. That means there will be thousands of employees using non-ESR versions of Firefox. For those thousands of employees the frustration of having company approved add-ons blocked by Firefox is going to be a logistical nightmare. Forcing all employees to use a specific ESR version of Firefox isn’t an option. Employees have the ability to install whatever browser they want, ESR or the latest version of Firefox. Mozilla needs to provide other options for large corporations using Firefox, and ESR is not the answer.

  12. lioa wrote on

    I have been in the queue for 4 hours and nothing goes on. I read somewhere it needs just a couple of seconds to sign the Add-on. The queue goes higher and higher. I’ll just uninstall it and install the current signed AMO version. Thanks for all

    1. Jorge Villalobos wrote on

      Which add-on are you referring to?

  13. Endor wrote on

    I have been in the queue for 4 days, yes, unbelievable.
    I now have only 2 of 10 Add-ons with immediate signing.
    I always add only a German locale, of course a new ID, and I change the name.
    With some of the Add-ons, I got this message:

    „Looks like your add-on requires a manual review before it can be signed.“

    Why? The original Add-on is signed, and my version has to be manually reviewed?
    Strange. So my version ends up in a queue and nothing goes on.
    Just waiting, waiting, waiting…..

    1. toady wrote on

      Yes, queues are going to be the main problem. Regular addons take months to review, yet for Google Chrome it takes 1-24 hours to be processed.

      Regular addons have lengthy queues, and so does getting addons signed, topped with the current new addon validation system neutering what can and can’t be modified.

      What incentives are there to keep an addon developer going when they dedicate countless hours of their time for free only to have their work die slowly in long queues every release?

      They said they were addressing it; so far, since that announcement, the queue length has doubled, taking even longer than previously.

      I found developing Chrome addons much more developer friendly and less hassle free. I hope Mozilla can learn from them.

      1. Endor wrote on

        I have the feeling that Mozilla never liked the Add-ons.
        I don’t know why this simple signing needs so much time.
        User unfriendly behaviour. But this is usual by Mozilla.
        I have been using Firefox since the beginning. Where has the
        user friendly, small, and totally customizable browser gone?

  14. salta wrote on

    “unsigned add-ons: Nightly, Developer Edition, unbranded Release and Beta builds, and ESR.”

    Nightly <—- so buggy
    Developer Edition <—- heavy and buggy
    unbranded Release and Beta builds <— en-us only
    ESR <—- don't have latest feature

    For me, I modify add-ons for fixing bad translation and ugly icons to my taste.

    ESR is my choice. Better than never.
    If ESR 45 doesn't have an unsigned option, then I'll say goodbye to Firefox and I'll use Google Chrome. Why? Firefox is a Chrome copycat and doesn't have any advantage.

  15. Travis Garner wrote on

    Hello,

    I’ve been trying to give my an extension approved by Firefox in hopes to proper give the launch this extension deserves. Please forgive me created inside of this awesome community so I been trying to figure out as much they possibly can in order to hear the policy. After submitting the extension it was reviewed by your team almost immediately. I was told to make some changes the code in order to meet extension standards. I have made the changes promptly in research the best tools in order to test in a bug my extension. It’s been tested on multiple versions of Firefox it Is even received some reviews. Currently there’re about 40 active users Justin Firefox which I’m having a difficult time getting in front of someone to relook at the extension. In that first month I noticed a post but you with new license. So far the only thing I’ve read is that you will be implementing shortly and looking to create the new signatures for past plus new Extensions. Any advice would be greatly appreciated as it’s been close to three months now and I’m a little unclear this might happen. When skating more information on how Firefox besides to utilize its resources I’m greatly thinking about where and how I can help. Thank you for all contributors Firefox is really become an amazing browser especially for someone in my industry.

    1. Jorge Villalobos wrote on

      The review queues are fairly slow at the moment because most of our attention is going on getting signing working correctly. We will focus again on reviews starting next week, and I hope this will make a big difference in waiting times. All I can ask from you now is to please be patient as we work through the backlog.

  16. olicy02lnw wrote on

    Thank u