Signing Firefox add-ons with jpm sign

With this week’s release of Firefox 43, all add-ons must now be signed. While this will make the block-list and other malware prevention measures more effective, add-on developers who wish to distribute outside of addons.mozilla.org must now add signing to their release flow.

To make it easier for these developers, we released the add-on signing API last month. Today, we’re also providing a new version of the jpm command line tool that makes add-on signing even easier.

Installation

Install jpm for NodeJS from NPM like this:

npm install jpm

Generate API Credentials

In order to work with the signing API you first need to log in to the addons.mozilla.org developer hub and generate API credentials.

Signing an Add-on

To begin signing an SDK-based add-on with jpm, change into the source directory and run this command:

jpm sign --api-key ${AMO_API_KEY} --api-secret ${AMO_API_SECRET}

This will fetch a signed XPI file to your current directory (or --addon-dir) that you can self-host for installation into Firefox. Read more about add-on distribution here. Since this XPI is intended for distribution outside of addons.mozilla.org, it assumes you don’t want your add-on listed on addons.mozilla.org. This is referred to as an unlisted add-on.

Updating an Add-on

To sign a new version of your unlisted add-on, just increment the version number in your package.json file and re-run the jpm sign command.

Signing XPI Files Directly

If you aren’t using jpm to manage your add-on, you can still sign the XPI file directly, like this:

jpm sign --xpi /path/to/your-addon.xpi --api-key ... --api-secret ...
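The sign-and-update flow from the Signing an Add-on and Updating an Add-on sections, as an added release script (not code from jpm or this post); it assumes jpm is installed, that the add-on directory holds a package.json with a MAJOR.MINOR.PATCH version, and that the credentials are exported as AMO_API_KEY and AMO_API_SECRET from a secret store rather than kept in the repository:

```shell
#!/bin/sh
# Added example (not jpm's own code): bump the patch version in package.json,
# then sign the unlisted add-on with jpm sign. Assumes jpm is installed and
# AMO_API_KEY / AMO_API_SECRET are exported from a secret store, not the repo.
set -eu

# "1.2.3" -> "1.2.4"; rejects anything that is not MAJOR.MINOR.PATCH.
next_patch_version() {
    case $1 in
        *.*.*) ;;
        *) echo "expected MAJOR.MINOR.PATCH, got: $1" >&2; return 1 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    echo "$major.$minor.$((patch + 1))"
}

# Read the "version" field from package.json (first match wins).
current_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rewrite the version in place and print the new value.
bump_package_version() {
    old=$(current_version "$1")
    new=$(next_patch_version "$old")
    sed -i.bak "s/\"version\"\([[:space:]]*:[[:space:]]*\)\"$old\"/\"version\"\1\"$new\"/" "$1"
    rm -f "$1.bak"
    echo "$new"
}

# Credentials must come from the environment; fail early if they are missing.
require_credentials() {
    [ -n "${AMO_API_KEY:-}" ] && [ -n "${AMO_API_SECRET:-}" ]
}

# Bump, sign, and verify that a signed XPI newer than package.json appeared.
sign_addon() {
    dir=$1
    require_credentials || { echo "AMO_API_KEY and AMO_API_SECRET must be set" >&2; return 1; }
    version=$(bump_package_version "$dir/package.json")
    (cd "$dir" && jpm sign --api-key "$AMO_API_KEY" --api-secret "$AMO_API_SECRET")
    find "$dir" -maxdepth 1 -name '*.xpi' -newer "$dir/package.json" | grep -q .
}

# Usage: ./release.sh path/to/addon
if [ $# -gt 0 ]; then sign_addon "$1"; fi
```

Because the version is bumped before signing, every run produces a new XPI and a re-run with an unchanged version (which the signing API would reject) cannot happen by accident.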

Signing Requirements

We recently made changes to the signing requirements for add-ons not listed on addons.mozilla.org. We still do some basic checks to make sure that the add-on is well-formed enough to install without errors, but if those checks pass, any add-on will be signed.

Keep in mind that signing is only required for distributing your add-on. You can always install unsigned add-ons into a development version of Firefox for testing purposes.

Listed Add-ons

The jpm sign command doesn’t currently support add-ons distributed on addons.mozilla.org (referred to as listed add-ons). Listed add-ons still require a manual review.

Going Further

We hope that the jpm command eases the development burden introduced by signing. See the jpm sign reference documentation for more options, features, and examples. As usual, please report bugs if you run into any.

7 comments on “Signing Firefox add-ons with jpm sign”

  1. dal wrote on

    QUESTION: is this signing process to get around the months-long process that’s plagued developers, and if so, is it the same process that the new xkit people are having an issue with? ( http://new-xkit-discussion.tumblr.com/post/135418506184/im-curious-how-involvedlengthy-a-process-is-it )

    Secondly, how does the signing process get around the fact that it’s still easy to bypass this check? ( http://www.ghacks.net/2015/11/25/firefox-add-on-signing-criticized-for-being-ineffective/ )

    1. Jorge Villalobos wrote on

      I haven’t read those articles, but, to answer your questions: (1) signing doesn’t do away with add-on reviews, (2) the criticism in that article has to do with the review process and not the signing verification itself. Regardless, this system isn’t designed to be bulletproof. It should give us more control over the add-ons ecosystem and improve add-on security significantly.

  2. Ann L Everett wrote on

    I am very disappointed with how this is being handled. I have been using the Yahoo toolbar for years and now all of a sudden Mozilla is not allowing it. I am certain that thousands of other users are experiencing the same issue. Every time I turn on my laptop I have to reinstall Yahoo toolbar. Please do whatever you can to overcome this problem. Thank you for whatever you do.

  3. AnneTheAgile wrote on

    hi! As Ann LW mentioned, there are likely many plugins that are now in trouble due to no signing.
    I would like to install Highlighter, https://addons.mozilla.org/en-US/firefox/addon/highlighter/ , and it refuses. The addon is almost 10 years old and the dev page does not redirect. How would I go about trying to take ownership, getting the code, and updating the plugin?
    thank you!

    1. Jorge Villalobos wrote on

      Ownership can only be transferred by the original developer, so you would need to contact them about it. You can, however, create a new add-on with a new ID that implements the same behavior. According to the add-on homepage, it’s open source, so you’re allowed to use and modify the existing code.

  4. Noitidart wrote on

    Does this work on webext addons? I have an addon that makes the Google Chrome Webstore compatible with Firefox. So users of the addon can go to the webstore and click “add to chrome” and it will modify the crx into an xpi then load it into firefox.

    I used to be able to do this with xpi.signatures.required=false but I have to move away from that. So just wondering, does this work with webext xpi files?

    Thanks 😉

    1. Noitidart wrote on

      Crud got my answer:

      https://github.com/Noitidart/Chrome-Store-Foxified/blob/master/bootstrap.js#L114-L126

      gave me:

      {"error": "WebExtensions aren't allowed yet"}

      Do you know when it will be supporting WebExtensions? 🙂