{"id":7624,"date":"2015-12-18T08:03:33","date_gmt":"2015-12-18T16:03:33","guid":{"rendered":"http:\/\/blog.mozilla.org\/addons\/?p=7624"},"modified":"2015-12-18T08:03:33","modified_gmt":"2015-12-18T16:03:33","slug":"signing-firefox-add-ons-with-jpm-sign","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/","title":{"rendered":"Signing Firefox add-ons with jpm sign"},"content":{"rendered":"<p>With this week&#8217;s release of Firefox 43, <a href=\"https:\/\/blog.mozilla.org\/addons\/2015\/04\/15\/the-case-for-extension-signing\/\">all add-ons must now be signed<\/a>. While this will make the <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/add-ons-cause-issues-are-on-blocklist\">block-list<\/a> and other malware prevention measures more effective, add-on developers who wish to distribute outside of <a href=\"https:\/\/addons.mozilla.org\/\">addons.mozilla.org<\/a> must now add signing to their release flow.<\/p>\n<p>To make it easier for these developers, we <a href=\"https:\/\/blog.mozilla.org\/addons\/2015\/11\/20\/signing-api-now-available\/\">released<\/a> the <a href=\"http:\/\/olympia.readthedocs.org\/en\/latest\/topics\/api\/signing.html\">add-on signing API<\/a> last month. Today, we&#8217;re also providing a new version of the <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/SDK\/Tools\/jpm\">jpm<\/a> command line tool that makes add-on signing even easier.<\/p>\n<h2>Installation<\/h2>\n<p>Install <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/SDK\/Tools\/jpm\">jpm<\/a> for <a href=\"https:\/\/nodejs.org\/en\/\">NodeJS<\/a> from <a href=\"https:\/\/www.npmjs.com\/package\/jpm\">NPM<\/a> like this:<\/p>\n<p><code class=\" language-bash\">npm install jpm<\/code><\/p>\n<h2>Generate API Credentials<\/h2>\n<p>In order to work with the signing API you first need to log in to <a href=\"https:\/\/addons.mozilla.org\/en-US\/developers\/\">the addons.mozilla.org developer hub<\/a> and <a href=\"https:\/\/addons.mozilla.org\/en-US\/developers\/addon\/api\/key\/\">generate API credentials<\/a>.<\/p>\n<h2>Signing an Add-on<\/h2>\n<p>To begin signing an <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/SDK\">SDK-based add-on<\/a> with jpm, change into the source directory and run this command:<\/p>\n<p><code class=\" language-bash\">jpm sign --api-key ${AMO_API_KEY} --api-secret ${AMO_API_SECRET}<br \/>\n<\/code><\/p>\n<p>This will fetch a signed XPI file to your current directory (or <code>--addon-dir<\/code>) that you can self-host for installation into Firefox. Read more about <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/Distribution\">add-on distribution here<\/a>. Since this XPI is intended for distribution outside of <a href=\"https:\/\/addons.mozilla.org\/\">addons.mozilla.org<\/a>, it assumes you don&#8217;t want your add-on listed on <a href=\"https:\/\/addons.mozilla.org\/\">addons.mozilla.org<\/a>. This is referred to as an <em>unlisted add-on<\/em>.<\/p>\n<h2>Updating an Add-on<\/h2>\n<p>To sign a new version of your unlisted add-on, just increment the version number in your <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/SDK\/Tools\/package_json\">package.json<\/a> file and re-run the jpm sign command.<\/p>\n<h2>Signing XPI Files Directly<\/h2>\n<p>If you aren&#8217;t using jpm to manage your add-on, you can still sign the XPI file directly, like this:<\/p>\n<p><code class=\" language-bash\">jpm sign --xpi \/path\/to\/your-addon.xpi --api-key ... --api-secret ...<\/code><\/p>\n<h2>Signing Requirements<\/h2>\n<p>We recently <a href=\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/01\/de-coupling-reviews-from-signing-unlisted-add-ons\/\">made changes<\/a> to the signing requirements for add-ons not listed on <a href=\"https:\/\/addons.mozilla.org\/\">addons.mozilla.org<\/a>. We still do some basic checks to make sure that the add-on is well formed enough to install without errors but if those checks pass, any add-on will be signed.<\/p>\n<p>Keep in mind that signing is only required for distributing your add-on. You can always install unsigned add-ons into a development version of Firefox for testing purposes.<\/p>\n<h2>Listed Add-ons<\/h2>\n<p>The jpm sign command currently doesn&#8217;t support add-ons distributed on <a href=\"https:\/\/addons.mozilla.org\/\">addons.mozilla.org<\/a> (referred to as <em>listed add-ons<\/em>) at the moment. Listed add-ons still require a manual review.<\/p>\n<h2>Going Further<\/h2>\n<p>We hope that the jpm command eases the development burden introduced by signing. See the <a href=\"https:\/\/developer.mozilla.org\/en-US\/Add-ons\/SDK\/Tools\/jpm#jpm_sign\">jpm sign reference documentation<\/a> for more options, features, and examples. As usual, please <a href=\"https:\/\/github.com\/mozilla-jetpack\/jpm\/\">report bugs<\/a> if you run into any.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With this week&#8217;s release of Firefox 43, all add-ons must now be signed. While this will make the block-list and other malware prevention measures more effective, add-on developers who wish &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/\">Read more<\/a><\/p>\n","protected":false},"author":293,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44,581,588,742],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Signing Firefox add-ons with jpm sign - Mozilla Add-ons Community Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"kumar303\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/\",\"url\":\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/\",\"name\":\"Signing Firefox add-ons with jpm sign - Mozilla Add-ons Community Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#website\"},\"datePublished\":\"2015-12-18T16:03:33+00:00\",\"dateModified\":\"2015-12-18T16:03:33+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/aa2b14e555e8a5fec38a51659b15e3c4\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/addons\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Signing Firefox add-ons with jpm sign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/addons\/\",\"name\":\"Mozilla Add-ons Community Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/addons\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/aa2b14e555e8a5fec38a51659b15e3c4\",\"name\":\"kumar303\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/059920b9daee1ece045f4031037ffb79?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/059920b9daee1ece045f4031037ffb79?s=96&d=mm&r=g\",\"caption\":\"kumar303\"},\"description\":\"Kumar hacks on Mozilla web services and tools for various projects, such as those supporting Firefox Add-ons. He hacks on lots of random open source projects too.\",\"sameAs\":[\"http:\/\/farmdev.com\/\",\"https:\/\/www.facebook.com\/kumar303\",\"https:\/\/x.com\/kumar303\"],\"url\":\"https:\/\/blog.mozilla.org\/addons\/author\/kmcmillanmozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Signing Firefox add-ons with jpm sign - Mozilla Add-ons Community Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/","twitter_misc":{"Written by":"kumar303","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/","url":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/","name":"Signing Firefox add-ons with jpm sign - Mozilla Add-ons Community Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/addons\/#website"},"datePublished":"2015-12-18T16:03:33+00:00","dateModified":"2015-12-18T16:03:33+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/aa2b14e555e8a5fec38a51659b15e3c4"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/addons\/2015\/12\/18\/signing-firefox-add-ons-with-jpm-sign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/addons\/"},{"@type":"ListItem","position":2,"name":"Signing Firefox add-ons with jpm sign"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/addons\/#website","url":"https:\/\/blog.mozilla.org\/addons\/","name":"Mozilla Add-ons Community Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/addons\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/aa2b14e555e8a5fec38a51659b15e3c4","name":"kumar303","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/addons\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/059920b9daee1ece045f4031037ffb79?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/059920b9daee1ece045f4031037ffb79?s=96&d=mm&r=g","caption":"kumar303"},"description":"Kumar hacks on Mozilla web services and tools for various projects, such as those supporting Firefox Add-ons. He hacks on lots of random open source projects too.","sameAs":["http:\/\/farmdev.com\/","https:\/\/www.facebook.com\/kumar303","https:\/\/x.com\/kumar303"],"url":"https:\/\/blog.mozilla.org\/addons\/author\/kmcmillanmozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts\/7624"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/users\/293"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/comments?post=7624"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/posts\/7624\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/media?parent=7624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/categories?post=7624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/addons\/wp-json\/wp\/v2\/tags?post=7624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}