verifying unpacked signed add-ons

Robert Helmer rhelmer at mozilla.com
Fri Nov 3 22:34:05 UTC 2017


On Fri, Nov 3, 2017 at 3:25 PM, David Keeler <dkeeler at mozilla.com> wrote:
> [firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
> direct follow-up discussion to dev-platform]
>
> Hello All,
>
> As you're no doubt aware, from 57 onwards, only signed WebExtensions
> will be available as add-ons for the general release population. My
> understanding is these are all packaged as "xpi" files (zip files,
> really, but what's important is that they're bundled up as a single file
> rather than a directory). Add-on developers can develop their add-ons by
> temporarily loading them as unsigned packages or unsigned unbundled
> directories (again, if my understanding is correct).
>
> This leaves the question of what use we have for verifying unbundled
> add-ons. Is there ever a case where we want to verify an unbundled yet
> signed add-on? For example, do we ever do this with system add-ons? (And
> if we do, I've been told this would be bad for performance, so perhaps
> we should disallow this?)


System add-on updates must be packed into a XPI[1]. Built-in add-ons are always
shipped packed (along with Firefox in the application directory), but unpacked
will work for builds so you can modify a file in ./browser/extensions/ and see
the change without a rebuild.

We plan to move built-in add-ons into the omni jar eventually (bug 1357205).


>
> Thanks,
> David
>

1 - http://searchfox.org/mozilla-central/rev/af86a58b157fbed26b0e86fcd81f1b421e80e60a/toolkit/mozapps/extensions/internal/XPIProvider.jsm#6561

