verifying unpacked signed add-ons

Robert Helmer rhelmer at
Fri Nov 3 22:34:05 UTC 2017

On Fri, Nov 3, 2017 at 3:25 PM, David Keeler <dkeeler at> wrote:
> [firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
> direct follow-up discussion to dev-platform]
> Hello All,
> As you're no doubt aware, from 57 onwards, only signed WebExtensions
> will be available as add-ons for the general release population. My
> understanding is these are all packaged as "xpi" files (zip files,
> really, but what's important is that they're bundled up as a single file
> rather than a directory). Add-on developers can develop their add-ons by
> temporarily loading them as unsigned packages or unsigned unbundled
> directories (again, if my understanding is correct).
> This leaves the question of what use we have for verifying unbundled
> add-ons. Is there ever a case where we want to verify an unbundled yet
> signed add-on? For example, do we ever do this with system add-ons? (And
> if we do, I've been told this would be bad for performance, so perhaps
> we should disallow this?)

System add-on updates must be packed into a XPI[1]. Built-in add-ons are always
shipped packed (along with Firefox in the application directory), but
unpacked will
work for builds so you can modify a file in ./browser/extensions/ and
see the change
without a rebuild.

We plan to move built-in add-ons into the omni jar eventually (bug 1357205)

> Thanks,
> David
> _______________________________________________
> firefox-dev mailing list
> firefox-dev at

1 -

More information about the firefox-dev mailing list