<div dir="ltr"><div><div><div><div>Even though I run dev edition as my main browser and have signing enforcement turned off, I recently spent the time to get my personal extensions signed[1] using the `jpm sign` command now available and the keys issued to me by AMO[1]<br><br></div>It's actually a really painless process, I'm pretty impressed. If you're creating an add-on I really recommend the following workflow:<br><br></div>* use jpm watchpost for development against dev edition or nightly<br></div>* if you want a signed version to install in Beta or Release, use jpm sign<br><br></div>Jeff<br><div><br>[1] <a href="https://github.com/canuckistani/sup-son/">https://github.com/canuckistani/sup-son/</a><br>[2] <a href="https://addons.mozilla.org/en-US/developers/addon/api/key/">https://addons.mozilla.org/en-US/developers/addon/api/key/</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 16, 2015 at 10:41 PM, Sebastian Zartner <span dir="ltr"><<a href="mailto:sebastianzartner@gmail.com" target="_blank">sebastianzartner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>What about allowing users to explicitly enable certain extensions they trust and warning them about the risks of installing an unsigned extension?<br></div>For example, I am using the Shumway[1] and MDN documentation tester[2] extensions, which are both created by Mozilla staff, though are deactivated now by default, because they are not signed.<br><br></div>Forcing users to install a different version of Firefox will surely make many of them move away from it.<br><br></div><div>I also want to remind that automatic extension signing is <i>not</i> a guarantee that it is safe.[3][4]<br></div><div><br></div>Sebastian<br><br>[1] <a href="https://github.com/mozilla/shumway/" target="_blank">https://github.com/mozilla/shumway/</a><br>[2] <a href="https://github.com/Elchi3/mdn-doc-tests" target="_blank">https://github.com/Elchi3/mdn-doc-tests</a><br>[3] <a href="https://groups.google.com/d/topic/firefox-dev/wqVkCo20c3E/discussion" target="_blank">https://groups.google.com/d/topic/firefox-dev/wqVkCo20c3E/discussion</a><br>[4] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1227867" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=1227867</a><div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On 16 December 2015 at 21:47, Dave Townsend <span dir="ltr"><<a href="mailto:dtownsend@mozilla.com" target="_blank">dtownsend@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Yes sorry I forgot about those. Those will be available from Firefox 44 onwards.<br>
<div><div><br>
On Wed, Dec 16, 2015 at 12:45 PM, »Q« <<a href="mailto:boxcars@gmx.net" target="_blank">boxcars@gmx.net</a>> wrote:<br>
> On Wed, 16 Dec 2015 11:17:05 -0800 Dave Townsend wrote:<br>
><br>
>> On Wed, Dec 16, 2015 at 11:10 AM, Axel Grude wrote:<br>
>><br>
>> > if (what I don't really believe) it becomes impossible to install an<br>
>> > unsigned addon through an about:config change, then how are we<br>
>> > supposed to test our Addons? Within a release cycle I may have to<br>
>> > build and test over 1000 different versions:<br>
>><br>
>> It won't be possible through an about:config change in beta and<br>
>> release builds however you will always be able to turn off signing<br>
>> requirements in the developer edition and nightly builds. We will<br>
>> also be including a way to load an unsigned add-on temporarily in<br>
>> future release versions, these must be restartless and will only<br>
>> remain installed until you restart Firefox.<br>
><br>
> From <<a href="https://wiki.mozilla.org/Addons/Extension_Signing#FAQ" rel="noreferrer" target="_blank">https://wiki.mozilla.org/Addons/Extension_Signing#FAQ</a>>:<br>
><br>
> There will also be special unbranded versions of Release and Beta<br>
> that will have this setting, so that add-on developers can work on<br>
> their add-ons without having to sign every build.<br>
><br>
> Is that still part of the plan?<br>
> _______________________________________________<br>
> firefox-dev mailing list<br>
> <a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a><br>
> <a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
_______________________________________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
</div></div></blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
<br></blockquote></div><br></div>