Sign Firefox Extensions
In the light of recent events related to the release of Mozilla Firefox 48, which brought the nickname among some users, due to the mandatory presence of a signature on the extensions, people faced with this problem faced a choice, either:
As you may have guessed, here we will talk about the latter method. If we do not plan to distribute extensions through the official catalog, then we can get a signature without manual checks, i.e. simply and easily.
For this we need:
We will consider the process of signing on the example of the "Random Agent Spoofer" extension. This extension contains a list of user agents that quickly become obsolete, and the supplement is not updated frequently. In turn, in the official repository, the files with the data we need are updated regularly and a logical desire arises to use them.
So, the account registered, the software environment is installed, you can proceed.
We take the experimental extension and unpack it into a separate folder, in our case we use the repository view located at https://github.com/dillbyrne/random-agent-spoofer .
We get the following directory structure:
If a ready-made assembled extension is used, then in the root of the folder where it is unpacked, you need to delete the “bootstrap.js” files and
“Install.rdf”, they are created by the build program, and when modifying already signed add-ons, the META-INF folder is also added. Since we are dealing with a not yet collected supplement, this is not required. The next step is to edit the file “package.json”, which is again located in the root of the unpacked extension directory. In our case, its beginning looks like this:
If it contains an “id” parameter, it must either be changed or deleted. Otherwise, we will get an error when trying to sign that we are not its owner.
Next, command the following "spell" to build the extension to the archive:
')
or simply:
The output should be the file of the assembled .xpi extension, which we will sign.
And now let's prepare our api-key, for the sake of obtaining which we registered on addons.mozilla.org . You can see it at addons.mozilla.org/ru/developers/addon/api/key in this form:
where <private data> is your personal key. And in conclusion, in fact, the act of signing itself is carried out by ordering:
If everything passes without errors and the automatic check is passed, then in the current directory we will get a signed extension, which we needed.
Useful links:
Jpm documentation: developer.mozilla.org/en-US/Add-ons/SDK/Tools/jpm
Signing Api: olympia.readthedocs.io/en/latest/topics/api/signing.html
Thank you all for your attention, good luck!
- do not use unsigned extensions (bad option);
- use non-branded builds;
- go devious ways, trying to disable checks by any means, some of which are suggested in the following comments:
https://geektimes.ru/post/279132/#comment_9480372
https://geektimes.ru/post/279132/#comment_9480382
- sign the required extension yourself.
As you may have guessed, here we will talk about the latter method. If we do not plan to distribute extensions through the official catalog, then we can get a signature without manual checks, i.e. simply and easily.
For this we need:
- account on addons.mozilla.org
- installed nodejs version> = 0.10
- npm version> = 3.0.0 (npm up npm)
- jpm for nodejs (npm install jpm).
We will consider the process of signing on the example of the "Random Agent Spoofer" extension. This extension contains a list of user agents that quickly become obsolete, and the supplement is not updated frequently. In turn, in the official repository, the files with the data we need are updated regularly and a logical desire arises to use them.
So, the account registered, the software environment is installed, you can proceed.
We take the experimental extension and unpack it into a separate folder, in our case we use the repository view located at https://github.com/dillbyrne/random-agent-spoofer .
We get the following directory structure:
test\
lib\
doc\
data\
.gitignore
LICENSE
package.json
README.md
If a ready-made assembled extension is used, then in the root of the folder where it is unpacked, you need to delete the “bootstrap.js” files and
“Install.rdf”, they are created by the build program, and when modifying already signed add-ons, the META-INF folder is also added. Since we are dealing with a not yet collected supplement, this is not required. The next step is to edit the file “package.json”, which is again located in the root of the unpacked extension directory. In our case, its beginning looks like this:
{
"name": "random-agent-spoofer",
"title": "Random Agent Spoofer",
"id": "jid1-AVgCeF1zoVzMjA@jetpack",
"description": "Allows the use of various browser profiles (including useragent ,platform, oscpu, accept headers and other options), which it can randomly switch between after a chosen period of time has expired",
"author": "dbyrne",
...
}
If it contains an “id” parameter, it must either be changed or deleted. Otherwise, we will get an error when trying to sign that we are not its owner.
Next, command the following "spell" to build the extension to the archive:
')
jpm xpi --addon-dir < >
or simply:
jpm xpi , if the current directory is the root of the unpacked extension.
The output should be the file of the assembled .xpi extension, which we will sign.
And now let's prepare our api-key, for the sake of obtaining which we registered on addons.mozilla.org . You can see it at addons.mozilla.org/ru/developers/addon/api/key in this form:
JWT: <private data>
JWT: <private data>
where <private data> is your personal key. And in conclusion, in fact, the act of signing itself is carried out by ordering:
jpm sign --api-key <api-key data> --api-secret <api-secret data> --xpi < >
If everything passes without errors and the automatic check is passed, then in the current directory we will get a signed extension, which we needed.
Useful links:
Jpm documentation: developer.mozilla.org/en-US/Add-ons/SDK/Tools/jpm
Signing Api: olympia.readthedocs.io/en/latest/topics/api/signing.html
Thank you all for your attention, good luck!
Source: https://habr.com/ru/post/355144/
All Articles