How can I self-sign and distribute those extensions?

I’m currently struggling to get my addon approved on AMO because of 'unsafe-eval' being used to make vuejs work in the options_ui. The only current solution seems to be to move to Webpack if vuejs is to, but that adds a layer of complexity I don’t want to deal with.

The previous attempt was with WebComponents, but it was a much more cumbersome (and unfruitful) experience compared to vuejs.

It would be much more preferable (and fun) to explore self-distribution. How can that be achieved safely?

Current research

Self signing

  • xpisign.py: seems to be missing the step about how to generate a .pem cert, but that should be possible to figure out

  • outdated mozilla doc: was able to generate an .xpi but it’s not clear yet how to automate it for CI and if it still works

Installing self-signed extensions

This is where I’m really struggling.

  • xpinstall.signatures.required=false seems to drastic. Allowing just any unsigned extension is hopefully not the only to allow installation from sources other than AMO.

  • xpinstall.whitelist has documentation on mozillazine but I couldn’t get it to work with localhost. There’s also xpinstall.whitelist.add, however it’s unclear to me how to use that. Should it be the extension ID e.g xpinstall.whitelist.add.<ID>?
    The firefox help discussion doesn’t explain why xpinstall.whitelist.add.36 means getpersonas.com. Where does that ID come from?