With all the addons waiting for review, is or would you consider an option for a paid priority process? We are seeing people waiting months to get their add ons reviewed. Our current verified, unlisted add on is being disabled every time the user restarts their browser.
1 Like
If your unlisted and signed add-on is being disabled between restarts then it is either a bug and should be reported or the add-on has been modified after being signed.
Don’t mistake signing an add-on with having a signed add-on, the first doesn’t make your add-on a signed one, instead it takes your add-on, signs it on their end and then returns the signed add-on.
It is that returned and signed add-on which you have to download/use and only then you can distribute that signed add-on which has the signature files in it.
Thanks Particle. That’s quite possible. We are using the crossrider framework which unfortunately doesn’t work with AMO.
We are in the process of rebuilding all our extensions without crossrider. It has been a bumpy road using the crossrider framework this past year getting flagged as a virus or just flat out blocked in Firefox.
If I recall correctly, there have been a lot of problems with Crossrider and Firefox add-ons in the past year to the point of even considering blocking any add-on built on Crossrider (extensively abused for malware), it is possible that your add-on could be signed but it is blacklisted just because of Crossrider or even anti-virus might be tampering with it.
To be certain of what your issue might be at this point I think it is best to wait for a team member to check your situation.
In the meantime you could provide helpful information such as the process of signing you are using, how you are doing it and if you are changing the signed add-on after it has been signed before distribution, or any other information you can share that might be relevant.
1 Like
Thanks Particle!
Here is a link to the add on.
https://addons.mozilla.org/en-US/developers/addon/classlink-oneclick/versions/1785416
The process we used for signing is, we uploaded the add on to the AMO Hub as unlisted. It verified the app automatically. We then downloaded the file from the link above and hosted it on our server.
https://www.evernote.com/l/AIZj9z9EbK1C3ZHPPBkoXm7kPIWxB4nsgDg
Installing the add on works perfectly fine. After a restart, it gets disabled.
https://www.evernote.com/l/AIbtAjb8DxdFXqQocfPZkrNd_qOiShFBrm8
This addon is only used by our customers that use our product. Is there anyway we can get it whitelisted? We really have no need to even list it in the AMO store. We would also be happy to donate to the Mozilla cause.
A quick search shows that you have already posted about a similar issue around a month ago:
The team members’ responses lead me to believe that everything is alright, whatever is happening appears to be only on your end and by the looks of it it sounds like the hosts you use are modifying the add-on itself, which invalidates the signature.
Try downloading the signed add-on from AMO to your desktop and install it through the Firefox Add-on manager page:
If it installs correctly and it is no longer disabled after browser restarts then it is confirmed that something is modifying the add-on when you host it yourself.
Never modify a signed add-on, once you change anything inside a signed add-on its signature will become automatically invalid.
Thanks will give it a shot. All we did was change the name. That shouldn’t invalidate the signature should it? It installs fine the first time.
No, changing just the filename (Extension.xpi to NewExtensionName.xpi) will not invalidate the signature, modifying the contents will.
Ok I was able to replicate the failure.
If I drag and drop the file onto Firefox or have it auto install from the download link, it fails after restart.
If I manually install the file using install add on from file it works after restart. Any ideas why the same file fails if we try to install the file from the link or drag and drop on to Firefox?
Also what mime type do you recommend? Amazon defaulted to application/octet-stream. This forces a download of the file instead of auto launching. If I set the mime type to application/x-xpinstall, Firefox blocks it.
For now, we will keep the mime type octet-stream. That seems to be the most reliable. Then instruct users to add it manually.
Firefox no longer allows the installation of local add-ons by drag and drop, downloading and installing (via drag and drop or open downloaded file) is exactly the same thing since it installs the file that was downloaded to your local hard drive.
To prompt the add-on install from outside AMO I think you can no longer do it:
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/XPInstall/Installing_plugins
You are using the right mime type (application/x-xpinstall) but I think they stopped allowing direct install of add-ons hosted outside AMO unless they are whitelisted websites (as such is the case of AMO).
So far the only choices you have as far as I can see are to either do as you mentioned, instruct users on how to install the add-on via the add-on manager after downloading, or host the add-on on the AMO store and link its page (not the direct link to the add-on, but a link to its AMO page) for users to install with a couple of clicks.
You can also ask for further help from a team member.
Thanks. At least now we know a workaround. Until such time we host a new non-crossrider version of the add on, we will just instruct users to manually install the file.
Keep in mind that the limitations you are facing are not related to the Crossrider platform, but due to these being imposed by Mozilla themselves to increase security.
You will still have to instruct users on how to install it manually (if it is unlisted) unless Mozilla whitelists your website.
If you don’t mind, in my opinion, considering your focus and business, you would be better off hosting it on AMO, that way all you had to do would be to link users to the add-on page and they can install it with a click of a button (or two clicks, to be more accurate).
Understood, we are rewriting the add on without crossrider (almost done) and eventually plan on hosting it on AMO. That takes considerable time and requires us to wait for it to get approved which according to some posts here, could be months.
There were good comments by @Particle … thank you. 
Please note that Unlisted addons are reviewed by Admin reviewers and there are only a few admin reviewers.
On the other hand, there are more normal reviewers (like me).
Crossrider framework is not allowed on AMO at the moment.
Addons with minified, library (especially obscure libraries) will take longer to review.
There is no system for a paid review … however… you can get someone to check your code for problems before submitting to AMO!!
The AMO validator also gives a lot of good pointers to where some issues might be.
The big issue we have is crossrider and it will never pass until we strip it out completely. That is mostly done. We are now enhancing and testing the app.
The new version did pass the initial upload validation test with 23 warnings so we will focus on getting that down.
This is no longer the case, see https://blog.mozilla.org/addons/2015/12/01/de-coupling-reviews-from-signing-unlisted-add-ons/
I found today that you can install an add-on hosted outside AMO, as long as the content type is the correct one (application/x-xpinstall), all you have to do is instruct your users to click “Allow” on the add-on installation when prompted and then click “Install” at the end, example:
I tried hosting it from amazon cloudfront and its blocked by Firefox. Doesn’t prompt user to allow. When hosting the add-on from our domain directly and use the mime type above, it gets disabled on next restart automatically. It doesn’t get disabled if you use Install from file.