Question about addon signing

There is a member on the SUMO forum that had a question about addon signing. They are making a private addon for a company and part of their contract is that it can’t be shared with third parties. Therefore, submitting the addon to AMO for signing doesn’t work because the XPI is stored on Mozilla servers.

I see that Mozilla now offers alternative signing methods, one of which is the web-ext sign command. I’ve never used this before, but does the addon get uploaded to AMO at any point during the automated signing process?

Yes, signing happens on AMO servers.

1 Like

One way I could think of that avoids uploading your actual code is to write a small wrapper/bootstrapper extension that simply evaluates the actual extension code from a string source (browser.storage.local / some encrypted file / a web server / …).

This may (I’m not sure) be against Mozilla’s policies, but you could still get the wrapper signed automatically for manual distribution (even with unsafe-eval in the CSP).
Distributing the actual code separately from the extension wrapper shouldn’t be a problem in this context.

1 Like

The recommended approach in a situation like yours is to use the Enterprise Edition of Firefox, which supports a preference to disable signing.

1 Like