If I rename the output .xpi file-name, and retain the .xpi extension, will I invalidate the signing? Seems like it shouldn’t matter since it’s the contents that are signed.
Recompressing every file in .xpi (in the same order) into a new .xpi (=PKZIP) archive worked too, because the signature is for individual files in a .xpi archive. File names in a .xpi archive cannot be changed. Of course until SHA-1 is truly broken …
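An added illustration, not part of the posts above: a simplified Python model of the JAR-style per-file digest manifest in a signed .xpi, showing that the check depends on entry names and uncompressed contents, not on the archive's own file name or its compression. It assumes a constructed two-file add-on and omits the signature over the manifest itself; `build_xpi`, `verify` and `repack` are hypothetical helper names.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/manifest.mf"  # JAR-style manifest path inside the archive

def digest(data: bytes) -> str:
    """Base64 SHA-1 of the uncompressed entry content, as in a JAR manifest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_xpi(files: dict, compression: int) -> bytes:
    """Constructed stand-in for a signed XPI: entries plus a per-file digest manifest."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {digest(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as z:
        z.writestr(MANIFEST, "\n".join(lines))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def verify(xpi: bytes) -> bool:
    """True when every non-META-INF entry matches the manifest by name and digest."""
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        expected, name = {}, None
        for line in z.read(MANIFEST).decode().splitlines():
            key, _, value = line.partition(": ")
            if key == "Name":
                name = value
            elif key == "SHA1-Digest" and name:
                expected[name] = value
        actual = {n: digest(z.read(n)) for n in z.namelist()
                  if not n.startswith("META-INF/")}
    return actual == expected

def repack(xpi: bytes, compression: int, rename: dict = None) -> bytes:
    """Rewrite the archive entry by entry, in order, optionally renaming entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi)) as src, \
            zipfile.ZipFile(out, "w", compression) as dst:
        for n in src.namelist():
            dst.writestr((rename or {}).get(n, n), src.read(n))
    return out.getvalue()
```

The archive's file name never appears in the bytes being checked, which is why renaming the .xpi on disk has no effect on this verification.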