XPI file appears to be corrupt, sideloading from a website download

(Jacob Edward) #1

Following instructions from this website:

I’ve got the xpi file saved in my Androids download folder, when I click the file, firefox launchs and tells me the add on is unathorized, I then allow the install but get the error that the file appears to be corrupt… I’m pretty sure the manifest is written correctly,


“manifest_version”: 2,
“name”: “FireFoxExtension”,
“version”: “1.0”,



“content_scripts”: [
“matches”: ["://.mozilla.org/*"],
“js”: [“contentScript.js”]


I am using this simple shell script to zip the xpi file…

sudo zip -r -FS …/fireExtension.xpi *

any ideas?

(Andrei Petcu) #2

Is the xpi signed? It needs to be signed in order to install it. This is a simple process.

Also. I see you want to host it on your own web site. If you set the "Content-Type” header to “application/x-xpinstall” then it will install it without downloading it to the disk. This only happens if the extension is signed.

Here is another thread with a similar issue.

(Jacob Edward) #3

I don’t know the process of signing an xpi file, I looked for a while through the mozilla documentation on the web extensions api but I guess I missed the part about a signed xpi file…

At the moment, hosting isn’t the concern, its just easiest in the development phase to edit the files in the shell and zip - open them in the android file manager.

(Jacob Edward) #4

I also toggled this setting


in the about:config as mentioned by this documentation

(Andrei Petcu) #5

Are you using Nightly on Android? I think only Nightly can ignore signatures.

(Jacob Edward) #6

Just downloaded Nightly and toggled the signature requirement in about:config and opened the xpi file but it still appears to be corrupt…If you want to try, just run this script and you can download the xpi file onto your android and open it with firefox:

sudo rm -r firefoxExtension
sudo mkdir firefoxExtension
cd firefoxExtension

wget --no-check-certificate ‘https://docs.google.com/uc?export=download&id=0BwA2KVlVFTQtelV0QUVMc2NXZzA’ -O manifest.json
wget --no-check-certificate ‘https://docs.google.com/uc?export=download&id=0BwA2KVlVFTQtek85S3RneHJKVFU’ -O contentScript.js
wget --no-check-certificate ‘https://docs.google.com/uc?export=download&id=0BwA2KVlVFTQtRXZUMHlxMXQ3RjQ’ -O background.js

sudo zip -r -FS …/fireExtension.xpi *

You can inspect the manifest with:

sudo nano fireExtension/manifest.json


(Andrei Petcu) #7

Lots of issues :slight_smile:

First of all don’t use sudo. It should work without sudo. You should own both the source file and the destination file.

Second. zip does no validation. That is a shame. Put all your files in a directory called “extension” and use web-ext sign to pack and validate them. If you do not have web-ext then install it with the following sudo npm i -g web-ext. If you you have some ndenv/nvm tool for local node then you do not need sudo. After you have web-ext then run this to sing and validate them:

web-ext sign --api-key $API_KEY --api-secret $API_SECRET -s extesnion

You can get the values for API_KEY and API_SECRET from this page

After running this command on your extension I got this:

The URL in the error led me to this page:

After changing in the manifest from this to that it worked.



(Andrei Petcu) #8

Your ID should be either something looking like an email address "joe@example.com" or some GUUID in curly brakets “{CBF7FCD6-9792-11E7-BF90-E38E38EAFEDC}”. You can get GUUIDs from here.

Using email is not so good. You might want to change the email, you might not want people to know your email etc.

Use web-ext tool… it does all sorts of validations for you!

(Andrei Petcu) #9

If you completely skip the applications/gecko/id keys web-ext will generate one for you in a dot file in the extension dir.

(Jacob Edward) #10

Ok, I switched to the web-ext command and signed up for the API access key and secret, but its saying I dont own the addon (403), possibly because Im using google cloud shell to create the xpi file (which is a different machine that doesnt have me logged into firefox) that I then download to the android file system directly… is there a way around that issue? I dont have regular access to a shell given my two operating systems are chrome os and android, but in principle it should be handled with cloud shell no problem, right?

(Andrei Petcu) #11

Delete the application section from manifest.json and try again.

AMO wants your user to match the GUUID of the addon to the user. If the app ID is missing, it will generate a new one and assign it to you.

I generally log into AMO on my phone in FF with the same user I signed the addon with and install it from there. Go to addon versions.

(Andrei Petcu) #12

Are you passing the key and secret correctly to web-ext sign?

(Jacob Edward) #13

Deleting the application key from the manifest worked! Thank you so much lol, you made the transition from chrome extensions to firefox mobile extensions much much easier for me, thanks again!

(Andrei Petcu) #14

Glad to help! Thank you for taking the time to port your extension to Firefox! As a firefox user that sees way too often Chrome-only extension this makes me really happy. I really appreciate it.

Two more technical comments :smiley: after removing the id from manifest and running web-ext sign you should have some dot file in the project root. I think it is .web-extension-id or something like that. Add it to version control!

Second technical thing is that you should decide if your extension will be listed on AMO or unlisted and distributed on your own site. Listed ones have higher visibility, have more user privacy and get reviewer feedback which is usefull. The downside of listed addons is that review might take a few days. I hope you go with listed but if you don’t then you need to setup an update url from first version. Here is an example.

Good luck building fun stuff!

(Jacob Edward) #15

Thank you for those links, I may in the future list the project in AMO, really in experimentation mode right now given everything going on… Ive been playing with Chrome extensions for maybe two or three years now, but I just never anticipated the possibility that chrome mobile would be deliberately restricted from extensions… about a week ago I learned that firefox mobile does support extensions so I thought about it for a while and decided the only logical thing to do was to update from chrome to firefox… this wasnt something I was very interested in doing at first, but I had to admit the differences between the decision made by the two browsers were substantial. It might take a while, but the future of mobile browsing is not going to be chrome mobile… perhaps it will be Firefox or some other mobile browser supporting extensions, but Firefox is the clear leader in my opinion… if I’m right, we may see a trend in the reverse direction, of there being more popular extensions that are exclusive to firefox and not chrome given they were designed with mobile users in mind… which could be massive depending on if they can extend progressive web apps in firefox as well, I havent tested that yet but from what I know of how extensions work in Chrome, theres nothing in principle that would suggest a progressive web app couldnt take a content script… Anyways, lots on the to do list…

Another thing I’m interested in either building or installing depending if others have already built tools, is a fix for developer tools on the mobile browser… In theory it would be easy to put together some basic things like logging, but a full blown debugger tool like in the sources panel of chromes developer tools… I’m sure theres some web tools for debugging, but they would need to be iframed in an extension and the input piped from the html and javascript of all the pages the extension was injected into… know anything like that?

(Andrei Petcu) #16

Firefox Nightly supports PWAs. It’s my main mobile browser. You can enable PWAs in advanced settings.

You can debug mobile extensions. web-ext will also support debugging soon.

Firefox Focus made a pretty big splash in the mobile market.

(Jacob Edward) #17

I think you misunderstood, I am looking for a particular way of debugging… I want to be able to interact with a website on firefox mobile (using Android with a wireless keyboard and mouse like I am right now) in the same way I can interact with a website on firefox desktop but through some open source firefox extension since firefox mobile itself does not have this functionality… I think Chrome Dev Tools is open source, or at least they now give you the option to inspect Dev Tools the same way Dev Tools is used to inspect other websites… I really am only looking for the basics, like the Elements tab, Sourcs tab and the Console tab… I doubt that would be out of range of mobile devices… Either way, most of the work I do can be exclusively done through a browser portal now, so I’ve sorta moved everything to my Android device, including this browser extension I ported today for my cloud editor that gets injected into the GCP console where I can access the VM on compute engine (I run a shell script which downloads the latest version of a file from google drive and runs it with node (which has a debugger but not as familiar and not in a gui), the editor saves the file to google drive on a regular interval or on command)… everything’s working great so far… I mean, as a proof of concept for myself, I dont know what could be optimized in terms of cost accessibility (this Android is like $30 and the keyboard and mouse from ebay were about $20) and all of the functionality is there (editing still available offline with a progressive web app), including custom images and everything else available from the interface or gcloud sdk… Not sure if this thing is really what someone would want to download from the add on store though… part of the point is that its an open and customizable editor, you can see how I customized my editor here (the browser extension is just slightly modified from the chunk of code stringed in the bookmarklet file):


this is what it looks like on my device:


(Andrei Petcu) #18

I don’t think I know any such remote debugger. I’m not saying it does not exist, just that I don’t know about it.

(Jacob Edward) #19

Ok, thanks, Ill comment here if I find anything. Do you know of anybody in the Mozilla Firefox community interested in machine learning? I’ve been building my own personal JavaScript wrapper that calls Keras APIs… I’d say, having a ML interface in the most popular programming language on the planet and a very straight forward and complete means of working with ML JavaScript on the most popular and cost accessible operating system on the planet (Android) would give whatever contributions a true democraticization of ML their widest reaching potential, right? Democratizing ML is suppose to be the goal Google is pursuing, I wonder what their comments would be to my previous sentence… Anyways, Im just learning but find all this stuff absolutely fascinating.