We had crashes on older versions of Fx (see bug 1158467). Testing shows that adding two newlines to the end of mozilla.sf will fix these crashes.
This would be to work around lacking the parsing as outlined in the jar signing docs: "Before parsing: If the last character of the file is an EOF character (code 26), the EOF is treated as whitespace. Two newlines are appended (one for editors that don't put a newline at the end of the last line, and one so that the grammar doesn't have to special-case the last entry, which may not have a blank line after it)." The parser should probably be changed (if you are going to use the jar signing spec) to account for this rule, and instead of just ignoring the error with a nullcheck as is done currently, the extension should be considered untrusted: "Errors: If a file cannot be parsed according to this spec, a warning should be output, and none of the signatures should be trusted." http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Notes_on_Manifest_and_Signature_Files
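Added example, not part of the original bug comments and not code from Firefox or signing-clients: a minimal Python parser for the manifest/signature section format that applies the pre-parse rule quoted above and trusts nothing when parsing fails. The function names, the `preparse_rule` switch and the sample bytes are assumptions made for illustration.

```python
import re
import warnings

HEADER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")

class ManifestParseError(ValueError):
    """The file does not follow the section grammar."""

def parse_sections(data, preparse_rule=True):
    """Parse manifest/.sf bytes into a list of {header: value} sections."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    if preparse_rule:
        if text.endswith("\x1a"):
            text = text[:-1]  # assumption: trailing EOF is dropped like whitespace
        text += "\n\n"        # "Two newlines are appended"
    lines = text.split("\n")
    if lines.pop() != "":
        raise ManifestParseError("last line is not newline-terminated")
    sections, current, last = [], {}, None
    for line in lines:
        if line == "":                      # blank line closes a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" "):          # continuation of the previous value
            if last is None:
                raise ManifestParseError("continuation line without a header")
            current[last] += line[1:]
        else:
            name, sep, value = line.partition(": ")
            if not sep or not HEADER_NAME.fullmatch(name) or name in current:
                raise ManifestParseError("bad or duplicate header: %r" % line)
            current[name], last = value, name
    if current:  # only reachable when the pre-parse rule is switched off
        raise ManifestParseError("final section has no terminating blank line")
    return sections

def trusted_sections(data, preparse_rule=True):
    """Return the parsed sections, or None (trust nothing) on a parse error."""
    try:
        return parse_sections(data, preparse_rule)
    except (ManifestParseError, UnicodeDecodeError) as exc:
        warnings.warn("signature file rejected: %s" % exc)
        return None

# Constructed sample: a .sf body that ends in a single newline.
SAMPLE_SF = b"Signature-Version: 1.0\nSHA1-Digest-Manifest: Y29uc3RydWN0ZWQ=\n"
```

With `preparse_rule=False` the sample ending in one newline is rejected, while the same bytes followed by one more newline parse, which is the situation the extra newline in mozilla.sf addresses for a parser that lacks the rule.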
We're not in the best spot since old browsers literally crash (vs just ignoring it or something benign) so we might not be able to do everything we want. That said, adhering to a spec would be nice. Dave - let us know if two newlines is still the plan.
We're actually just adding an additional newline to mozilla.sf so it ends with two newlines. This should still be compliant with the JAR spec.
PR submitted: https://github.com/mozilla/signing-clients/pull/17
Fixed in signing_clients: https://github.com/mozilla/signing-clients/commit/b7ca3c1029b67176668c29bb5f5b1b4ad5f3fac5
PR on olympia: https://github.com/mozilla/olympia/pull/532
STR:
1/ upload a new add-on
2/ have it signed by reviewing it (prelim or full, it doesn't matter)
3/ go to the add-on install page, once it's signed, with an old version of Firefox (version 28 or below), and install it
4/ Firefox should not crash