[tracking] Allow add-ons to be run unsigned

RESOLVED FIXED

Status

()

Toolkit
Add-ons Manager
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: Andy McKay, Unassigned)

Tracking

({dev-doc-complete})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
This is a tracker to track the bugs for allowing add-ons to be run unsigned in stable versions, even with the xpinstall.signatures.required, set to True (or enforced).

There have been multiple conversations about this, the last one involved having a setting that:
* needed be turned on through user input
* lasts until Firefox quits
Depends on: 1209341
Depends on: 1209344
Would that allow us to get rid of the auto signing of beta files on AMO? We currently sign all beta files, whether they pass auto validation or not.
If this bug would allow a decent/sufficient experience for beta testers, I would gladly get rid of it.

Comment 2

3 years ago
cc'in other interested people

+1000000 to this bug

tl;dr IMO (FWIW), without this, our chances of maintaining the 44 add-on signing enforcement time-line with regards to release and continuous integration automation support would be at risk. In other words, as it stands, releng, relman, and the automation team are relying on this bug to be completed before FF 44 (beta).


\o/ having a switch that allows us to override 'add-on signing enforcement' while we build+test would be a huge win

As mentioned in previous meetings, our build and test automation has an extensive list of add-ons. Without this bug, it would take weeks (longer?) of work to track and extend our logic to sign each add-on in automation whether we had an API available or not. In addition, we'd possibly have to support a duplicate set of builds + tests for developers that didn't want to go through the hassle of signing as they iterate quickly. All of this work would then be thrown out once this bug was finished.

Do we have a rough ETA when this will be available and when the release and automation team can implement it into our build and test automation? Is there anything we can do to help push this along?

Comment 3

3 years ago
"needed be turned on through user input" (comment #0) and "build and test automation" (comment #2) doesn't look like a match.

Comment 4

2 years ago
Bugs only for restartless addons seem to be tracked. Is there any discussion about non-restartless (legacy style) addons?
(Reporter)

Updated

2 years ago
Keywords: dev-doc-needed
(Reporter)

Comment 5

2 years ago
(In reply to YUKI "Piro" Hiroshi from comment #4)
> Bugs only for restartless addons seem to be tracked. Is there any discussion
> about non-restartless (legacy style) addons?

Not at this time, having the addon not be around at the next Firefox restart limits the ability to abuse this feature. There would have to be a different mechanism for non-restartless addons.
(Reporter)

Comment 6

2 years ago
https://blog.mozilla.org/addons/2015/12/23/loading-temporary-add-ons/
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
I've updated https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Packaging_and_installation, mostly to cover this feature - would you mind taking a look?
Flags: needinfo?(amckay)
(Reporter)

Comment 8

2 years ago
Minor points

* add-on needs to be bootstrapable, SDK or web extensions
* you can select any file in the add-on, but saying manifest.json is easy I guess

When the other bugs land for this, it will become more awesome.
Flags: needinfo?(amckay)
Keywords: dev-doc-needed → dev-doc-complete
You need to log in before you can comment on or make changes to this bug.