1218158 - unpacked global extensions are not verified

Status: RESOLVED INVALID

(Toolkit :: Add-ons Manager, defect)

Description

[Eschwartz]

User Agent: Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015200501

Steps to reproduce:

On: Arch Linux i686, distribution-packaged firefox 41.0.2-1
Distro-packaged extension: firefox-adblock-plus 2.6.11-1


Install an extension globally on linux (to the /usr/lib/firefox/browser/extensions/ directory).
The extension is unpacked.
Example: Adblock Plus (downloaded from https://downloads.adblockplus.org/adblockplus-2.6.11.xpi)



Actual results:

In about:addons I receive the warning "Adblock Plus could not be verified for use in Firefox. Proceed with caution."

Adblock Plus does not specify <em:unpacked> is true.
So reinstall the extension without unpacking it, and the warning goes away.

But this won't work for many extensions, such as HTTPS Everywhere and Lastpass, which must be unpacked.
Once extension signing becomes mandatory, these extensions will not be able to be installed globally.


Expected results:

Whether installing the .xpi or the unpacked extension folder, if an extension is properly signed it should be reported as verified.

Comment 1

[Dave Townsend [:mossop]]

(In reply to Eschwartz from comment #0)
> Install an extension globally on linux (to the
> /usr/lib/firefox/browser/extensions/ directory).
> The extension is unpacked.
> Example: Adblock Plus (downloaded from
> https://downloads.adblockplus.org/adblockplus-2.6.11.xpi)

This add-on hasn't been signed by Mozilla so it is expected that it would show that warning.

More generally extensions must have undergone full review in order to be sideloaded, many extensions have only been preliminarily reviewed.

Comment 2

[Eschwartz]

I see.

It was not immediately evident that that was the issue.
ISTR hearing mention of that, but I would have thought that "sideloaded" would refer to anything not loaded from within Firefox. Like, anything in the system installation dir.
Since "sideloaded" .xpi's worked fine, I thought something must be wrong.


If "sideloading" == "unpacking", well, I could install the .xpi directly, but that doesn't really help for extensions which need to be unpacked.
Does Mozilla intend that there be no way to globally install non-AMO extensions which require unpacking?


I say non-AMO extensions, because all the ones that are distributed from their own website seem to be only "preliminarily reviewed". Which can only be determined *after* installing them and seeing that they trigger warnings, and soon, errors.

Comment 3

[Dave Townsend [:mossop]]

(In reply to Eschwartz from comment #2)
> I see.
> 
> It was not immediately evident that that was the issue.
> ISTR hearing mention of that, but I would have thought that "sideloaded"
> would refer to anything not loaded from within Firefox. Like, anything in
> the system installation dir.
> Since "sideloaded" .xpi's worked fine, I thought something must be wrong.
> 
> 
> If "sideloading" == "unpacking", well, I could install the .xpi directly,
> but that doesn't really help for extensions which need to be unpacked.
> Does Mozilla intend that there be no way to globally install non-AMO
> extensions which require unpacking?

Sideloading is completely separate to unpacking. Sideloading means any method of installing an extension that isn't the user installing it from a website from within Firefox. So any of the install locations mentioned here: https://developer.mozilla.org/en-US/Add-ons/Installing_extensions

Sideloaded extensions require full review regardless of whether they are unpacked or not.

> I say non-AMO extensions, because all the ones that are distributed from
> their own website seem to be only "preliminarily reviewed". Which can only
> be determined *after* installing them and seeing that they trigger warnings,
> and soon, errors.

Non-AMO hosted add-ons can be sideloaded as long as they are fully reviewed.