Note
This is a concluded experiment (attempted reproduction of a blog post) where I was unable to reproduce successfully but found a suitable workaround!
To my knowledge, it is not possible to permanently install unsigned extensions to Firefox unless Firefox Developer or Firefox ESR is used.
However, it is possible to use AMO to sign the extension (interactive, is not delayed by AMO review) and then install it from a file to Firefox!
See the [Conclusion] section.
I use Firefox and I am okay with the fact that Firefox extensions are required to be signed, but I need an escape hatch for extensions that I authored myself and want to use without uploading them to AMO.
This is possible to go to about:debugging#/runtime/this-firefox
and click on
Load Temporary Add-On to load an unsigned add-on until Firefox is restarted.
This won't do for my needs as I have many extensions that I have developed for
myself and it is impractical to reload them all on Firefox restart.
Not to mention the fact that I do not feel as though I should need to do that.
I found a question where someone asked about this on Mozilla's Discourse forums: https://discourse.mozilla.org/t/what-is-the-easiest-way-to-install-a-local-unsigned-add-on-permanently/52005
The answer says to use Firefox Developer edition and then go to about:config
where xpinstall.signatures.required
can be toggled off to install an unsigned
extension and then back on.
I don't feel as though I should need to use Firefox Developer either. The answer on this question states that the preference doesn't do anything on Release or Beta builds of Firefox, though, so it seems Firefox Developer might be needed?
I found a blog post which spells out the same steps as the question above but makes no mention of Firefox Developer, it makes it look as though this should work on Firefox Release: https://wiringbits.net/browser-extensions/2020/11/27/installing-unsigned-extensions-permanently-to-firefox.html
I decided to try this out so I followed the Firefox extension development quick start guide to create a test extension: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Your_first_WebExtension
- Create
manifest.json
- Set the required
manifest_version
,name
andversion
fields - Leave out
icons
as it doesn't matter for a test extension - Set the
description
field - Set
content_scripts
which I set toexample.org
toconsole.log
on there - Go to
about:debugging#/runtime/this-firefox
- Click Load Temporary Add-On and find and select
manifest.json
- Go to
example.org
and open the developer tools Console tab - Verify the expected message has appeared there
- Quit and restart Firefox
- Go to
about:debugging#/runtime/this-firefox
- Notice the extension is no longer there
So this is not what we want, now let's try following the blog post's steps:
- Add
browser_specific_settings.gecko.id
tomanifest.json
- Set it to any valid email address
- Go to
about:config
and findxpinstall.signatures.required
- Set
xpinstall.signatures.required
tofalse
- Go to
about:addons
and click on the hamburger menu - Run
zip -r -FS ../my-extension.zip * --exclude '*.git*'
- Find and select
my-extension.zip
At this point the article makes it sound like this should work, but in reality I get this popup:
So it seems the answer on the question I linked above is correct; this setting does nothing in Release and Beta builds of Firefox and I do need to be using Firefox Developer for this to work. :/
I created a PR against the post's source code so that the author can consider updating it: wiringbits/wiringbits.github.io#38
Either this worked in 2020 when they published it or they were always using the Developer / ESR build of Firefox but did not mention it in the post.
Mozilla manages to disappoint the power user yet again. The choice is to either use Firefox Developer (or ESR) and suffer the forced use of the non-happy-path or to succumb to the AMO review shenanigans and suffer the cycles of review ghosting for a review interleaved with comment-free rejections and other bullshit which doesn't matter for personal extensions which do not make sense to be published on AMO in the first place.
I decided to verify these steps work in Firefox Developer and I am even more disappointed now:
The steps to pack the extension, disable extension signature checks and loading the extension all work, but afterwards, when turning extension signing back on, I am greeted with this:
The only way to be able to use the extension at all is to keep the extension signing disabled forever. When I do that, the screen looks like this now:
In the name of security, Mozilla has forced me to disable signature checks for all extensions instead of allowing me to grant an exception to an extension I wrote myself.
Alexis who wrote the blog post above mentioned recalling it might be possible to sign the extension without going through the AMO publishing process. I assume this includes no need to go through the review and get own extension reviewed needlessly.
I found steps for signing an extension here on Stack Overflow: https://stackoverflow.com/a/59172713/2715716
-
Go to AMO and generate an API key: https://addons.mozilla.org/en-US/developers/addon/api/key
-
Install
web-ext
using NPM:npm install --global web-ext
It looks like https://github.com/mozilla/sign-addon is an alternative.
-
Run
web-ext sign --api-key="JWT issuer" --api-secret="JWT secret"
-
Find
web-ext-artifacts/*.xpi
-
Go to
about:addons
and press the Gear icon -
Select Install Add-On From File and rejoyce