MozillaZine

Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
LoudNoise
New Member

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted June 3rd, 2015, 8:16 pm

A question.

I know a fellow who writes an extension. Due to medical issues (a notable fall), he hasn't updated it for the last couple of versions but hopes to get back to it in a couple of months. Will the existing, non-working version be automatically signed or should he throw together something that does so he won't have to go through the BS?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted June 3rd, 2015, 11:37 pm

AMO considers everything that is maxVersion of 4.0 or higher, which does not fail over a certain number of validation checks to be compatible... and an automated system marks them as compatible.

AMO also has a system that flags extensions which are using deprecated APIs in Aurora. So if by chance the extension we are talking about just happened to rely on an API that was removed in Firefox 40 (and reported by the developer who removed it as important) then that extension would not automatically be version-bumped as compatible. That case should cause the developer to be notified by email that they need to update their extension. The chances of that happening are extremely rare simply because the mechanism for polling deprecated APIs isn't very good and broken extensions get automatically bumped every version. It's far more likely that a broken extension would be automatically version bumped and automatically signed even though it doesn't work than the opposite.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

therube

Posts: 19784
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 4th, 2015, 8:33 am

Hmm, I wonder?

I'm thinking that while the .xpi itself may not work, the actual Plugin would? Simply by copying the .dll into a /plugins/ directory?

So the intent with signing is to block malicious "extensions" (type 2), so typically a .xpi.
But what if the malware doesn't use an extension, per se, but instead drops a malicious .dll into Profile/plugins/?
Say some malicious 'npwidevinemediaoptimizer.dll' gets dropped there.
No .xpi involved, so no signing needed, but the .dll provides the necessary piece to "get the job done".
Will something like that fly?

(You might think that you would get a "UAC-like" prompt on detection of a new Plugin that hasn't been specifically accepted, or at the least anything "new" would automatically be set to a 'Never activate' status?)


Themes, dictionaries, language packs, and plugins don't need to be signed.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted June 4th, 2015, 12:06 pm

I'm not sure that a plugin can actually do anything unless it is requested. I DO wish Mozilla would automatically mark new plugins as Ask to Activate.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

sonthakit
 
Posts: 28
Joined: July 13th, 2011, 11:31 pm

Post Posted June 5th, 2015, 9:27 pm

I tried to upload my add-ons to be signed to see what happens (bookmark favicon changer, gmail watcher, hotmail watcher, yahoo mail watcher, yandex mail watcher).

It returned the error "Duplicate UUID found".

So I think the error comes from the history that these add-ons had been at AMO in the past. After changing to self-hosting, I cannot sign it, even though Mozilla has deleted it from their store.

... I just want to tell my users that I tried to sign but failed. Sorry to my users.

Sonthakit

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted June 5th, 2015, 9:31 pm

You should probably contact someone at AMO or file a bug against that. If an extension has been removed, AMO needs to purge the GUID. Creating a new GUID is not a solution because then it will not automatically update and users who install the signed extension will end up with two identical extensions, which could cause serious problems.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

LoudNoise
New Member

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted June 5th, 2015, 9:32 pm

You might want to enter a bug at Bugzilla. This entire thing reeks of something driven by marketing. Also, knowing Mozilla, you might want to clear your Mozilla cookies.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

therube

Posts: 19784
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 7th, 2015, 7:19 am

AMO needs to purge the GUID

Maybe they might want to keep deprecated GUIDs around for something like blocklist usage?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

WaltS48

Posts: 3911
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Post Posted June 7th, 2015, 8:30 am

sonthakit wrote:
I tried to upload my add-ons to be signed to see what happens (bookmark favicon changer, gmail watcher, hotmail watcher, yahoo mail watcher, yandex mail watcher).

It returned the error "Duplicate UUID found".

So I think the error comes from the history that these add-ons had been at AMO in the past. After changing to self-hosting, I cannot sign it, even though Mozilla has deleted it from their store.

... I just want to tell my users that I tried to sign but failed. Sorry to my users.

Sonthakit


All use the same UUID? Maybe they need a unique UUID for each extension.

Add-ons must use a single unique ID during their entire lifetime.

Using the same ID for multiple products, or multiple IDs for a single product, can lead to problems with automatic updates as well as blocklisting conflicts. Add-ons may change their IDs due to ownership changes, as they commonly use an email address-like format (e.g., personasplus@mozilla.com).


Add-on guidelines - Mozilla | MDN
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5

Frank Lion

Posts: 20316
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted June 7th, 2015, 8:46 am

WLS wrote:All use the same UUID?

No.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

lithopsian
 
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Post Posted June 7th, 2015, 12:43 pm

therube wrote:
AMO needs to purge the GUID

Maybe they might want to keep deprecated GUIDs around for something like blocklist usage?

If you explicitly delete an addon, the UUID is available immediately for re-use. I don't know how this addon was "removed", but I suspect it never actually was. Perhaps just "disabled" so still there really.

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted June 7th, 2015, 6:05 pm

Actual *deletion* of extensions was not available until relatively recently. I actually only noticed it a few months ago because I have dozens of "test" extensions just sitting there with no way to get rid of them for years.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

mightyglydd

Posts: 9459
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted June 8th, 2015, 6:31 pm

Philip Chee wrote:
jimfitter wrote: Patrick, LCD Clock is an extension that hasn't been supported in at least 7-8 years, yet still works fine today, with compatibility disabled. You won't find it on AMO.
It was originally made by Bloodeye. viewtopic.php?f=19&t=376281
I have version 0.3. PM me if you want it.

I have 0.4.2 on my website: http://xsidebar.mozdev.org/modifiedmisc.html#lcdclock
Phil

Hmm.. I just got an update from 0.4.2 to Clocki 0.4.6 (unsigned)?

<!-- FireFox -->
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.5</em:minVersion>
<em:maxVersion>42.0</em:maxVersion>

Not that I'm complaining but how did this happen, it's not at AMO :-k SeaMonkey too..Do we have a tooth fairy :)
#KeepFightingMichael

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted June 8th, 2015, 6:59 pm

The entire install.rdf would have been more informative... especially the bit that specifies (or not) an update source.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

mightyglydd

Posts: 9459
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted June 8th, 2015, 7:01 pm

Your wish is...

<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">

  <Description about="urn:mozilla:install-manifest">

    <!-- em:id="lkopi@pkp.net"
         Front End MetaData -->
    <em:id>lcdclock_bloodeye@gmail.com</em:id>
    <em:name>Clocki</em:name>
    <em:version>0.4.6</em:version>
    <em:description>An LCD looking clock</em:description>

    <em:creator>Bloodeye</em:creator>
    <em:contributor>menet fr-FR</em:contributor>
    <em:contributor>MetalStream es-AR</em:contributor>
    <em:optionsURL>chrome://lcdclock/content/options.xul</em:optionsURL>
    <!-- <em:aboutURL>chrome://____EXTENSION_NAME____/content/_____XUL_FILE_NAME_____</em:aboutURL> -->
    <em:iconURL>chrome://lcdclock/skin/exticon.png</em:iconURL>

    <!-- FireFox -->
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.5</em:minVersion>
        <em:maxVersion>42.0</em:maxVersion>
      </Description>
    </em:targetApplication>

    <!-- Thunderbird -->
    <em:targetApplication>
      <Description>
        <em:id>{3550f703-e582-4d05-9a08-453d09bdfdc6}</em:id>
        <em:minVersion>3.0a1pre</em:minVersion>
        <em:maxVersion>42.0</em:maxVersion>
      </Description>
    </em:targetApplication>

    <!-- SuiteRunner -->
    <em:targetApplication>
      <Description>
        <em:id>{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}</em:id>
        <em:minVersion>1.5a</em:minVersion>
        <em:maxVersion>2.38</em:maxVersion>
      </Description>
    </em:targetApplication>

  </Description>
</RDF>
#KeepFightingMichael
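
The check asked for earlier in the thread (does install.rdf specify an update source or not?), as an added example that is not part of any post here. It reads the real manifest properties em:updateURL and em:updateKey; the function names, the result labels, the trimmed sample and the assumption that a manifest without em:updateURL is updated through the application's default update service are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample: the manifest posted above, trimmed to the fields checked here.
SAMPLE = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>lcdclock_bloodeye@gmail.com</em:id>
    <em:version>0.4.6</em:version>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.5</em:minVersion>
        <em:maxVersion>42.0</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>"""

def prop(node, name):
    """Read an em: property written as a child element or as an attribute."""
    child = node.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return node.get(f"{{{EM}}}{name}")

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    manifest = next(d for d in root.iter(f"{{{RDF}}}Description")
                    if "urn:mozilla:install-manifest" in (d.get("about"), d.get(f"{{{RDF}}}about")))
    url, key = prop(manifest, "updateURL"), prop(manifest, "updateKey")
    if url is None:
        # Assumption: no em:updateURL means the application's default update service is used.
        source = "application default update service"
    elif urlparse(url).scheme == "https":
        source = "https: " + url
    elif key:
        source = "http with updateKey: " + url
    else:
        source = "INSECURE http without updateKey: " + url
    targets = {prop(d, "id"): (prop(d, "minVersion"), prop(d, "maxVersion"))
               for ta in manifest.findall(f"{{{EM}}}targetApplication")
               for d in ta.iter(f"{{{RDF}}}Description")}
    return {"id": prop(manifest, "id"), "version": prop(manifest, "version"),
            "update_source": source, "targets": targets}

print(audit_manifest(SAMPLE))
```
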
