Reviewers can't install unsigned add-ons that don't have an ID

[spoji]

I had issues reviewing 17 WebExtensions add-ons this morning. All of those facing the same issue.

Let's take this add-on as an example :
https://addons.mozilla.org/en-US/editors/review/xorapl-czytnik version 2.0.0.

Installation of XPI xorapl_czytnik-2.0.0-fx+an.xpi (at the time when it was non signed) failed:

Firefox console shows :
Error: Cannot find id for add-on tmp-g35.xpi (resource://gre/modules/addons/XPIProvider.jsm:5676:17).

To what I remember from what Andy said at London is that id for web extensions are not mandatory anymore. Not sure what's going on here. TheOne and EvilJeff had some talks about this on #amo-editors.

I have saved a non-signed version of this xpi that can be downloaded here :
xorapl_czytnik-2.0.0-fx+an.zip . This is the exact XPI that AMO were giving me before I went ahead and approved the add-on.

Note that once approved and signed, the proper extension ID get added inside META-INF/mozilla.rsa. This seems good. To what I understand, those 17 "pushed to public" web extensions that had this issue before reviewing are good for the end users. They can install them without any problems and the proper ID got assigned (in this example @xora-czytnik is the ID).

A list of those 17 add-ons can be found in our "Add-on Review Log" on Jul 27, 2016. They all have " xora.pl," in their addon's names.

[wagnerand]

I think this comes down to: "Cannot install an unsigned webextension if it doesn't have an ID"?

[spoji]

Andreas is right. Modifying the unsigned XPI manifest.json by adding the id does the trick. For example :

"applications": {
"gecko": {
"id": "@xora-czytnik"
}
},

[andymckay]

Yeah that's going to be a problem. I can see two options:

• load the addon temporarily using about:debugging
• we could sign add-ons before they get reviewed with completely different certificate (that has ops and other considerations)

The first one is a little inconvenient for reviewers though.

[andymckay]

I suppose a third option that might be better than the second option (using a different cert):

• is to write out a copy of the add-on on the server with the manifest altered with a temporary id added, I can imagine a few problems with that though

[wagnerand]

Another option would be to add a random ID right after upload instead of after it has been signed.

[wagnerand]

load the addon temporarily using about:debugging

I just came across another add-on that is affected by this and decided to give this option a try. Unfortunately Firefox fails to load this add-on as well. Tested on release (48) and Nightly (51).

For the record, the error in Nightly is:
addons.xpi ERROR Error: aAddon must include an id, version, and type (resource://gre/modules/addons/XPIProvider.jsm:4803:20) JS Stack trace: this.XPIProvider.callBootstrapMethod@XPIProvider.jsm:4803:20 < this.XPIProvider.installTemporaryAddon<@XPIProvider.jsm:4057:5

[andymckay]

Filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1298060

[andymckay]

Please note that bug 1298060 is now closed, so this should be good.

[spoji]

Thanks Andy!

[ValentinaPC]

Verified on FF51.0a1(2016-09-18)- Win7 with xpinstall.signatures.required on false and no ID add-ons, obtained the following results:

1. Unsigned add-ons return "corrupt" message while trying to install them in about:addons (drag&drop installation "method")
   
   Message returned in the browser console: https://pastebin.mozilla.org/8911336
   Used add-on:
   Instapaper_v2.0.2.zip
2. Unsigned add-ons are installed with success in about:debugging; no error message displayed in the browser console;
   Used add-ons - the above one and:
   xorapl_czytnik-2.0.0-fx.an.zip

Are the results from point 1, expected?

[andymckay]

Results from point 1 are expected. It fails with this error:

1474317752361   addons.xpi  WARN    Invalid XPI: Error: Cannot find id for addon /Users/andy/Desktop/xorapl_czytnik-2.0.0-fx+an.xpi (resource://gre/modules/addons/XPIProvider.jsm:5817:17) JS Stack trace: AddonInstall.prototype.loadManifest<@XPIProvider.jsm:5817:17 < TaskImpl_run@Task.jsm:319:40 < Handler.prototype.process@Promise-backend.js:937:23 < this.PromiseWalker.walkerLoop@Promise-backend.js:816:7 < Promise*this.PromiseWalker.scheduleWalkerLoop@Promise-backend.js:747:11 < this.PromiseWalker.schedulePromise@Promise-backend.js:779:7 < this.PromiseWalker.completePromise@Promise-backend.js:714:7 < verifyZipSignedState/</callback.openSignedAppFileFinished@XPIProvider.jsm:1781:9

Loading an add-on with no ID at all is only supported in about:debugging.

[ValentinaPC]

Thanks Andy!
Marking this verified.