Addons unsigned dev pdf.js in Firefox

[ryanbr]

http://mozilla.github.io/pdf.js/extensions/firefox/pdf.js.xpi

Is currently Unsigned via the Firefox addons, can we have a signed copy of the dev xpi?

[Snuffleupagus]

Some information is available at https://wiki.mozilla.org/Addons/Extension_Signing.

[timvandermeij]

We need to look into this soon, as discussed on IRC, as otherwise the extension will not be installable anymore in the coming versions of Firefox.

[Snuffleupagus]

[...] as otherwise the extension will not be installable anymore in the coming versions of Firefox.

Given that extension signing is only going to be forced in Release and Beta versions, the statement above is not completely accurate.
In Nightly, and Aurora/DevEdition, it's possible to disable the signature requirement by setting xpinstall.signatures.required = false in about:config.

Since the development version is mainly intended for developers/testers (and not "regular" users), I don't think it's completely unreasonable to assume that those people are using Nightly or Aurora/DevEdition. This, in my opinion, makes signing of the development addon something more along the lines of a feature, rather than a hard requirement.

[automatedbugreportingfacility]

FWIW, the ability to install the development version in the release builds is useful for bug triaging occasionally -- one of the font issues I came across didn't bisect properly, installing the development version in the release build showed that it must have been a fallout from some change in the browser. Yes, you can probably do the same by installing older Nightlies, but it was nice to avoid the hassle.

I don't think it's completely unreasonable to assume that those people are using Nightly or Aurora/DevEdition

This assumption won't be correct in all cases, and limiting your target audience is never a good idea. And it basically leaves Release users who experience problems with the built-in pdf viewer with no other choice than wait until the changes bubble up in the release cycles. Not that I think that this whole sigining requirement is a good idea either, but I digress :)

[13xforever]

Firefox Developer Edition just disabled all of the unsigned addons, including pdf.js dev

[timvandermeij]

I agree with @automatedbugreportingfacility. I personally don't see fixing this issue as a feature, but rather as a requirement. I use the release and beta versions of Firefox on purpose, indeed for verifying problems or for determining the cause of an issue. Nightly can be unstable from time to time and even though I also use it for testing, I don't think it's good if we simply can't use the release/beta versions anymore for testing. It also does not make sense for new contributors that already use Firefox: they would need to install a separate copy of Firefox (developer edition/Nightly) just for working on PDF.js.

Bottom line I think is that if most versions of Firefox are blocking the add-on, we are significantly limiting not only our target audience but also the ability to verify issues across versions.

Note that I do think that signing add-ons is a good idea, but in its current form the process is a bit awkward. Not having an API to do the signing, but having to let everything go through AMO, has not been well thought through in my opinion.

[timvandermeij]

It appears that there is now an API for extension signing: https://olympia.readthedocs.org/en/latest/topics/api/signing.html. Hopefully someone can look into this.

[timvandermeij]

This is really becoming a problem now as of Firefox 43. The development add-on is now blocked. Marking as good beginner bug, hoping that someone can look into this soon.

/cc @yurydelendik @brendandahl as we might need authorization keys for the abovementioned API. Do you have an idea how this works yet?

[yurydelendik]

Botio shall perform async operation now: send add-on to signing service and wait for response to come back, then it can publish gh-pages

[yurydelendik]

See also https://github.com/mozilla/botio-files-pdfjs/blob/master/on_push.js#L22

[yurydelendik]

Fixed by mozilla/botio-files-pdfjs#15

Installation will only work if web page has reference to http://mzl.la/pdf-xpi -- typing this address into address bar will not.

[yurydelendik]

Forgot to mention, because the addon had to be changed, old versions of the addon must be installed to avoid two instances of the extension. Unsafe xpi install perf can be set to default now.

[yurydelendik]

Looks like AMO goes down sometimes and/or signing process takes longer than 5 minutes, so we might have some versions of pdf.js.xpi not signed.

[timvandermeij]

Works like a charm for me. Thank you for looking into this! I did indeed have to remove the old extension, but the new extension installed flawlessly.

[automatedbugreportingfacility]

Looks like AMO goes down sometimes and/or signing process takes longer than 5 minutes, so we might have some versions of pdf.js.xpi not signed.

Indeed. Updated to 1.3.124 through about:addons and it's unsigned again. Is there any way to resolve this problem except for waiting for another commit?

[yurydelendik]

Not sure, we probably shall not publish the extension in this case.

It's also weird error not listed at http://olympia.readthedocs.org/en/latest/topics/api/signing.html

[pal1000]

I noticed the extension is no longer signed for a very long time already. I think the last signed build was 1.4.10 or 1.4.13 don't remember exactly. Since then signing died completely. I think this is around 3 weeks or even more.

[timvandermeij]

@pal1000 Thank you for reporting this. I created #6970 to track the issue.