I'm developing a site-specific Firefox extension. The official hosting/updating mechanism at addons.mozilla.org forces my users to log in to download my plugin (until it gets approved for public status), which isn't good for me, especially as my plugin is unlikely to be deemed useful to the web at large and will be stuck in the sandbox forever.

It seems like I'm forced to use McCoy (a GUI-only program) to sign some of my artifacts and openssl to create a hash which I manually insert into update.rdf before signing it. I really want to have some tools I can stick in my automated build process that don't require manual steps from me each time. Is there an open source tool that mimics the behavior of addons.mozilla.org that I can use for self-hosting? Or a set of command line tools (that work on OS X) I can call from my build before I deploy?

Happy to have any experiences you have had in this process... How do you do it now? What have you tried? What worked, what didn't?

+1  A: 

You can follow the directions here on how to sign an XPI file. You can easily bundle the steps up into a script that will run as part of your build.

dj2
That requires a fairly expensive cert, doesn't it? Not great for experimentation and hobbyists, but certainly an option.
danb
Additionally, I am looking for an answer on OS X. This is a great step by step for Windows development... probably some tweaks would make it good for other OSs.
danb
dj2
Sorry about the formatting mess... You can also self-sign a cert. I'm not sure how that interacts with Firefox, whether you need to import the root CA or whether it just asks the user if they want to accept the cert from an unknown CA.
dj2
+1  A: 

Just biting the bullet and using an SSL cert is what I ended up doing... If your update.rdf is on a secure server, the update process and descriptors seem to work very easily... and I don't have to do anything super fancy to my build process.

You still need the hash:

openssl sha1 plugin.xpi

The resulting hash needs to end up in upgrade.rdf:

<em:updateHash>sha1:b100d1207b38bbbea1add4eb96947ee4ea4b7a3e</em:updateHash>

But there's no longer any need to deal with McCoy and all the signing stuff.

danb
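
The hash step from the answer above, scripted so a build can run it without manual editing. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes update.rdf already contains exactly one em:updateHash element on a single line.

```shell
#!/bin/sh
# Added example: stamp the XPI's SHA-1 into update.rdf, then verify it.

# Print the lowercase hex SHA-1 of a file. Reading from stdin keeps the file
# name out of the tool's output, so the digest is easy to pick out.
xpi_sha1() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 < "$1" | awk '{print $NF}'
    else
        # Fallback (assumption: sha1sum or shasum is installed instead).
        { sha1sum < "$1" || shasum < "$1"; } 2>/dev/null | awk '{print $1}'
    fi
}

# Rewrite the single <em:updateHash> element so it matches the XPI.
# Returns non-zero rather than leaving a missing or stale hash in place.
stamp_update_hash() {
    rdf=$1
    xpi=$2
    hash=$(xpi_sha1 "$xpi") || return 1
    # A SHA-1 digest is exactly 40 hex characters; anything else is a failure.
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{40}$' || return 1
    # Require exactly one element so the script never guesses which to edit.
    [ "$(grep -c '<em:updateHash>' "$rdf")" -eq 1 ] || return 1
    tmp=$(mktemp "${rdf}.XXXXXX") || return 1
    # No `sed -i`: its syntax differs between BSD (OS X) and GNU sed.
    # `cat` back into place keeps the manifest's existing file mode.
    sed "s|<em:updateHash>[^<]*</em:updateHash>|<em:updateHash>sha1:${hash}</em:updateHash>|" \
        "$rdf" > "$tmp" && cat "$tmp" > "$rdf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Pre-deploy check: the hash recorded in update.rdf matches the XPI on disk.
verify_update_hash() {
    recorded=$(sed -n 's|.*<em:updateHash>sha1:\([0-9a-f]*\)</em:updateHash>.*|\1|p' "$1")
    [ -n "$recorded" ] && [ "$recorded" = "$(xpi_sha1 "$2")" ]
}
```

In a build, call `stamp_update_hash update.rdf plugin.xpi` after packaging and `verify_update_hash update.rdf plugin.xpi` immediately before upload, failing the deploy if either returns non-zero.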