===============
= ptrcnull.me =
===============
writeups and other stuff

Installing unsigned addons in Firefox stable

When developing a private addon, you don’t always want to use Mozilla services - it’s your browser, why should they care about your addons? Unfortunately, when looking at the documentation and forum posts, it doesn’t seem like you can install them on the stable version of Firefox… or can you?

Pop-up in Firefox - This addon could not be installed because it has not been verified

(before you proceed, make sure your addon has the browser_specific_settings section; otherwise, it’s gonna show as corrupted to Firefox)

To achieve this, we’re gonna need a text editor and write access to your browser files (usually root/Administrator). These instructions are gonna target Linux with Firefox installed from your system package manager (so excluding Flatpak or Snap), but it should be possible to do this anywhere, as long as you can edit these files.

Firstly, locate the omni.ja file in the browser files (usually /usr/lib/firefox). There’s two of them, one in the browser/ subdirectory - we’re gonna focus on the other one.

There are three things we need to patch:

--- a/modules/AppConstants.jsm
+++ b/modules/AppConstants.jsm
@@ -203,3 +203,3 @@
   MOZ_REQUIRE_SIGNING:
 //@line 290 "$SRCDIR/toolkit/modules/AppConstants.jsm"
-  true,
+  0000,
--- a/modules/addons/XPIDatabase.jsm
+++ b/modules/addons/XPIDatabase.jsm
@@ -2366,7 +2366,7 @@
     if (this.mustSign(aAddon.type) && !aAddon.isCorrectlySigned) {
       logger.warn(`Add-on ${aAddon.id} is not correctly signed.`);
       if (Services.prefs.getBoolPref(PREF_XPI_SIGNATURES_DEV_ROOT, false)) {
         logger.warn(`Preference ${PREF_XPI_SIGNATURES_DEV_ROOT} is set.`);
       }
-      return false;
+    //return false;
     }
--- a/modules/addons/XPIInstall.jsm
+++ b/modules/addons/XPIInstall.jsm
@@ -1609,4 +1609,4 @@
-      if (lazy.XPIDatabase.mustSign(this.addon.type)) {
+      if (false /*Database.mustSign(this.addon.typ*/) {
         if (this.addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) {
           // This add-on isn't properly signed by a signature that chains to the
           // trusted root.

As the omni.ja file is just a zip file, you can unpack it:

$ mkdir omni && cd omni
$ unzip ../omni.ja
Archive:  ../omni.ja
warning [../omni.ja]:  29257828 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [../omni.ja]:  reported length of central directory is
  -29257828 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
 extracting: greprefs.js
 extracting: chrome.manifest
 extracting: chrome/chrome.manifest
...

It seems to complain about some stuff, but that doesn’t seem to be too much of an issue.
After editing, just repack:

$ zip -r -0 -FS omni.ja *
  adding: actors/ (stored 0%)
  adding: actors/WebChannelParent.jsm (stored 0%)
  adding: actors/WebChannelChild.jsm (stored 0%)
  adding: actors/ViewSourcePageParent.jsm (stored 0%)
...

and replace the original file with the modified one.

With all that done, restart Firefox, go to about:addons and load your addon. Depite the big red warning, the extension should now be loaded and usable.

Snippet of Firefox addons page, with addon named demo addon and warning that it has not been verified for use in Firefox