Add-ons/InternalSigning

From MozillaWiki
Jump to: navigation, search

The document on Add-ons in Firefox 57 outlines a series of extensions called "Signed by Mozilla internally".

These are add-ons that are signed using a internal signing infrastructure to Mozilla. The signing infrastructure is not available to anyone other than Mozilla employees. Remaining documentation on how to sign add-ons and who to ask for permission are covered on Mana (page to be built).

Internal docs

See: https://mana.mozilla.org/wiki/display/FIREFOX/Internal+Extension+Signing and https://mana.mozilla.org/wiki/display/SVCOPS/Sign+a+Mozilla+Internal+Extension

What's this for

The primary use case for system add-ons. These are add-ons that aren't really add-ons, they are part of the Firefox infrastructure for delivering features to user without having to land in Firefox and ride the trains. These have been signed internally using a special key since they were created.

This is also used for Firefox features or experiments that want to distinguish themselves from other add-ons in some way. It's planning on being used by the following programs within Mozilla: Test Pilot, Dev Tools, Release Engineering and Shield Studies.

This can also be used to grant a WebExtension access to APIs that we can't (or just aren't yet ready to) expose to all WebExtensions. To use this capability, a WebExtension API is placed behind the "mozillaAddons" permission. A WebExtension that declares this permission in its manifest will only be granted that permission if it is signed using the process outlined in this document.

Can I get access to this?

Don't be upset, but the default answer is no. To pretty much everyone.

We are setting the bar high for this signing. If an add-on is going to be signed this way then it must conform to a few requirements:

  • Have a clear and important value to Mozilla and it's mission.
  • Supported and maintained by a known team within Mozilla.
  • Maintaining and executing a QA plan.
  • Regressions, bugs and issues are the responsiblity of the add-on author.
  • Conform to Mozilla security, privacy and data collection policies.
  • If the add-on is not a WebExtension, or has non-WebExtension parts it must:
    • Use APIs that will not be implemented in WebExtensions or have a roadmap to implementing the WebExtensions APIs.
    • And understanding that regressions, bugs and issues will occur regularly. These are outside of WebExtensions are not the add-ons team responsibility.

If any of those conditions change (for example the project is disbanded) then signing access will be withdrawn.

If you'd like to request this for your add-on, then please contact Amy Tsay, Andreas Bovens, Philipp Kewisch, and Jim Mathies.