Thursday, January 14, 2016

Firefox and Chrome Extensions and Automatic Updates,_Update_and_Compatibility


To digitally sign the Firefox extension, you will need to get some Firefox credentials: JWT issuer, JWT secret.  These can be received after signing up by... Tools->Manage API Keys->Generate New Credentials (JWT issuer, JWT secret)

 To create the .xpi file (extension file), you can do so with the jpm tool.  You should first download NPM, which you can use in Git Bash (needs to be downloaded too).

STEP 1: Then, you can run 'npm install jpm --global' in Git Bash.

STEP 2: After, you may create a package.json file using 'jpm init'.  After this is created, you should add additional fields beyond title, name, etc.  I added an id (@my_izu_extension), homepage, icon and main (picked a random js file in my content folder).

ERROR 1: I had an error with "Using existing install.rdf", since I had manually created this.  I just moved this into a backup folder after copying its contents to the package.json file, in the appropriate format.

ERROR 2: I had an Invalid addon ID.  You can use a GUID or any string with '@'.  I chose the later and used the ID '@my_izu_extension'.

STEP 3: Run 'jpm sign --api-key ${JWTissuer} --api-secret ${JWT secret}'.

Note: Here replace the ${xxx} with the credentials from the Firefox site (


STEP 1: Firefox Updates over http.  Download McCoy from  Keys->Create New Key.  Right Click New Key->Copy Public Key.

STEP 2: This goes into the Firefox install.rdf file as updateKey. (put this in package JSON as updateKey, right along with id, title, name, etc).

Note: If using an install.rdf file, this can be done automatically with Extension->Add Key to Install Manifest and finding install.rdf file.


To create an FirefoxUpdates.rdf file by copying it from here:,_Update_and_Compatibility

Delete the first <RDF:li> tag since you will use the second one which since the updateLink will be over http.  Change the id to match yours (mine was '@my_izu_extension').

Add an updateLink and updateInfoURL (these will need to be hosted somewhere).

You can generate the updateHash with openssl as follows 'openssl dgst -sha256 @my_izu_extension.xpi > updateHash.txt'


This will run openssl and create a hash in the file updateHash.txt.  Something like this...

SHA256(my_izu_extension.xpi)= 2aefcd04c56f060bcfc53acfe96a87af120ed05933ab7969c91642847aa445df

Copy the hash and add it to the updateHash field but add the prefix 'sha256:'.  Something like this...


STEP 5: Then, add the updateHash into the FirefoxUpdates.rdf file by Update->Sign Update Manifest.

STEP 6: Upload the new @my_izu_extension.xpi file and FirefoxUpdates.rdf file appropriately.

RECAP.  Here's my setup.  I have a package.json with a my updateURL (pointing to where I will store the FirefoxUpdates.rdf file) and updateKey (generated by McCoy).  After adding these, I use jpm to create the @my_izu_extension.xpi file.

I create/modify the update.rdf file to include updateLink (pointing to where I will store the .xpi file).  I create a hash of the @my_izu_extension.xpi file (using openssl), then modify the updateHash field in FirefoxUpdates.rdf.  Finally, I digitally sign the FirefoxUpdates.rdf file using McCoy which adds the digital signature.

Last, I upload both the @my_izu_extension.xpi file and the FirefoxUpdates.rdf file to their appropriate locations.  I host them both in the same folder, both hosted by a Tomcat Server.


STEP 1: Modify the manifest.json file to add an update_url field right along side the name, description, etc.

STEP 2: Create an update.xml file like the one shown here:

I get the app id by using the chrome://extensions page, with Developer mode checked and use 'Load unpacked extension' which loads the extension and gives me the ID (aka appID).

STEP 3: Upload the update.xml file to where the update_url points.

No comments:

Post a Comment