
private add-ons used in enterprise environments and signing


Rory

Aug 24, 2015, 3:07:36 PM
to mozilla-addons-...@lists.mozilla.org
Hi,

With the mandatory addon signing from FF 41/42, what is the situation for private add-ons that are used in enterprise environments? Many enterprises don't use ESR so will be affected from Sept 22, or Nov 3 if disabling the signing requirement via preference.

I work with addons for corporate environments that are installed via the registry (https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry). The FAQ (https://wiki.mozilla.org/Addons/Extension_Signing) says "We haven't announced our plan for this case yet. Stay tuned." so I'm keen to find out things like:

1. Is there a way for enterprise addons to not need to be signed or not need to go through the review process? e.g. Chrome extensions get around the Store submission requirements by allowing GPO installation from non-Store URLs, but only on workstations joined to a windows domain.

2. If enterprise addons need to be submitted for review, what controls are in place around non-disclosure of source code? e.g. Who will have access to it and what agreements are in place to ensure this isn't made available to anybody else?

3. If enterprise addons need to be submitted for review, what review requirements does a registry-installed addon need to comply with? The AMO Policy agreement (https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Agreement) section (c)(i) says that Unlisted addons need only comply with the Security criteria, is that correct?

many thanks!

Rory

Jorge Villalobos

Aug 25, 2015, 6:03:16 PM
to mozilla-addons-...@lists.mozilla.org
On 8/24/15 10:45 AM, Rory wrote:
> Hi,
>
> With the mandatory addon signing from FF 41/42, what is the situation for private add-ons that are used in enterprise environments? Many enterprises don't use ESR so will be affected from Sept 22, or Nov 3 if disabling the signing requirement via preference.
>
> I work with addons for corporate environments that are installed via the registry (https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry). The FAQ (https://wiki.mozilla.org/Addons/Extension_Signing) says "We haven't announced our plan for this case yet. Stay tuned." so I'm keen to find out things like:
>
> 1. Is there a way for enterprise addons to not need to be signed or not need to go through the review process? e.g. Chrome extensions get around the Store submission requirements by allowing GPO installation from non-Store URLs, but only on workstations joined to a windows domain.

Like it's mentioned in the wiki page, ESR will probably continue to
support the preference to disable signature enforcement. Enterprises
that use the regular release version of Firefox will have to have their
extensions reviewed and signed or use one of the alternatives (Dev Edition,
Nightly, or unbranded builds).

I'm not familiar with the GPO solution, but if it were implemented it
would probably be exclusive to ESR.

> 2. If enterprise addons need to be submitted for review, what controls are in place around non-disclosure of source code? e.g. Who will have access to it and what agreements are in place to ensure this isn't made available to anybody else?

Assuming the add-on is submitted with obfuscated or compiled code (very
likely if you want to protect your code), this policy applies:
https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#Binary_Components_Obfuscated_Code.
Essentially, only a small group within Mozilla will have access to the
sources (which we will request) and it will not be shared outside of
that group. For unlisted submissions, there are some exceptional cases
where we can allow add-ons to be reviewed without sources.

> 3. If enterprise addons need to be submitted for review, what review requirements does a registry-installed addon need to comply with? The AMO Policy agreement (https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Agreement) section (c)(i) says that Unlisted addons need only comply with the Security criteria, is that correct?

When you submit an unlisted add-on (that is, an add-on that won't be
listed on addons.mozilla.org), you should see an option to request
side-loading. This is necessary for the add-on to be allowed to install
via the registry. Selecting this option means the review is not
automatic (it takes a couple of days), but it's still aimed at verifying
that the add-on meets our security standards.

>
> many thanks!
>
> Rory
>

Philipp Kewisch

Aug 25, 2015, 6:39:53 PM
to mozilla-addons-...@lists.mozilla.org
On 8/26/15 12:02 AM, Jorge Villalobos wrote:
>> 1. Is there a way for enterprise addons to not need to be signed or not need to go through the review process? e.g. Chrome extensions get around the Store submission requirements by allowing GPO installation from non-Store URLs, but only on workstations joined to a windows domain.
> Like it's mentioned in the wiki page, ESR will probably continue to
> support the preference to disable signature enforcement. Enterprises
> that use the regular release version of Firefox will have to have their
> extensions reviewed and signed or use one of the alternatives (Dev Edition,
> Nightly, or unbranded builds).

Sorry if I missed the announcement, but is this the definitive solution
for enterprises that has been said to be coming soon all along? Or is
something else planned, like the possibility for enterprises to use
their own signing certificate?

Philipp

Jorge Villalobos

Aug 25, 2015, 6:54:49 PM
to mozilla-addons-...@lists.mozilla.org
There's no definitive solution announced for ESR yet. We're focusing on
getting things working on mainline Firefox first.

Jorge

chuckleb...@gmail.com

Feb 8, 2016, 5:10:51 PM
to mozilla-addons-...@lists.mozilla.org
Has there been any further thought on this? I think many organisations won't be pleased to have to submit internal extensions for signing by Mozilla.

Kev Needham

Feb 8, 2016, 6:02:14 PM
to addons-user...@lists.mozilla.org
Yes. An overview was posted on the ESR mailing list, and the Wiki has
been updated as well. See the timeline and faq. Signing enforcement will
be on by default, but can be disabled in the ESR using the pref that's
currently available.

https://wiki.mozilla.org/Addons/Extension_Signing

kev