Anyway, I will keep the promise I made to the updoot faggot in that one /g/ thread and post a guide on how to deal with this issue on branded (not ESR) Firefox. For ESR xpinstall.signatures.required being set to false should be enough.
Disabling add-on signing requirement in branded firefox:
I've tested this on FireFox 96, even though I don't really use this one very much, but beware this one can leak through the proxy settings (if proxy is set to localhost) and will need some extra about:config options, look into that and the bug reports related to that.
First you need an archiver capable of unpacking zips, 7-zip is fine. You will also need one capable of packing zips, but mozilla's zips are kind of special and don't support all options, so if you're on a nix, you should use Info-zip's version, on windows get https://www.willus.com/archive/zip64/infozip_binaries_win32.zip or get info-zip's version from sourceforge.
Go to where you installed Firefox, like C:\Program Files\Mozilla Firefox, rename omni.ja in this folder (there's a second one in browser, do not touch that). to omni.ja.original or omni.ja.bak, to keep a backup in case something goes wrong (it might), use that to restore if something breaks.
Unpack this omni.ja.bak in your unpacker to some directory. Inside it we'll have modules\AppConstants.jsm and modules\addons*.jsm, AppConstants are the settings, and addons are the loading and validation code.
In AppConstants.jsm, I've changed from true
MOZ_REQUIRE_SIGNING:
//@line 287 "$SRCDIR/toolkit/modules/AppConstants.jsm"
false,
//@line 291 "$SRCDIR/toolkit/modules/AppConstants.jsm"
to false,
MOZ_ALLOW_ADDON_SIDELOAD: to true
in modules\addons\XPIDatabase.json:
/**
* Returns true if signing is required for the given add-on type.
*
* @param {string} aType
* The add-on type to check.
* @returns {boolean}
*/
mustSign(aType) {
return false;
I just place a return false before the rest of the code, disabling all signing checks. For obvious reasons you should disable addon autoupdate and audit the code yourself if you disable signing, I'm not responsible for your shit getting compromised. There probably is a way to update the add-on CA, but I haven't looked into it yet.
Once done, you have to repack this unpacked archive, you can unpack the zip from earliear and put zip.exe into that directory as the unpacked omni.ja and execute:
zip -0DXqr omni.ja * -x "zip.exe"
Running it with the directory like "zip -0DXqr omni.ja <file(s)/dir(s) to pack>" should work, but you need another command to strip the prefix path. Maybe 7-zip could pack it too, but I haven't tried, Firefox's zip implementation is incomplete.
Once done, move the omni.ja from this directory to where you have installed firefox. Run it, it might say it wants to go in safe mode, can run it once, and restart it again.
Go to your addons, some might be disabled, in that case, go to your profile directory C:\Users\youruser\Application Data\Mozilla\Firefox\Profiles\yourrecentprofile.default-release\extensions
and drop the disabled xpis into firefox's addon manager, it should let you install it. I think you could force enable them by changing some file like .\extensions.jsonor extension-settings.json, the latter seems to have a "enabled":true/false setting and likely would fix it, but I didn't try, I don't use this FireFox install that often anyway, so I didn't care to look more into it.
Make sure to enable the extensions you need and that should be it.
After some quick searching I've seen people write similar guides like:
https://ptrcnull.me/posts/firefox-stable-unsigned-addons/ with omni.ja mods
https://stackoverflow.com/questions/32038251/how-to-correctly-repack-omni-ja-in-firefox omni.ja repacking settings
https://stackoverflow.com/questions/31952727/how-can-i-disable-signature-checking-for-firefox-add-ons without omni.ja mods, but more complicated setup to override the constants
omni.ja seems signed in this firefox, but the signing doesn't seem to be enforced. if they ever start enforcing, you'd probably also have to patch xul.dll for it, I could provide that as well, but really, this is more work than I'd do for a copy of firefox I rarely use, but it had to be done, so it's done now.
Do not bother reading past this unless you care about patching this on FF 115 or failed to patch it, or care about Mozilla signing internals (detailed in a rentry at the end)
One anon was using Firefox 115.3 and having trouble with this guide. I only had a slightly newer version of 115 ESR installed, so it's slightly hard to test, but here's the modifications anyway:
Unpack the same omni.ja in the same directory where firefox.exe/xul.dll or your binaries are.
Look at the file: modules\AppConstants.sys.mjs
You'll see various useful constants like IS_ESR, MOZILLA_OFFICIAL, MOZ_OFFICIAL_BRANDING, MOZ_CRASHREPORTER, MOZ_REQUIRE_SIGNING.
Turn what you want on/off (true/false), but in particular MOZ_REQUIRE_SIGNING should be set to false.
In modules\addons\ you'll find all the addon code, and there are many places you could patch if you wanted, but the earlier patch should work:
In modules\addons\XPIDatabase.jsm find:
and modify it so that the first line of the function is a return false:
That's mostly it? Pack up your omni.ja as explained above, run firefox, go to about:config and set xpinstall.signatures.required to false, and try dropping your xpi in the add-on manage and installing it, it will warn, but should work.
Of course there's many places that can be patched besides this, but you don't need to:
For example, look at cross-references to mustSign
Obviously this could be patched if you wanted, in fact you could also patch isDisabledLegacy if you wanted to use APIs mozilla doesn't want you to use or whatever else for developmental purposes.
If you're doing that, you wouldn't need me to hand-hold you through this.
In my tests, I took ubo's xpi and corrupted the signature with a hex editor and that installed fine in this firefox with just the mustSign patch.
You may have to reinstall pre-existing addons if they still stay disabled, note that isUsableAddon up there decides if it's disabled or not, if you really wanted you could make it return true, but there may be cases where it should return false - there's ways it can fail that have nothing to do with signing.
Also to that FF 115.3 anon - that FF had a certain (RCE) vulnerability and the ESR for it is just a minor update, you'd probably be quite fine updating - the version I have has the updated certificate already.
In XPIInstall.jsm you can also see near the end of:
async loadManifest(file) {
these lines:
This is likely what sets the state to corrupted, but if mustSign is patched, this should not happen
I've decided to spend some time studying and figuring out exactly how the add-on signing cert works and how it could be replaced, but due to complexity and probably low demand I will not be making a tool for this, you can read my hour of wasted time figuring out these details at:
https://rentry.org/mozillacertautism