A few notes to anons interested in what that CA is, I will just log myself trying to figure it out:

A few notes to anons interested in what that CA is, I will just log myself trying to figure it out:
In XPIInstall.jsm, we can see:

⎗
✓
async verifySignedState(addonId, addonType, addonLocation) {
  if (!shouldVerifySignedState(addonType, addonLocation)) {
    return {
      signedState: AddonManager.SIGNEDSTATE_NOT_REQUIRED,
      cert: null,
    };
  }

  let root = Ci.nsIX509CertDB.AddonsPublicRoot;
  if (
    !AppConstants.MOZ_REQUIRE_SIGNING &&
    Services.prefs.getBoolPref(PREF_XPI_SIGNATURES_DEV_ROOT, false)
  ) {
    root = Ci.nsIX509CertDB.AddonsStageRoot;
  }

  return this.verifySignedStateForRoot(addonId, root);

Ci.nsIX509CertDB.AddonsPublicRoot might be the public root in question. This root is baked inside xul.dll, but the binary could either be patched or the references inside omni.ja could be patched to use the new one.
Given how some people seem to have trouble with just this and how this could be firefox binary build specific, I don't really feel like going into that, but you'd basicall be running the old firefox, checking the x509 root cert, searching the bytes with a hex editor for the old one, and then the new one (have to run both), then patching it. In the event the length is different, you may have to find a place for a new copy of it, or add a new section to the executable, then insert the code thre and replace the references.
I could do this for a specific binary, but I don't want to hold people's hands for that, just disable addon signing entirely since it's far more convenient anyway.

Also you can debug this, for example, in Firefox's Browser console, you can see:
addons.xpi-utils WARN Add-on uBlock0@raymondhill.net is not correctly signed.
addons.xpi WARN Invalid XPI: signature verification failed
Once I corrupted the signature to test it, it still installed fine!
Setting about:config devtools.chrome.enabled to true, enables evaluating in the browser console, following by reopening it (Ctrl+Shift+J)
Ci.nsIX509CertDB.AddonsPublicRoot has the value 7 here, so it must be an index into some internal certs?

Let's see what the actual class looks like:
let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService()

XPCWrappedNative_NoHelper { openSignedAppFileAsync: openSignedAppFileAsync(), getCerts: getCerts(), QueryInterface: QueryInterface(), findCertByDBKey: findCertByDBKey(), importCertificates: importCertificates(), importEmailCertificate: importEmailCertificate(), importUserCertificate: importUserCertificate(), deleteCertificate: deleteCertificate(), setCertTrust: setCertTrust(), setCertTrustFromString: setCertTrustFromString(), ... }

certDB.QueryInterface(Ci["nsIX509CertDB"])

Now how about those certs?

certDB.QueryInterface(Ci["nsIX509CertDB"]).getCerts()
gives an array of 198 certs. Are these actually managed by NSS' code? So much for supposedly being unreplaceable, because those can be changed, so our index was 7 ( Ci.nsIX509CertDB.AddonsPublicRoot )
so let's try
let somecert = certDB.QueryInterface(Ci["nsIX509CertDB"]).getCerts()[Ci.nsIX509CertDB.AddonsPublicRoot]
Which turned out to be a regular cert, so it's certainly not the right one, so it's time to see what the actual code does:
The actual code calls on the certDB openSignedAppFileAsync to validate the signatures.
Let's see what the C++ code does:
https://searchfox.org/mozilla-central/source/security/manager/ssl/AppSignatureVerification.cpp around line 1263
(other related files https://searchfox.org/mozilla-central/source/security/manager/ssl/nsNSSCertificateDB.h https://searchfox.org/mozilla-central/source/security/manager/ssl/nsIX509CertDB.idl )
There's 2 calls to VerifyPK7Signature and VerifyCoseSignature

On line 1212 we see:

⎗
✓
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedSHA1Digest,
                       sfCalculatedSHA256Digest, digestToUse, aSignerCert);

defined in https://searchfox.org/mozilla-central/source/security/manager/ssl/AppSignatureVerification.cpp#750
which calls VerifyCertificate, which loads the certs from https://searchfox.org/mozilla-central/source/security/manager/ssl/AppTrustDomain.cpp#54

⎗
✓
nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
  if (!mTrustedRoots.IsEmpty()) {
    return NS_ERROR_ALREADY_INITIALIZED;
  }
  switch (trustedRoot) {
    case nsIX509CertDB::AppXPCShellRoot:
      mTrustedRoots.AppendElements(xpcshellRoots, std::size(xpcshellRoots));
      break;

    case nsIX509CertDB::AddonsPublicRoot:
      mTrustedRoots.AppendElements(addonsPublicRoots,
                                   std::size(addonsPublicRoots));
      break;

    case nsIX509CertDB::AddonsStageRoot:
      mTrustedRoots.AppendElements(addonsStageRoots,
                                   std::size(addonsStageRoots));
      break;

    case nsIContentSignatureVerifier::ContentSignatureLocalRoot:
      mTrustedRoots.AppendElements(contentSignatureLocalRoots,
                                   std::size(contentSignatureLocalRoots));
      break;

    case nsIContentSignatureVerifier::ContentSignatureProdRoot:
      mTrustedRoots.AppendElements(contentSignatureProdRoots,
                                   std::size(contentSignatureProdRoots));
      break;

    case nsIContentSignatureVerifier::ContentSignatureStageRoot:
      mTrustedRoots.AppendElements(contentSignatureStageRoots,
                                   std::size(contentSignatureStageRoots));
      break;

    case nsIContentSignatureVerifier::ContentSignatureDevRoot:
      mTrustedRoots.AppendElements(contentSignatureDevRoots,
                                   std::size(contentSignatureDevRoots));

let's see what addonsPublicRoots actually is?

⎗

1	https://searchfox.org/mozilla-central/source/__GENERATED__/security/manager/ssl/addons-public.inc#153

we have a DER blob here:

⎗
✓
const uint8_t addonsPublicRoots0[] = {
    0x30, 0x82, 0x06, 0x65, 0x30, 0x82, 0x04, 0x4d, 0xa0, 0x03, 0x02,
    0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
    0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00, 0x30, 0x7d,
    0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
    0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x0a,
    0x13, 0x13, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x20, 0x43,
    0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
    0x2f, 0x30, 0x2d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x26, 0x4d,
    0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x20, 0x41, 0x4d, 0x4f, 0x20,
    0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
    0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x53, 0x65, 0x72,
    0x76, 0x69, 0x63, 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55,
    0x04, 0x03, 0x13, 0x16, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x63, 0x61,
    0x2d, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e,
    0x2d, 0x61, 0x6d, 0x6f, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x32,
    0x34, 0x30, 0x32, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
    0x5a, 0x18, 0x0f, 0x32, 0x32, 0x30, 0x30, 0x31, 0x32, 0x30, 0x33,
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x7d, 0x31, 0x0b,
    0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
    0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x13,
    0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x20, 0x43, 0x6f, 0x72,
    0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2f, 0x30,
    0x2d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x26, 0x4d, 0x6f, 0x7a,
    0x69, 0x6c, 0x6c, 0x61, 0x20, 0x41, 0x4d, 0x4f, 0x20, 0x50, 0x72,
    0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x69,
    0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69,
    0x63, 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x13, 0x16, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x63, 0x61, 0x2d, 0x70,
    0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x61,
    0x6d, 0x6f, 0x30, 0x82, 0x02, 0x20, 0x30, 0x0d, 0x06, 0x09, 0x2a,
    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
    0x82, 0x02, 0x0d, 0x00, 0x30, 0x82, 0x02, 0x08, 0x02, 0x82, 0x02,
    0x01, 0x00, 0xb4, 0xbb, 0x61, 0xd7, 0x5d, 0xba, 0xf0, 0xcb, 0x7e,
    0xbe, 0x30, 0xf7, 0x8a, 0x7f, 0x98, 0xe0, 0xa0, 0x04, 0x8c, 0x7c,
    0xc3, 0x73, 0xee, 0x62, 0x56, 0x05, 0xe7, 0x09, 0x82, 0xf9, 0x53,
    0x7f, 0x88, 0x47, 0x25, 0xb2, 0xf3, 0x30, 0xfb, 0x08, 0x51, 0xab,
    0xb3, 0x23, 0xd1, 0x84, 0xa4, 0xb7, 0xc7, 0x75, 0x9e, 0xb0, 0xcd,
    0x2c, 0x85, 0x39, 0xbe, 0x00, 0x33, 0xe0, 0xf5, 0x9b, 0x10, 0x16,
    0x86, 0xe6, 0x49, 0xdc, 0xc0, 0xc0, 0x24, 0xe7, 0xf7, 0x07, 0x54,
    0x6c, 0xe9, 0x0a, 0x2b, 0x1e, 0xb9, 0x7c, 0xaa, 0xa9, 0x4d, 0xb4,
    0xf1, 0xaa, 0x7a, 0x99, 0xe9, 0x34, 0x97, 0x0b, 0xa3, 0xb2, 0x6c,
    0x4a, 0xaa, 0x84, 0xdc, 0xd5, 0x26, 0xef, 0x63, 0x20, 0xa8, 0x81,
    0xd1, 0x81, 0x34, 0x6c, 0xa9, 0x4b, 0x3e, 0xec, 0xb2, 0x0f, 0x19,
    0xee, 0xf6, 0xeb, 0x65, 0x3e, 0x37, 0xf4, 0xf4, 0x2c, 0xf6, 0x15,
    0x2d, 0xee, 0x2b, 0x67, 0x64, 0x43, 0x1e, 0x86, 0x99, 0x85, 0x86,
    0x3b, 0x6b, 0xdf, 0xb8, 0xf6, 0x61, 0xce, 0x23, 0xf8, 0x36, 0x60,
    0x50, 0x7e, 0xf7, 0x26, 0x63, 0x13, 0xe5, 0xdd, 0xa6, 0x54, 0xf6,
    0x90, 0x18, 0x00, 0xe0, 0xff, 0x1d, 0x6f, 0xb8, 0xbb, 0x23, 0x4b,
    0x48, 0x8b, 0x86, 0xf4, 0x07, 0x43, 0x7a, 0xcb, 0xd3, 0x21, 0x2f,
    0xe0, 0x91, 0x64, 0x9c, 0xb1, 0x74, 0x57, 0xb6, 0xc0, 0x1c, 0xa4,
    0x25, 0x7d, 0x78, 0x2e, 0xc8, 0x5e, 0x2a, 0xc3, 0x35, 0x6b, 0x31,
    0xe3, 0x64, 0xee, 0x7a, 0x48, 0xa3, 0x6b, 0x5b, 0xc5, 0x40, 0x25,
    0x32, 0xe4, 0xa5, 0x1c, 0x42, 0x9a, 0xc8, 0x93, 0xaf, 0x4f, 0x1f,
    0x9c, 0xfc, 0x83, 0x2a, 0x66, 0x9e, 0x67, 0x40, 0x6d, 0xb2, 0xe8,
    0x22, 0x71, 0xd8, 0xa9, 0x71, 0x9a, 0x57, 0xae, 0x22, 0x06, 0x9a,
    0xc6, 0x5b, 0x23, 0x5d, 0xaa, 0xe7, 0x2b, 0xb0, 0x8d, 0x21, 0x0b,
    0x76, 0x40, 0xd5, 0xe9, 0x46, 0xa3, 0xa3, 0x69, 0xfe, 0xdb, 0x0b,
    0x39, 0xb9, 0x7a, 0xcf, 0xdf, 0x8d, 0x97, 0xef, 0x55, 0xa2, 0x5a,
    0x10, 0xbf, 0x74, 0x5e, 0x5d, 0xcf, 0x52, 0xca, 0xb6, 0x30, 0x5d,
    0x99, 0x49, 0x31, 0x69, 0x03, 0x0e, 0x3f, 0xfb, 0xa1, 0xb5, 0x71,
    0x0a, 0x06, 0xb6, 0x68, 0xd6, 0x8b, 0xa7, 0x0d, 0x14, 0x31, 0xd6,
    0x3e, 0xfe, 0x4a, 0x44, 0x38, 0x04, 0x4c, 0x23, 0x07, 0x74, 0x84,
    0xb6, 0xbe, 0xd7, 0x0d, 0x61, 0x8e, 0x70, 0xe2, 0x24, 0xa0, 0x96,
    0x56, 0x3c, 0x00, 0x9f, 0x04, 0xb0, 0xb7, 0x3c, 0x90, 0x81, 0x5a,
    0x34, 0xc0, 0xc8, 0x19, 0x6e, 0x77, 0x40, 0xb9, 0x9f, 0x70, 0xb2,
    0xf6, 0xb7, 0xa0, 0x00, 0x09, 0xce, 0x22, 0xa2, 0x35, 0xb7, 0x5e,
    0x86, 0x53, 0x69, 0x5a, 0x46, 0x1e, 0xde, 0x94, 0x9e, 0xe0, 0x3d,
    0x13, 0x60, 0x42, 0x0c, 0x0b, 0x5d, 0xe6, 0x5c, 0x17, 0x1c, 0x3a,
    0xc2, 0xfc, 0xa2, 0x11, 0xc9, 0x82, 0x8c, 0xe1, 0x10, 0xe8, 0xf3,
    0x3c, 0x51, 0x08, 0xed, 0x84, 0xeb, 0x0a, 0x96, 0xcc, 0xcc, 0x86,
    0x52, 0xb0, 0xbe, 0x3c, 0x8e, 0x18, 0x3a, 0x33, 0xb6, 0x4a, 0x92,
    0x07, 0x2f, 0xef, 0xf8, 0x0b, 0x31, 0xec, 0xe5, 0xb6, 0x43, 0xba,
    0xe5, 0x55, 0xf2, 0x9a, 0xac, 0xbd, 0x26, 0x44, 0x46, 0x5d, 0x48,
    0xc7, 0xe8, 0xcb, 0x7c, 0xd3, 0x82, 0xd3, 0x15, 0x08, 0xcd, 0x2f,
    0x84, 0xd9, 0x7a, 0xcd, 0xcb, 0xdf, 0xe4, 0x73, 0x4d, 0xa2, 0x9a,
    0x04, 0x76, 0x0e, 0x72, 0xb9, 0x7a, 0x36, 0x72, 0x16, 0x75, 0xa7,
    0x52, 0x7e, 0xab, 0xce, 0x9b, 0xd0, 0x6e, 0x72, 0x25, 0x13, 0x1e,
    0x4f, 0x6f, 0xa2, 0x39, 0x56, 0x36, 0x11, 0x0d, 0xfb, 0xb4, 0x7a,
    0xea, 0x51, 0x44, 0x67, 0x70, 0x2c, 0xb8, 0xbb, 0x02, 0x01, 0x03,
    0xa3, 0x81, 0xed, 0x30, 0x81, 0xea, 0x30, 0x0c, 0x06, 0x03, 0x55,
    0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e,
    0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03,
    0x02, 0x01, 0x06, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01,
    0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01,
    0x05, 0x05, 0x07, 0x03, 0x03, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
    0x0e, 0x04, 0x16, 0x04, 0x14, 0xb3, 0xbc, 0xea, 0x58, 0x74, 0xab,
    0xe1, 0x6e, 0x78, 0x2a, 0xb2, 0xab, 0x9c, 0x23, 0x1e, 0xa8, 0x63,
    0x2c, 0x97, 0xb7, 0x30, 0x81, 0x92, 0x06, 0x03, 0x55, 0x1d, 0x23,
    0x04, 0x81, 0x8a, 0x30, 0x81, 0x87, 0xa1, 0x81, 0x81, 0xa4, 0x7f,
    0x30, 0x7d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
    0x13, 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55,
    0x04, 0x0a, 0x13, 0x13, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61,
    0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
    0x6e, 0x31, 0x2f, 0x30, 0x2d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
    0x26, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x20, 0x41, 0x4d,
    0x4f, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f,
    0x6e, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x53,
    0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06,
    0x03, 0x55, 0x04, 0x03, 0x13, 0x16, 0x72, 0x6f, 0x6f, 0x74, 0x2d,
    0x63, 0x61, 0x2d, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69,
    0x6f, 0x6e, 0x2d, 0x61, 0x6d, 0x6f, 0x82, 0x01, 0x01, 0x30, 0x0d,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c,
    0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x00, 0x09, 0xb8, 0xdd,
    0xb7, 0xa8, 0x38, 0xb2, 0x01, 0x9f, 0x32, 0xf4, 0x38, 0x6a, 0x4d,
    0xf2, 0x1f, 0x75, 0x80, 0x57, 0x0b, 0xb8, 0xe0, 0x7f, 0xba, 0x79,
    0x0c, 0xd0, 0xa3, 0xea, 0x67, 0x1f, 0x2f, 0x10, 0x8c, 0x2e, 0xe4,
    0xaf, 0x2e, 0x58, 0xd8, 0x5a, 0x6d, 0x08, 0x7c, 0x76, 0x2c, 0xe5,
    0x6d, 0x25, 0x9d, 0x08, 0x26, 0xf3, 0xe3, 0x74, 0x9b, 0x74, 0x80,
    0x8d, 0x07, 0x75, 0xf0, 0x0c, 0xd6, 0x7d, 0x73, 0x64, 0x94, 0x58,
    0xd9, 0xd4, 0x47, 0x0f, 0xf0, 0xc4, 0x54, 0xfe, 0x47, 0x85, 0x12,
    0x4f, 0x52, 0x99, 0xe1, 0xd9, 0x84, 0xff, 0x75, 0xea, 0x34, 0x1f,
    0xa9, 0x0b, 0xc1, 0xe3, 0x9c, 0x38, 0x43, 0x03, 0xdc, 0x24, 0x6d,
    0x27, 0x3e, 0x45, 0xac, 0x63, 0x37, 0x1e, 0xa8, 0x3d, 0xee, 0x2f,
    0x98, 0x36, 0x83, 0x82, 0x60, 0x82, 0x4f, 0x96, 0x61, 0x69, 0xad,
    0x13, 0x87, 0x9e, 0x33, 0x60, 0x57, 0xe9, 0xc4, 0xf4, 0x8a, 0xd3,
    0x04, 0xad, 0x82, 0x96, 0x7a, 0x2d, 0xd2, 0x17, 0x4f, 0x53, 0x76,
    0xb0, 0x97, 0xf9, 0x7a, 0x47, 0x32, 0x2c, 0x60, 0xe2, 0x79, 0xc3,
    0x76, 0xc1, 0x9e, 0xf7, 0x0c, 0x5c, 0xf0, 0x5f, 0xe8, 0x76, 0x24,
    0x38, 0xf1, 0xff, 0xfb, 0x01, 0x9a, 0x34, 0xea, 0x6a, 0x0c, 0xc9,
    0x9b, 0xc8, 0x1f, 0x83, 0xcf, 0x71, 0x5b, 0x74, 0xa2, 0xc0, 0x14,
    0xd7, 0xc7, 0xcb, 0x3b, 0x44, 0x6b, 0x54, 0x99, 0x2e, 0xa4, 0xca,
    0xda, 0xc5, 0xb3, 0x35, 0x5d, 0x72, 0xf5, 0x53, 0x02, 0x65, 0xc9,
    0x5f, 0xa9, 0x92, 0xf2, 0x6e, 0xb5, 0x7d, 0xb1, 0x04, 0x1d, 0x5f,
    0xd4, 0x10, 0x37, 0xc4, 0xf9, 0x77, 0x36, 0x54, 0x27, 0x79, 0xa2,
    0xc8, 0x9b, 0x72, 0x45, 0xb3, 0x0d, 0x2b, 0xee, 0xdd, 0x33, 0xd2,
    0x7d, 0x6c, 0x84, 0x2e, 0xb1, 0x0a, 0x2e, 0x3e, 0xb7, 0x71, 0x61,
    0xe9, 0x9d, 0xfc, 0x0a, 0x76, 0xd2, 0x5b, 0x00, 0x1e, 0xe6, 0xb0,
    0x36, 0x38, 0x24, 0x18, 0x32, 0x3b, 0x1e, 0x87, 0x14, 0x4a, 0xf4,
    0x18, 0x66, 0x0c, 0x21, 0xbc, 0x53, 0xae, 0x46, 0x55, 0xdf, 0x6d,
    0xf2, 0x75, 0x78, 0x88, 0x42, 0x45, 0x4e, 0xb8, 0xe7, 0xb4, 0x10,
    0xc4, 0x16, 0xd5, 0x43, 0xe6, 0xce, 0x10, 0x9e, 0x5c, 0xaf, 0x39,
    0x4a, 0xd6, 0x77, 0x67, 0x6e, 0xe1, 0xd2, 0xc2, 0xb3, 0xe5, 0x96,
    0xd8, 0x4e, 0xbe, 0x47, 0xb8, 0xd9, 0xb6, 0xbb, 0x08, 0xa8, 0x50,
    0xfa, 0xab, 0x00, 0x8b, 0xa9, 0xc8, 0x01, 0x80, 0x2f, 0x42, 0x33,
    0xd5, 0x20, 0x1d, 0xe5, 0x01, 0x3a, 0x2c, 0x66, 0x64, 0xb0, 0x4a,
    0x08, 0xd0, 0xc4, 0x37, 0x5b, 0x11, 0x92, 0x67, 0x15, 0xc1, 0x77,
    0x02, 0x97, 0x96, 0xed, 0x76, 0x05, 0x55, 0xab, 0xbe, 0x0c, 0x82,
    0xc7, 0x77, 0xf3, 0x1b, 0x26, 0x62, 0xe1, 0x68, 0x32, 0x2e, 0xa7,
    0x6c, 0x32, 0xe5, 0x96, 0x6e, 0x93, 0xda, 0xa9, 0x7c, 0x2d, 0x91,
    0x31, 0xc9, 0x7d, 0xa2, 0xfe, 0xfa, 0x34, 0xa7, 0x18, 0x44, 0x55,
    0x16, 0x85, 0xc2, 0x3d, 0x49, 0xd6, 0xbd, 0xd3, 0x44, 0xd5, 0xe4,
    0xb2, 0x37, 0x6a, 0x15, 0xc8, 0x29, 0x34, 0x23, 0x1f, 0xd8, 0x54,
    0x5b, 0x8c, 0x31, 0xad, 0x54, 0xb5, 0xd1, 0x54, 0x6d, 0x03, 0x08,
    0x21, 0x91, 0x6b, 0x28, 0xa0, 0x2a, 0x07, 0x47, 0xef, 0xca, 0x8c,
    0x1e, 0x97, 0x57, 0xad, 0xb6, 0x93, 0x0c, 0x5b, 0x1f, 0x30, 0xb4,
    0xc0, 0x32, 0x71, 0x85, 0x9e, 0xa3, 0x99, 0x32, 0xe3, 0x28, 0x6c,
    0xd2, 0x52, 0xe4, 0xce, 0xbf, 0xbe, 0xa7, 0x5e, 0xa6, 0x80, 0xbc,
    0x2f, 0xbc, 0x66, 0x23, 0x97, 0x50, 0x81, 0x6f, 0x18, 0x1b, 0x2c,
    0xa6, 0xaf, 0xc0, 0xcf, 0x81, 0xc8, 0x4c, 0xa1, 0xfd, 0x2d, 0xca,
    0x58, 0x27
};
const mozilla::Span<const uint8_t> addonsPublicRoots[] = { mozilla::Span(addonsPublicRoots0, sizeof(addonsPublicRoots0)) };

Let's see where this ends up in the binary? It should be in xul.dll, and I've confirmed it's the only copy of it:

Inside the binary we see (addresses are Virtual Addresses, not raw file offsets):

⎗
✓
.00000001`85D36BA0:  30 82 06 65-30 82 04 4D-A0 03 02 01-02 02 01 01  0é`e0éfMáe;:;;::
.00000001`85D36BB0:  30 0D 06 09-2A 86 48 86-F7 0D 01 01-0C 05 00 30  0j`Ë*åHåHj::@c 0
.00000001`85D36BC0:  7D 31 0B 30-09 06 03 55-04 06 13 02-55 53 31 1C  }1B0Ë`eUf`<;US1�
.00000001`85D36BD0:  30 1A 06 03-55 04 0A 13-13 4D 6F 7A-69 6C 6C 61  0’`eUfÙ<<Mozilla
.00000001`85D36BE0:  20 43 6F 72-70 6F 72 61-74 69 6F 6E-31 2F 30 2D   Corporation1/0-
.00000001`85D36BF0:  06 03 55 04-0B 13 26 4D-6F 7A 69 6C-6C 61 20 41  `eUfB<&Mozilla A
.00000001`85D36C00:  4D 4F 20 50-72 6F 64 75-63 74 69 6F-6E 20 53 69  MO Production Si
.00000001`85D36C10:  67 6E 69 6E-67 20 53 65-72 76 69 63-65 31 1F 30  gning Service1¼0
.00000001`85D36C20:  1D 06 03 55-04 03 13 16-72 6F 6F 74-2D 63 61 2D  ”`eUfe<¬root-ca-
.00000001`85D36C30:  70 72 6F 64-75 63 74 69-6F 6E 2D 61-6D 6F 30 22  production-amo0"
.00000001`85D36C40:  18 0F 32 30-32 34 30 32-30 31 30 30-30 30 30 30  ‘<20240201000000
.00000001`85D36C50:  5A 18 0F 32-32 30 30 31-32 30 33 30-30 30 30 30  Z‘<2200120300000
.00000001`85D36C60:  30 5A 30 7D-31 0B 30 09-06 03 55 04-06 13 02 55  0Z0}1B0Ë`eUf`<;U
.00000001`85D36C70:  53 31 1C 30-1A 06 03 55-04 0A 13 13-4D 6F 7A 69  S1�0’`eUfÙ<<Mozi
.00000001`85D36C80:  6C 6C 61 20-43 6F 72 70-6F 72 61 74-69 6F 6E 31  lla Corporation1
.00000001`85D36C90:  2F 30 2D 06-03 55 04 0B-13 26 4D 6F-7A 69 6C 6C  /0-`eUfB<&Mozill
.00000001`85D36CA0:  61 20 41 4D-4F 20 50 72-6F 64 75 63-74 69 6F 6E  a AMO Production
.00000001`85D36CB0:  20 53 69 67-6E 69 6E 67-20 53 65 72-76 69 63 65   Signing Service
.00000001`85D36CC0:  31 1F 30 1D-06 03 55 04-03 13 16 72-6F 6F 74 2D  1¼0”`eUfe<¬root-
.00000001`85D36CD0:  63 61 2D 70-72 6F 64 75-63 74 69 6F-6E 2D 61 6D  ca-production-am
.00000001`85D36CE0:  6F 30 82 02-20 30 0D 06-09 2A 86 48-86 F7 0D 01  o0é; 0j`Ë*åHåHj:
.00000001`85D36CF0:  01 01 05 00-03 82 02 0D-00 30 82 02-08 02 82 02  ::c eé;j 0é;Ø;é;
.00000001`85D36D00:  01 00 B4 BB-61 D7 5D BA-F0 CB 7E BE-30 F7 8A 7F  : $Wak]Qaf~[0Hè
.00000001`85D36D10:  98 E0 A0 04-8C 7C C3 73-EE 62 56 05-E7 09 82 F9  ÿ±áfî|�sµbVcÄËé�
.00000001`85D36D20:  53 7F 88 47-25 B2 F3 30-FB 08 51 AB-B3 23 D1 84  SêG%“d0�ØQ½#dä
.00000001`85D36D30:  A4 B7 C7 75-9E B0 CD 2C-85 39 BE 00-33 E0 F5 9B  ñV_u§‘P,à9[ 3±!¢
.00000001`85D36D40:  10 16 86 E6-49 DC C0 C0-24 E7 F7 07-54 6C E9 0A  º¬åµI„��$ÄH"Tl˜Ù
.00000001`85D36D50:  2B 1E B9 7C-AA A9 4D B4-F1 AA 7A 99-E9 34 97 0B  +²c|¬�M$±¬zÖ˜4ùB
.00000001`85D36D60:  A3 B2 6C 4A-AA 84 DC D5-26 EF 63 20-A8 81 D1 81  ú“lJ¬ä„R&)c ¿üdü
.00000001`85D36D70:  34 6C A9 4B-3E EC B2 0F-19 EE F6 EB-65 3E 37 F4  4l�K>�“<“µ÷´e>7 
.00000001`85D36D80:  F4 2C F6 15-2D EE 2B 67-64 43 1E 86-99 85 86 3B   ,÷§-µ+gdC²åÖàå;
.00000001`85D36D90:  6B DF B8 F6-61 CE 23 F8-36 60 50 7E-F7 26 63 13  k€U÷al#°6`P~H&c<
.00000001`85D36DA0:  E5 DD A6 54-F6 90 18 00-E0 FF 1D 6F-B8 BB 23 4B  ÃŒªT÷É‘ ± ”oUW#K...

... Which seems to be the right cert, ending about here:

⎗
✓
.00000001`85D371F0:  BC 2F BC 66-23 97 50 81-6F 18 1B 2C-A6 AF C0 CF  ]/]f#ùPüo‘,ª»�g
.00000001`85D37200:  81 C8 4C A1-FD 2D CA 58-27 00 00 00-00 00 00 00  üZLí²-iX'

But going by the layout in the generated source code, the pointer and size to the certificate should be after this included binary blob, however it's not there, likely the compiler optimized it away?
So I look for a cross-reference in the code:

⎗
✓
.00000001`812B066D: 0F8753FFFFFF                   ja          .00000001`812B05C6 --‘7
.00000001`812B0673: 488D05E6000000                 lea          rax,[00000001`812B0760] --“8 ; this is the switch jumptable
.00000001`812B067A: 48630C98                       movsxd       rcx,d,[rax][rbx]*4
.00000001`812B067E: 4801C1                         add          rcx,rax
.00000001`812B0681: FFE1                           jmp          rcx
.00000001`812B0683: 48C744246869060000             mov          q,[rsp][068],000000669 ; this must be the size of the cert, if you want to replace it, you MUST patch this too!
.00000001`812B068C: 488D050D65A804                 lea          rax,[00000001`85D36BA0] --“9 ; this is the pointer to the code, this is a relative offset, you must correctly adjust this too!
.00000001`812B0693: EB79                           jmps        .00000001`812B070E --“A
.00000001`812B0695: 83F808                         cmp          eax,8
.00000001`812B0698: 0F8428FFFFFF                   jz          .00000001`812B05C6 --‘7
.00000001`812B069E: 83F82D                         cmp          eax,02D ;'-'
.00000001`812B06A1: 0F841FFFFFFF                   jz          .00000001`812B05C6 --‘7
.00000001`812B06A7: 89C1                           mov          ecx,eax
.00000001`812B06A9: E8E2890100                     call        .00000001`812C9090 --“5
.00000001`812B06AE: 85C0                           test         eax,eax
.00000001`812B06B0: 75A2                           jnz         .00000001`812B0654 --‘B
.00000001`812B06B2: 488D052C3E1D05                 lea          rax,[00000001`864844E5] ;'MOZ_CRASH(Function failed without calling PR_GetError)' --“C
.00000001`812B06B9: 488B0D70A63105                 mov          rcx,gMozCrashReason --“D
.00000001`812B06C0: 488901                         mov          [rcx],rax
.00000001`812B06C3: E98B000000                     jmp         .00000001`812B0753 --“E
.00000001`812B06C8: 48C744246848060000             mov          q,[rsp][068],000000648 ;'  `H'
.00000001`812B06D1: 488D05386BA804                 lea          rax,[00000001`85D37210] --“F
.00000001`812B06D8: EB34                           jmps        .00000001`812B070E --“A
.00000001`812B06DA: 48C744246848060000             mov          q,[rsp][068],000000648 ;'  `H'
.00000001`812B06E3: 488D057671A804                 lea          rax,[00000001`85D37860] --“G
.00000001`812B06EA: EB22                           jmps        .00000001`812B070E --“A
.00000001`812B06EC: 48C74424682E020000             mov          q,[rsp][068],00000022E ;'  ;.'
.00000001`812B06F5: 488D057462A804                 lea          rax,[00000001`85D36970] --“H
.00000001`812B06FC: EB10                           jmps        .00000001`812B070E --“A
.00000001`812B06FE: 48C74424681A030000             mov          q,[rsp][068],00000031A
.00000001`812B0707: 488D058252A804                 lea          rax,[00000001`85D35990] --“I
.00000001`812B070E: 4889442470                    Amov          [rsp][070],rax
.00000001`812B0713: E93CFEFFFF                     jmp         .00000001`812B0554 --‘J
.00000001`812B0718: 48C744246848060000             mov          q,[rsp][068],000000648 ;'  `H'
.00000001`812B0721: 488D05F85BA804                 lea          rax,[00000001`85D36320] --“K
.00000001`812B0728: 4889442470                     mov          [rsp][070],rax
.00000001`812B072D: 48C744247806070000             mov          q,[rsp][078],000000706
.00000001`812B0736: 488D05B37EA804                 lea          rax,[00000001`85D385F0] --“L
.00000001`812B073D: E90AFEFFFF                     jmp         .00000001`812B054C --‘M
.00000001`812B0742: 488D059C3D1D05                6lea          rax,[00000001`864844E5] ;'MOZ_CRASH(Function failed without calling PR_GetError)' --“C
.00000001`812B0749: 488B0DE0A53105                 mov          rcx,gMozCrashReason --“D
.00000001`812B0750: 488901                         mov          [rcx],rax
.00000001`812B0753: CC                            Eint          3

So if you wanted to patch it, you'd need to patch:

⎗
✓
.00000001`812B0683: 48C744246869060000             mov          q,[rsp][068],000000669 ; this must be the size of the cert, if you want to replace it, you MUST patch this too!
.00000001`812B068C: 488D050D65A804                 lea          rax,[00000001`85D36BA0] --“9 ; this is the pointer to the code, this is a relative offset, you must correctly adjust this too!

You can probably guess that I have a very low appetite toward making a patcher for this when it'd be very specific to firefox binaries, but you might be able to replace the old cert in memory if the size matches, or are willing to write some dynamic x-ref location logic (might not be reliable).
However, if there is some demand from some anons, I could write some code.
I'd also like to note that patching xul.dll directly will break the EME video DRM as they check file signatures (the .sig file), if you want to patch without breaking support for that, this must be done at runtime with OpenProcess and WriteProcessMemory, or at least, if you don't want to do that, patching the file while retaining DRM capability would be a more involved process that I do not want to go into here.