Reproducible webextensions
23.8.2019
Reproducible builds are a process that lets users verify that a package or binary they have was built from a known source code. You can do the same thing with webextensions if the source code is available and building the XPI is reproducible. Verifying is easy, here's how you can do it. I have done this only on Linux.
Requirements
- diff
- unzip
The process
- Build the XPI from the source code.
- Create a directory for the uncompressed installed webextension. (mkdir install)
- Unzip the installed XPI into that directory. (unzip -qqd install path_to_installed_webextension.xpi)
- Delete the meta files Mozilla adds to every webextension on AMO. (rm -rf install/META-INF)
- Create a directory for the uncompressed webextension you just built. (mkdir source)
- Unzip the XPI you built into that directory. (unzip -qqd source path_to_webextension_you_built.xpi)
- Compare all the files in both directories. (diff -r install source)
diff tells you whether any of the files differ. Don't jump to conclusions if they do; it's probably nothing malicious. Maybe you downloaded the wrong version of the source code, or the webextension has dependencies whose versions aren't pinned exactly and npm downloaded newer modules, or something else.
Here's a script to verify the XPIs on Linux. Note the order of the XPIs: the AMO XPI comes first, the one you built second.
#!/usr/bin/env bash
# Compare the XPI installed from AMO (first argument) with the XPI built from source (second argument).
set -e

if [[ $# -ne 2 ]]; then
    echo "Usage: $(basename "$0") AMO_XPI BUILT_XPI" >&2
    exit 2
fi

amo_xpi=/tmp/amo_xpi
built_xpi=/tmp/built_xpi

# Clean up the extracted trees on exit, also when diff finds differences and set -e stops the script.
trap 'rm -rf "$amo_xpi" "$built_xpi"' EXIT

mkdir "$amo_xpi"
unzip -qqd "$amo_xpi" "$1"
# META-INF holds the files Mozilla adds when it signs the XPI on AMO; a local build never has them.
rm -rf "${amo_xpi}/META-INF"

mkdir "$built_xpi"
unzip -qqd "$built_xpi" "$2"

# diff exits non-zero if any file differs or exists on only one side.
diff -r "$amo_xpi" "$built_xpi"
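The same check can be done without unpacking anything to disk, by comparing the entries of the two XPIs (which are plain zip files) by content hash. The following is an added example, not a script from the original post; it skips the META-INF/ signature files exactly as the steps above do, and it reports changed files, files only in the AMO XPI and files only in the local build separately, which makes the "wrong source version" and "newer npm modules" cases easier to recognise. The two XPIs it compares are constructed in memory so it runs offline; in practice you pass the paths of the two real files to compare_xpis().

```python
"""Compare an AMO-signed XPI with a locally built XPI without extracting to disk.

Added example, not part of the original post. The XPIs below are constructed in
memory so the script runs offline; pass real file paths to compare_xpis() instead.
"""
import hashlib
import io
import zipfile

# Mozilla adds these when it signs an XPI on AMO; a local build never contains them.
SIGNATURE_PREFIX = "META-INF/"


def _entry_digests(xpi):
    """Map each file path inside the XPI to the SHA-256 of its contents.

    `xpi` may be a filesystem path or a file-like object. Directory entries and
    the META-INF/ signature files are skipped.
    """
    digests = {}
    with zipfile.ZipFile(xpi) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            with zf.open(info) as fh:
                digests[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_xpis(amo_xpi, built_xpi):
    """Return how the AMO XPI and the built XPI differ.

    The report is a dict of three sorted lists: files present in both with
    different contents, files only in the AMO XPI, and files only in the build.
    All three empty means the build reproduced the published XPI.
    """
    amo = _entry_digests(amo_xpi)
    built = _entry_digests(built_xpi)
    return {
        "differ": sorted(p for p in amo.keys() & built.keys() if amo[p] != built[p]),
        "only_in_amo": sorted(amo.keys() - built.keys()),
        "only_in_built": sorted(built.keys() - amo.keys()),
    }


def is_reproducible(report):
    """True when the comparison report lists no differences at all."""
    return not any(report.values())


def make_xpi(files):
    """Build an in-memory XPI (a zip file) from a {path: bytes} mapping. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


# Constructed sample extension as a local build produces it.
BUILT_FILES = {
    "manifest.json": b'{"manifest_version": 2, "name": "demo", "version": "1.0"}',
    "background.js": b"console.log('hello');\n",
}
# The same extension as served by AMO: identical content plus the signature files.
AMO_FILES = dict(BUILT_FILES, **{
    "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
    "META-INF/mozilla.rsa": b"<constructed placeholder signature bytes>",
})
# A build from the wrong source revision: one file changed and one extra file.
STALE_BUILT_FILES = dict(BUILT_FILES, **{
    "background.js": b"console.log('hello, world');\n",
    "extra.js": b"",
})


def demo():
    """Compare the AMO XPI against a matching build and against a stale build."""
    ok = compare_xpis(make_xpi(AMO_FILES), make_xpi(BUILT_FILES))
    stale = compare_xpis(make_xpi(AMO_FILES), make_xpi(STALE_BUILT_FILES))
    return ok, stale


if __name__ == "__main__":
    ok, stale = demo()
    print("matching build reproducible:", is_reproducible(ok))
    print("stale build report:", stale)
```

Because only file contents are hashed, zip metadata such as entry timestamps or compression level does not cause false alarms; a build that packs the same files with a different zip tool still compares equal, just as the diff -r of the extracted trees does.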
If you are the author of an open source webextension, perhaps you can add this or a similar script to your repository. I'm using Makefiles; here's an example of how I have added the feature.