Good afternoon, I am having an issue regarding signature validation of the files from my extension. I distribute my extension manually, i.e., I upload its package to the Mozilla developer center and get the files signed.
The problem is when I drop the extracted files from the package into the user’s file system. I thought that these files were verified by Firefox at each startup to check their integrity, and in case the files hashes didn’t match the ones stored in the mozilla.mf file, then the extension would be disabled for security reasons. But I manipulated the files in every way (edited them, removed some, included others), restarted Firefox and still the extension would be enabled.
The only condition that would force Firefox to verify the hashes was when I removed the manifest.json. In this case, Firefox would not find the extension and would remove it from the browser. Then, when I restored the manifest, Firefox would verify the integrity of the files and disable the extension.
Could someone tell me if this is a bug, bad configuration or if the integrity check should be done by the developers in another way?
Tested Firefox versions:
56.0
56.0.2
57.0b13