Firefox 49 works with my signed WebDriver but it does not with Selenium's unsigned one

[andreicristianpetcu]

Please read the issue an not mark it as duplicate of #2559

Meta -

OS:
Ubuntu 16.04
Selenium Version:
2.53.1
Browser:
Firefox

Browser Version:
49.0 (64-bit)

Expected Behavior -

Firefox 48+ should work with Selenium's WebDriver just as it works with my signed WebDriver

Actual Behavior -

Selenium replaces my WebDriver which works with v49 with the unsigned one which does not work with Firefox v48+

Steps to reproduce -

Install my signed web driver and start Protractor or Selenium.

[andreicristianpetcu]

Please read this comment it explains how to sign your webdriver without passing Mozilla's code review.

Sorry for making another bug since I think that people don't look at closed issues.

[lukeis]

@andreicristianpetcu if you replace the webdriver.xpi in the standalone.jar (it's basically a zip file, you can unpack and re-zip up). You'll be able to run with your own customized extension instead.

@AutomatedTester @andreastt @davehunt is this an acceptable method to bypass mozilla's extension signing and do it ourselves?

from the other issue comment:

You don't need Mozilla's review in order to get the addon signed. Change the UUID in install.rdf of the addon to a new generated value and run JPM sign like so.

  <Description RDF:about="urn:mozilla:install-manifest" em:id="{681B9050-93CA-11E6-827B-DB5CC7AD2208}"

jpm sign --api-key $MY_AMO_API_KEY_COPIED_FROM_AMO --api-secret $MY_AMO_API_SECRET_COPIED_FROM_AMO --xpi firefox-driver.xpi

[davehunt]

I'll leave others to comment of if we should do this, but I doubt there will be any support from Mozilla or Selenium if the legacy FirefoxDriver is broken by changes in Firefox releases. All effort is now going into Marionette and GeckoDriver.

[andreicristianpetcu]

@lukeis replacing it does not work :( If I delete webdriver.xpi I get no error and each new run will still have it. It must be somewhere in some cache, profile or something. If I delete the file from node-modules I should get an error but I don't.

@davehunt I know time working on Free Software projects is very little and should not be wasted but this is a popular issue (it's put in the template of all the new issues) and it can be fixed in 10 minutes. This is not an API change. The file only needs to get signed, it's a trivial operation. From what I understand FirefoxDriver is the stable and GeckoDriver is the beta. Lots of people are using FirefoxDriver still.

This is not bypassing Mozilla's addons signature, it's using Mozilla's addon signature. This is not a trick or a hack. Mozilla supports unlisted addons for quite some time now. There are APIs for this. Mozilla cares only about addon integrity for unlisted addons. You can do whatever you want in the addon if it unlisted, you only need to sign it. It's a small requirement.

[AutomatedTester]

If its using jpm then it should be fine to do.

I want to make something explicitly clear on this though, since Mozilla has put a lot of effort into the specification and getting GeckoDriver up to speed, that if we do this and FirefoxDriver stops working, which could happen at the release of 50, Mozilla won't be putting any effort into fixing it and neither will the Selenium project. This will have to be wholly community driven.

[lukeis]

@andreicristianpetcu so... it's not working for me... getting a weird error:

jpm sign --api-key $AMO_API_KEY --api-secret $AMO_API_SECRET --xpi build/javascript/firefox-driver/webdriver.xpi
JPM [error] FAIL
Error: EACCES, stat '/var/folders/r8/3v1w2db52gx3gjbs393990_910gc7h/T/tmp-extracted-xpi-32363vS8JAAYJcWCq/platform/WINNT_x86-msvc'
at Error (native)

that temp folder doesn't exist... no idea where it's going wrong.

[andreicristianpetcu]

strange...... jpm is a nodejs tool..... try running it with node-debug or node-inspector. For me it worked fine. I signed several unmaintained addons this way

[lukeis]

i tried a few steps in with node debug... and I'm not familiar enough with jpm to understand where to step into. So, I logged a bug with them and hopefully someone there knows more. I'm hoping for some simple user error on my part :)

mozilla-jetpack/jpm#600

[andreicristianpetcu]

@lukeis Are you trying to sign v3.0.0? Why not try v2.53.x? I signed v2.53.0 I think and it worked....

[lukeis]

Why would I try signing the old version? Also there should be much / anything different with the one in 3.0

[andreicristianpetcu]

The current stable works with 2.53.0 right? 3.0 is beta. Am I wrong? This is a bug with the current issue, not a feature request.

[lukeis]

3.0 is not beta anymore , we released 3.0.0 (and 3.0.1)

[andreicristianpetcu]

I signed this new extension and here is how I did it.

[andreicristianpetcu]

@lukeis if you manage to sign the extenssion, please put em:maxVersion="*". You initially put v51 as maximum which makes it incompatible with my daily browser: Firefox Nightly v52. In November it would stop working with Firefox DevEdition also.

[andreicristianpetcu]

@lukeis I'm replying you here for this comment. Please create the initial xpi file with another tool. Or unzip it and rezip it again with something else. This worked for me. What zipping tool are you using? What OS?

It's obvious that decompress-zip works with some zips and not with all. Maybe it is a compression leve thing issue.

[lukeis]

we are using java :) (well 'jar')

https://github.com/SeleniumHQ/selenium/blob/master/rake-tasks/zip.rb#L42

[lukeis]

oops, wrong one.. this is the one that's used for xpi's

https://github.com/SeleniumHQ/selenium/blob/master/rake-tasks/crazy_fun/mappings/common.rb#L195

[andreicristianpetcu]

Should I guess the OS that are you using? :)

What JDK, architecture?

[lukeis]

mozilla-jetpack/jpm#600 (comment)

https://github.com/SeleniumHQ/selenium#requirements

[andreicristianpetcu]

So you are using rake, to call jar, to make a zip.
Why not make the zip with rake? You will not need an external dependency.

I will investigate this when I have time. I'm no guru in rake :)

[lukeis]

the build system is called crazy-fun :) which happens to be the former and much less the latter.

[andreicristianpetcu]

Is there any documentation on building the extension with the current rake build system? I want to try a ruby-native zipping instead of jar.

[andreicristianpetcu]

I created a rakefile that zips the contents of the folder using pure ruby. It's still a work in progress but I hope that I will be able to get rid of the jar dependency and have a working, signable archive.

require 'rake/packagetask'
require 'zip/zip'
namespace :my_namespace do
  def zip(src, dest)
    path = src

    path.sub!(%r[/$],'')
    archive = File.join(path,File.basename(path))+'.zip'
    archive = dest
    FileUtils.rm archive, :force=>true

    puts "Making archive " + archive
    Zip::ZipFile.open(archive, 'w') do |zipfile|
      Dir["#{path}/**/**"].reject{|f|f==archive}.each do |file|
        zipfile.add(file.sub(path+'/',''),file)
      end
    end
  end
  desc "Make xpi"
  task :make_xpi do
    puts "Making a Firefox extension file"
    zip("firefox_webdriver-3.0.0-fx.xpi_FILES", "firefox_webdriver-3.0.0-fx.xpi")
  end
end

Right now signing fails with this error:

$jpm sign --api-key $AMO_API_KEY --api-secret $AMO_API_SECRET --xpi firefox_webdriver-3.0.0-fx.xpi
JPM [info] Signing XPI: firefox_webdriver-3.0.0-fx.xpi
Server response: Invalid archive. (status: 400)
JPM [info] FAIL

[andreicristianpetcu]

I'm giving up. I see very little effort from Selenium devs to fix this. Your build process is too complicated for me. I signed 2 addons of yours to show you how and you can sign each new release manually. It takes 1 minute. It does not need to be part of the build system. Selenium devs have little interest for their Firefox users. I know, I know future versions will work with marionette or geckodriver or whatever but until then latest stable Firefox does not work with latest stable Selenium and it's a 1 minute manual job for each release in order for this to work. It has been so since August and there was very little effort to fix this. I know working on Free Software projects is hard and everybody wants you do implement their "very important" feature but I think this was quite important for a lot of people.

You can close this ticket if you want. Sorry I don't have more time to invest in this.

[davehunt]

@andreicristianpetcu following your lead I was able to get this working.

The patch for creating the XPI is:

diff --git a/rake-tasks/crazy_fun/mappings/common.rb b/rake-tasks/crazy_fun/mappings/common.rb
index 523d8e7..f267c22 100644
--- a/rake-tasks/crazy_fun/mappings/common.rb
+++ b/rake-tasks/crazy_fun/mappings/common.rb
@@ -1,4 +1,3 @@
-
 # Modify String to add start_with and end_with methods
 if (!"".methods.include? :start_with)
   class String
@@ -187,14 +186,20 @@ class Tasks
     end
   end

-  def zip(src, dest)
-    out = Platform.path_for(File.expand_path(dest))
-    Dir.chdir(src) {
-      # TODO(jari): something very weird going on here on windows
-      # the 2>&1 is needed for some reason
-      ok = system(%{jar cMf "#{out}" * 2>&1})
-      ok or raise "could not zip #{src} => #{dest}"
-    }
+  def zip(path, dest)
+    gem 'rubyzip'
+    require 'zip/zip'
+    require 'zip/zipfilesystem'
+
+    path.sub!(%r[/$], '')
+    archive = Platform.path_for(File.expand_path(dest))
+    FileUtils.rm archive, :force=>true
+
+    Zip::ZipFile.open(archive, 'w') do |zipfile|
+      Dir["#{path}/**/**"].reject{|f|f==archive}.each do |file|
+        zipfile.add(file.sub(path+'/', ''), file)
+      end
+    end
   end

   def to_filelist(dir, src)

I generated a unique UUID and use my own AMO credentials to then sign the extension:

$ jpm sign --api-key <KEY> --api-secret <SECRET> --xpi build/javascript/firefox-driver/webdriver.xpi
JPM [info] Signing XPI: build/javascript/firefox-driver/webdriver.xpi
Validating add-on [...............................................................................................................................................................................]
Validation results: https://addons.mozilla.org/en-US/developers/upload/7a9a98e5699a477392d247dd5881877c
Downloading signed files: 100% 
Downloaded:
    ./firefox_webdriver-3.0.1-fx.xpi
JPM [info] SUCCESS

I think it would be great to get this into the next release. I do think we should make it clear that this is not the recommended approach, and that any issues encountered using Firefox 48+ without geckodriver would likely not be resolved.

So what remains is:

• We would need to update the build to sign the XPI and then package the signed version.
• We would need an AMO account with credentials to sign the XPI, and these will need to be encrypted for Travis. We can probably use personal accounts for this, and whoever gets there first can encrypt theirs for CI.
• We would want to add a py27-firefox job in Travis that installs latest release to alert us if/when this breaks. We may ultimately want to test Firefox pre-releases for more notice.

I'm happy to help, however I'm not sure how much time I can commit.

[andreicristianpetcu]

Thank you @davehunt I'm glad you are interested in this. What makes you think this is not a recommended way? Is geckodriver stable and fully functional? My understanding is that webdriver is stable and geckodriver is beta.

Lastpass is a popular Firefox addon that is signed but unlisted, just as I propose webdriver should be until geckodriver has all the features that webdriver has. Mozilla supports unlisted addons.

[phoenix384]

@andreicristianpetcu I just spotted this issue and immediately tried to get a signed 3.4 xpi myself. But that seems not to work anymore since it uses legacy API and is not a WebExtension. Is there still a way to get a signed 3.4 xpi that works with 53.0 or at least the latest ESR?

[andreicristianpetcu]

@phoenix384 You can't sign a new legacy addon. You can create a new WebExtension and "upgrade" it to a legacy addon :D. The most trivial webextension is a zipped manifest.json. It needs to have a new guuid. After you signed the webextension then upload a "new version" for signing that is the legacy one with the webextension's uuid and a different version.

If you have issues I can help. This is tested and it works.

[phoenix384]

That worked. Thank you

[andreicristianpetcu]

@phoenix384 Glad it worked :)
Do you happen to have a Selenium build that uses the signed addon? I managed to sign the addon but did not manage to use it inside Selenium.

[phoenix384]

Yes I do. I took the webdriver.xpi from the Java lib .jar, signed it and put it to a folder of the project and started Firefox with
FirefoxProfile profile = new FirefoxProfile();
profile.addExtension("webdriver", new FileExtension(new File(folder, "webdriver.xpi")));
DesiredCapabilities capabilities = DesiredCapabilities.firefox();
capabilities.setCapability(FirefoxDriver.MARIONETTE, false);
capabilities.setCapability(FirefoxDriver.PROFILE, profile);
FirefoxDriver driver = new FirefoxDriver(capabilities);
or with parameter -Dwebdriver.firefox.driver='/path/to/xpi' via Grid.

[masterseo2000]

Hello,
I just noticed the that there is a little bot that appears in the address bar that says: browser is under remote control (Firefox) on Firefox (chrome is automated by a software)
I was wondering what is this exactly (I got the bot thing) I mean by that:
Is that just a client site indicator?
Is that something that that the actual website detects
Would it go away when you define a user agent
Is there a way to remove it / Control it
Thanks a lot!!

[davehunt]

@masterseo2000 this is to conform with the suggestion in the WebDriver specification's security considerations:

It is also suggested that user agents make an effort to visually distinguish a user agent session that is under control of WebDriver from those used for normal browsing sessions. This can be done through a browser chrome element such as a “door hanger”, colorful decoration of the OS window, or some widget element that is prevalent in the window so that it easy to identify automation windows.