I'm using the Mozilla API to upload an add-on and signing it (following this guide).
After uploading the add-on, I receive the first answer from the api as a json, that looks like that. From that response, I'm taking the url field and accessing it (result), that way I can see the status of my add-on signing.
The thing that I don't get, is why although the add-on is marked as signed for my understanding (active, passed_review, processed, reviewd, valid are all set to true), the xpi file (result.files[0].download_url) is marked as signed=false.
Does anyone knows why is that? How can I get my xpi signed and download it? Maybe it has to do with the warnings I have on the add-on? (although they're marked as fine).
The curl commands I'm executing.
Thanks, Ariel.
P.S - Can't use jpm cause It's not the add-ons format we currently have.
I believe that behavior resulted from a bad install.rdf configuration. I had a wrong targetApplication id (firefox, thunderbird, etc..), and when I fixed that and tried again it worked, and I got signed=true.
I also opened an issue about it in the github project of https://addons.mozilla.org
P.S - From jpm v1.0.5 it is possible to sign a non-SDK (Xul, WebExtensions) add-on with the jpm tool (github):
jpm sign --api-key <key> --api-secret <secret> --xpi <filePath.xpi> (works great!)