[arp242]

You can already use web-ext to sign it; it doesn't need to be published (you can keep the extension private). It's just that you need to be logged in to download it and can't really provide a "share link" (but you can of course upload/send that .xpi to anyone).

I have a few private extensions like this (e.g. for HN, GOG, my own new tab page, etc.). I don't have the exact steps for this at the handy, been meaning to do a write-up at some point, but my mk script is just "$webext sign --channel unlisted --api-key $jwt_issue --api-secret $jwt_secret" – I don't recall if you need to create it the extension in the Mozilla web UI first, but I don't think so(?)

[sdovan1]

Thanks! I thought this was impossible. Gonna try it out today.

Edit: I successfully signed the key on AMO. Here are the steps:

    Get an access token from https://addons.mozilla.org/developers/addon/api/key/
    In manifest.json, add browser_specific_settings.gecko.id and set it to something like "myext@example.com"
    Run command: web-ext sign --api-key=<jwt-issuer> --api-secret=<jwt-secret> --channel=unlisted
    That command will upload your extension to AMO. After an automatic review, you can download the .xpi file from AMO.

That said, it's not ideal for me since I make extensions for work. Looks like a human reviewer can check your code at any time.

[arp242]

> Looks like a human reviewer can check your code at any time.

Yeah, not entirely sure how this works. I've been doing this for a few years with a bunch of extensions, and thus far it's always just been automatically approved (although that does take a few minutes).