This guide details the steps required to publish the WebAuthnLinux extension to the Chrome Web Store and the Mozilla Add-ons (AMO) store, following the 2026 standards.
Ensure you have the following icon sizes in the extension/icons/ folder:
- 19x19 (Action icon)
- 48x48 (Extension management page)
- 128x128 (Store listing)
Update the "version" field in extension/manifest.json before every release (e.g., 1.0.0, 1.0.1).
- Important: Mozilla requires the version to be a string of 1 to 4 numbers separated by dots (e.g., 0.1.2.3). Letters and leading zeros are not allowed.
Use the provided Makefile to package the extension into a ZIP/XPI archive:

```
make build
```

This creates WebAuthnLinux-Extension.xpi in the root directory.
- Sign up at the Chrome Web Store Developer Dashboard.
- Pay the one-time developer registration fee.
- Enable Two-Factor Authentication (2FA).
- Upload: Click "New Item" and upload the `WebAuthnLinux-Extension.xpi` (rename to `.zip` if required).
- Listing Details:
  - Provide a concise description.
  - Upload at least one screenshot (1280x800 or 640x400).
  - Provide a link to your Privacy Policy.
- Privacy & Permissions:
  - `nativeMessaging`: Justify this as required for communicating with the local Linux host for biometric (fingerprint) authentication.
  - `<all_urls>`: Justify this as required to inject the WebAuthn polyfill into any website the user visits.
- Review: Chrome uses Manifest V3. Since this extension contains no remotely hosted code and uses service workers (standard for MV3), the review process typically takes 1-7 days.
- Create an account at addons.mozilla.org (AMO).
- Agree to the Developer Agreement.
- Upload: Submit the `WebAuthnLinux-Extension.xpi` file.
- Listing Details: Fill in the name, summary, and description.
- Source Code Disclosure (Crucial):
  - Since 2025, Mozilla requires the submission of the full source code if the extension is obfuscated or uses a build process.
  - Even for non-obfuscated code, it is recommended to provide a link to the GitHub repository (WebAuthnLinux) or upload the source ZIP to ensure transparency.
- Permission Justification: Similar to Chrome, justify `nativeMessaging` and host permissions.
- Signing: Mozilla will digitally sign your extension. For self-distribution (outside the store), you can choose "On your own," but for the public store, choose "On this site."
- Security Audit: Mozilla's automated scanner checks for unsafe code patterns. Specifically:
  - Avoid using `innerHTML` with dynamic values; use `textContent` or `createElement`/`appendChild` instead.
  - Ensure all dependencies are included in the source package if choosing the "full source code" submission option.
Both stores require a Privacy Policy since the extension requests sensitive permissions (nativeMessaging, storage).
Mozilla requires a specific field in the manifest to declare fallback data collection behavior. Ensure extension/manifest.json includes:

```json
"browser_specific_settings": {
  "gecko": {
    "id": "webauthnlinux@samveen.github.io",
    "data_collection_permissions": {
      "required": ["none"],
      "optional": []
    }
  }
}
```

Setting `required` to `["none"]` indicates the extension does not collect any data.
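
The manifest rules stated in this guide (version format, the gecko data-collection block, and the permissions that need a store justification) can be checked before packaging. The Node.js script below is an added example, not part of the WebAuthnLinux project; `preflight()`, the sample manifests and the `content.js` filename are constructed for illustration.

```javascript
// Added example: pre-release checks for extension/manifest.json.
// preflight() and both sample manifests are constructed for illustration.

// 1 to 4 dot-separated numbers, digits only, no leading zeros ("0" alone is fine).
const VERSION_RE = /^(0|[1-9]\d*)(\.(0|[1-9]\d*)){0,3}$/;
// Permissions this guide says must be justified in the store listing.
const NEEDS_JUSTIFICATION = ["nativeMessaging", "<all_urls>"];

function preflight(manifest) {
  const errors = [];
  if (manifest.manifest_version !== 3) {
    errors.push("manifest_version must be 3 (mandatory on the Chrome Web Store)");
  }
  if (typeof manifest.version !== "string" || !VERSION_RE.test(manifest.version)) {
    errors.push("version must be 1 to 4 dot-separated numbers, no letters or leading zeros");
  }
  const gecko = (manifest.browser_specific_settings || {}).gecko || {};
  if (typeof gecko.id !== "string" || gecko.id === "") {
    errors.push("browser_specific_settings.gecko.id is missing");
  }
  const required = (gecko.data_collection_permissions || {}).required;
  if (!Array.isArray(required) || required.length !== 1 || required[0] !== "none") {
    errors.push('data_collection_permissions.required must be ["none"] to match the privacy policy');
  }
  // Collect every place a permission or match pattern can be declared.
  const declared = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
  const justify = NEEDS_JUSTIFICATION.filter((p) => declared.has(p));
  return { ok: errors.length === 0, errors, justify };
}

// Constructed sample input: one manifest that passes, one that does not.
const good = {
  manifest_version: 3,
  version: "1.0.1",
  permissions: ["nativeMessaging", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  browser_specific_settings: { gecko: {
    id: "webauthnlinux@samveen.github.io",
    data_collection_permissions: { required: ["none"], optional: [] },
  } },
};
const bad = { ...good, version: "1.01.0-beta", browser_specific_settings: { gecko: {} } };

console.log(preflight(good));
console.log(preflight(bad));
```

The `justify` list in the result names the permissions that need a written justification in both store listings.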
Your policy should state:
- Data Collection: No personal data is collected or sent to external servers.
- Native Messaging: Used only to interact with the local `fprintd` service for user authentication.
- Local Storage: Used only to store the encrypted virtual credentials locally on the user's machine.
| Requirement | Chrome Web Store | Mozilla Add-ons (AMO) |
|---|---|---|
| Manifest Version | Manifest V3 (Mandatory) | Manifest V3 (Supported) / V2 |
| Review Time | ~1-7 days | ~1-24 hours (Automated/Manual) |
| Fee | One-time $5 USD | Free |
| Source Disclosure | Code must be reviewable | Mandatory for build/obfuscation |
| Signing | Handled by Google | Handled by Mozilla |