I'm transforming my SDK-based Firefox extension to WebExtensions and I've come to the issue of updating the extension. The current extension is hosted on my own domain (which is an HTTP domain), along with the update.rdf file.

Now, for SDK-based add-ons, updates were possible via HTTP as long as the update manifest was signed using the McCoy tool and the valid hash of the update file was provided in the manifest. In addition to that, install.rdf would hold the public key portion of the key used to sign the update.rdf.

There seem to be no options to do this using the web extensions ( no manifest entry for public key, and no update manifest (.json) entry for the signature).

Does this mean Firefox will only allow self-hosted extensions to update via HTTPS? How will this affect SDK-based extensions currently hosted on HTTP domains? Will they be able to receive (at least one) update?

As you appear to have determined, the update.rdf for WebExtensions based add-ons must be served over HTTPS, not HTTP. The URL for the update.rdf file must be HTTPS. The documentation for the update_url property in the manifest.json applications key is explicit on this point:

• update_url is a link to an add-on update manifest. Note that the link must begin with "https". This key is for managing extension updates yourself (i.e. not through AMO).

There is no way to use the alternate security method, which is available to other types of add-ons, of providing an updateKey (and signing the update.rdf) in an install.rdf file included with the extension.

Add-on SDK based extensions, and other types of non-WebExtensions add-ons, will continue to be able to receive their update.rdf over HTTP in the same manner which they have been doing.

If your issue is transitioning an add-on from being an Add-on SDK based add-on to being a WebExtensions based add-on, then you will need to have an update to that extension which changes the URL from which updates are served. This can either be in some version before transitioning to WebExtensions, or at the same time. Either way, it is just a new version of the add-on (indicated with the update.rdf served via HTTP and appropriately signed). That new version will then have an update_url (WebExtensions) or updateURL (all other types) where the URL is using the HTTPS scheme. All subsequent update.rdf files will then be served over HTTPS.