First, I went to toolbar.google.com and attempted to "Agree & Install" the toolbar. The Extensions manager opened and then told me that it was an Incompatible Extension and thus could not be installed. Logic told me that there must be something in the XPI file that tells the Extensions manager what versions are acceptable. I immediately had some intangible flashback feeling that I eventually related to memories of editing setup.ins (or something like that) to force game installers (such as oh what was it, DeICE? I digress..) to install on my under-RAM'd, under-disk'd 386. That gave me a feel for what I was going to need to do here.
In any case, viewing source of http://toolbar.google.com/firefox/install.html to get the URL for the XPI yielded our starting point. I pasted this into the location bar to find that I wasn't given an option to "Save As" with this type of file. Rather than muck with figuring out how to change that, or digging through disk cache, or making an html page I could right-click save as from, I opted to paste that URL to wget on the command-line. (Note to self, let's use this same technique to make the lget extension work with 1.5 beta; lget allows for a new protocol handler so you can save files rather than render them when loading an URL from the location bar.) Whatever the method, save the google-toolbar.xpi to local disk. (you can right click and save "our starting point" link above.)
In the spirit of modifying DOS game install floppies to work on my shitty pc, I also had a hunch that the XPI file was a common archive format, such as ZIP, so I proceeded to open the google-toolbar.xpi in WinRAR. As expected, it opened like any tar/zip/etc should. Intuition told me that the install.rdf file was a good place to start in my hunt for the version parameters. After opening install.rdf for editing, I saw
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>1.0+</em:maxVersion>
</Description>
</em:targetApplication>
My first thought was that that should work since 1.4 seems like something that would match the "plus" criteria in "1.0+" but since I have no idea what sort of regex or other sort of conditional that may be, I decided maybe "1.0+" means something like "1.0 and any sub-minor (or whatever you'd call that) revision higher than that" which meant for my purposes, I should change "1.0+" to read "1.4+" (since I am running Firefox 1.4beta) then save the modified file and replace the install.rdf in the google-toolbar.xpi archive with the new version.
So of course I then dragged the modified google-toolbar.xpi into my firefox window which loaded the Extensions manager blah blah, error. "Because: Signing could not be verified." hrmm.. I confess, it was at this point I realized that I don't normally pay attention to whether my Firefox extensions are signed or not... rather I have just been lazy, relying on the "oh, it's from a known source" (flawed) logic as if I've never seen a software package compromised on the official distribution site before. Writing this just now probably will change that habit for me... I mean, if it was an IE ActiveX object, I certainly would have paid attention to who it was signed by. Again I digress...
"Signing, huh?" I thought to myself. I attempted to install the same xpi once more and this time noticed while the Extensions manager countdown ticked that instead of the red "unsigned" I usually ignored, it said something about "Goo" (and then the window cut off the text and I assume it probably said Google, Inc. or something along those lines.) Hrmm.. signing. Back to WinRAR we go. I open some other random files, and then look in the META-INF/ directory. I open the manifest.mf file and see:
Manifest-Version: 1.0 Created-By: Signtool (signtool 3.10) Comments: PLEASE DO NOT EDIT THIS FILE. YOU WILL BREAK IT.followed by a list of files and MD5 and SHA1 hashes. Clearly this has something to do with it. Also in that directory are files called zigbert.sf and zigbert.rsa which is pretty obviously gonna be a cert file. Glancing at it, yeah, it's a cert from Verisign. OK well again, without wanting to dig and learn, I fall back to the one of the first "hacking" techniques I developed as a 7-yr old trying to teach myself BASIC by listing every file I could copy onto a C-60 casette while the salesman at the Radio Shack wasn't looking: "change it/remove it and see what happens." Quickest thing to mind was to remove the META-INF/ directory and it's contents from the already-modified google-toolbar.xpi archive and see what happens.
Dragging the newly saved google-toolbar.xpi into firefox, the Extensions manager was more encouraging. This time the familiar "unsigned" was on screen as the countdown finished, allowing me to click "Install Now" and see it tell me "Google Toolbar for Firefox will be upgraded when Firefox is restarted." Cool.
I restart Firefox and pow! There's my beloved Google Toolbar. yay.