How do you do this without leaking your code to mozilla?

Out of curiosity, under what circumstances would you consider distributing an extension bundle to be leaking its code? Unless I'm misunderstanding, isn't this the same file you'll be distributing to your users? At first bluff it seems similar to worrying about leaking your website's frontend (I've got news for you...).

It could be a private extension developed by a company internally, and only distributed to internal users.

If it's for an entire company, then it's easy enough to compile your own copy of firefox that accepts extensions signed with the company signature rather than mozilla.

It's really not. Small businesses exist.

If you have the resources to develop an internal company addon, you have the resources to build a firefox that accepts a different signature.

Respectfully disagree - having to rebuild each time patches come out, on multiple OSes and versions, which have a patch to allow unsigned extensions is a massively more time expensive than developing a browser extension, and requires extra knowledge on the behalf of the persons responsible

Luckily it's not necessary: you can still enable a flag in ESR releases that allow installation of unsigned add-ons, so that solves it for company-internal tools.

off-topic: the phrase is, "at first blush"

I don't think you can have Mozilla sign it without letting them see the code.

They are referring to an internal company tool

"Leaking your code to mozilla"? What do you think they are going to do with it?

Doesn't matter. When developing an internal company tool, it can become a blocker due to policy or legal reasons.

Luckily,when it's internal you can use the ESR release and set a policy that allows it to be installed anyway.