Anything and everything about Extension Signing

Like it or not, Extension Signing starts with Firefox 40 (coming August 2015). The Mozilla Wiki has quite a bit of information about extension signing.

Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted.

Here is a timeline of when and how Extension Signing is going to be enforced:

  • Firefox 40: Firefox warns about signatures but doesn’t enforce them.
  • Firefox 41: Firefox will have a preference that allows signature enforcement to be disabled.
  • Firefox 42: Release and Beta versions of Firefox will not allow unsigned extensions to be installed, with no override.

If implemented on ESR, the first version to support signing would be Firefox ESR 45. The current plan is to have ESR work like 40, with a preference that can turn off enforcement, but that may change in the future.

November 3rd, 2015 is when Firefox 42 is planned to be released. This will be the day many Firefox users discover that some of their extensions which were not hosted on addons.mozilla.org (AMO) no longer work, and that there is nothing they can do about it. The likely reasons could include that the developer doesn’t want to jump through Mozilla’s hoops to get the extension signed, or that they no longer update the extension (but it still works). While I do support Extension Signing, I still say it is a bad thing to make it so the user cannot override it if they so choose.

In regard to Firefox ESR, I understand Mozilla’s thoughts on this. Firefox ESR is designed for organizations and corporations, which likely already have strict IT Department/Security/Company policies in regard to extensions. However, some of these may have their own proprietary extensions, which of course would not be hosted on AMO. Hence that would be the reason for allowing “a preference that can turn off enforcement”.

A couple of closing thoughts… Firefox ESR can be used by anyone who downloads and installs the builds. So, that is one way users could get around the mandatory enforcement. Alternatively, since they are going to have to install a different browser anyway, they could go with Pale Moon. Finally, according to the FAQ: Signed Extensions on mozillaZine:

Note that known search hijackers which are currently hosted at AMO will also be automatically signed.

WTF! The whole purpose and marketing of Extension Signing was that this would prevent those types of add-ons from being installed without the user’s knowledge. I am under the impression here that the extension does not need to be installed through AMO; rather, as long as the extension is hosted on AMO (or has been signed/approved by Mozilla) it can be installed. I suppose this will prevent future search hijacker extensions from being installed, but not current ones.