How to find out if a Firefox add-on is signed

How do you know whether a Firefox add-on is signed or not? And what does it mean if it is signed?

One could say that you find out as soon as you try to install the add-on in a recent version of Firefox and that is certainly true, but it may sometimes be useful to know in advance.

For instance, how many of the add-ons that you have installed will be blocked by Firefox when add-on signing is enforced? Or, can you distribute the add-on that you found on a third-party site, or will Firefox refuse to install it on systems you want it deployed on?

Firefox indicates whether add-ons are signed or not. If you open the add-ons manager of the browser by loading about:addons in the address bar for instance, you will notice that unsigned add-ons are highlighted in it.

A yellow exclamation mark and warning "could not be verified.. proceed with caution" is displayed above the add-on name in the add-ons manager.

But how can you find out about the signing status of add-ons that you have not installed?

There is only one rule of thumb available right now, and that is that all recent versions of add-ons listed on Mozilla's AMO website are signed.

While that is helpful at times, it won't help you if you want to install or distribute an add-on offered on a third-party site. You could install that in Firefox and see if you get an error message trying to do so or not.

If you run Firefox Developer Edition or Nightly, you can flip a switch to allow the installation of unsigned add-ons in the browser, whereas Firefox Stable and Beta will refuse to install those add-ons right away once the enforcement version of the browser has been reached (Mozilla plans to enforce this when Firefox 44 is released to the stable channel).

There is another option, one that does not require that you run Firefox at all. You do need the .xpi file of the extension for that, or the extracted contents of the .xpi file.

Zip programs like Bandizip can unzip Firefox add-on files with the .xpi extension.

1. Extract the .xpi file using a zip program that supports the operation.
2. Open the META-INF folder in the root directory of the extracted package.

If you find a zigbert.rsa file in the META-INF directory, the add-on is signed. If you don't, then it is not.

Note: I have checked this with a good dozen signed and unsigned add-ons and it matched the assumption. I cannot vouch however that this is a 100% surefire way of telling if an add-on is signed or not. For now though, it seems to be an accurate method.

Now You: Are you affected by the upcoming add-on signing policy?