Mozilla Firefox Add-on Signing has started

 

Mozilla announced in February 2015 that it would require add-ons to be signed in the near future to improve security and privacy for users of the browser.

 

The idea here was to reduce the number of malicious extensions released for the browser and here especially those not distributed via Mozilla's website through the verification of signatures.

The only option Mozilla has to block malicious add-ons currently is to add them to the global blocklist, but that requires that Mozilla knows about the extension and that's usually when harm is already done.

Add-on signing impacts users and developers to varying degrees. Add-on developers for instance need to submit their add-ons to Mozilla regardless of whether they plan to release it on Mozilla AMO or not.

While it is theoretically possible to skip the submission, it would mean that only Dev and Nightly users can install the add-on as those are the two only channels for which signing is not mandatory.

Unsigned add-ons will be blocked in Stable, Beta and ESR versions of Firefox once the feature lands with no option to override the feature in the browser's preferences or on the about:config page.

This includes all existing add-ons installed in the browser that are not signed and also all extensions with custom modifications (which according to Mozilla need to be submitted then for signing).

The most recent version of add-ons currently hosted on AMO and any new version uploaded to it by developers will be signed automatically. Mozilla mentioned already that this won't be the case for old versions.

Developers who have not uploaded their extensions to AMO yet, HTTPS Everywhere is a prime example, need to do so if they want their add-ons to remain available to Stable, Beta and ESR users.

If you are running the stable version of Firefox you may have noticed that add-on signing has already begun.

When you open the add-ons manager in the browser, by loading about:addons for example, you may already see some signed add-ons listed there.

I checked Firefox Stable, Dev and Nightly but only the stable version of the browser listed the NoScript add-on as signed.

Signing has no impact currently as it is not enforced.

Pale Moon users on the other hand were affected negatively by this as crashes were caused by extensions with improperly formatted signatures or manifest files. Today's update to Pale Moon 25.3.2 fixes the issue.

The developers of the third-party browser already mentioned that they won't implement add-on signing in the browser.

Originally planed to be released in Firefox 39 add-on signing is now on track to be released with Firefox 40.

Additional information are available on Mozilla's Wiki website and the main tracking bug.