Mozilla Firefox Add-on Signing has started

Martin Brinkmann
Apr 26, 2015
Updated • Apr 26, 2015

Mozilla announced in February 2015 that it would require add-ons to be signed in the near future to improve security and privacy for users of the browser.

The idea is to reduce the number of malicious extensions released for the browser, especially those not distributed via Mozilla's website, by verifying signatures.

The only option Mozilla has to block malicious add-ons currently is to add them to the global blocklist, but that requires that Mozilla knows about the extension and that's usually when harm is already done.

Add-on signing impacts users and developers to varying degrees. Add-on developers, for instance, need to submit their add-ons to Mozilla regardless of whether they plan to release them on Mozilla AMO or not.

While it is theoretically possible to skip the submission, it would mean that only Dev and Nightly users can install the add-on, as those are the only two channels for which signing is not mandatory.

Unsigned add-ons will be blocked in Stable, Beta and ESR versions of Firefox once the feature lands with no option to override the feature in the browser's preferences or on the about:config page.

This includes all existing add-ons installed in the browser that are not signed and also all extensions with custom modifications (which according to Mozilla need to be submitted then for signing).
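Why a custom modification invalidates an existing signature, as an added example that is not from the article or from Mozilla: it assumes the JAR-style layout of signed XPI archives (per-file digests in `META-INF/manifest.mf`, the signature in `META-INF/mozilla.sf` and `META-INF/mozilla.rsa`) and checks only the digest layer, not the certificate chain the browser also verifies. The sample archives and the helper names are constructed for the illustration.

```python
import base64, hashlib, io, zipfile

# Assumed layout of a signed XPI (JAR-style signing); not taken from the article.
SIG_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}

def sha1_b64(content):
    return base64.b64encode(hashlib.sha1(content).digest()).decode()

def parse_manifest(text):
    """Return {file name: base64 SHA1 digest} from a JAR-style manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_xpi(data):
    """Check only the digest layer; the browser also verifies mozilla.sf/.rsa."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if not SIG_FILES <= names:
            return "unsigned"
        listed = parse_manifest(z.read("META-INF/manifest.mf").decode("utf-8"))
        payload = {n for n in names if not n.startswith("META-INF/")}
        if payload != set(listed):
            return "file-set-mismatch"  # a file was added or removed after signing
        for name in sorted(payload):
            if sha1_b64(z.read(name)) != listed[name]:
                return "digest-mismatch:" + name
    return "digests-match"

def build_xpi(files, manifest_for=None, signed=True):
    """Constructed sample XPI; manifest_for reuses META-INF made for other content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
        if signed:
            mf = "Manifest-Version: 1.0\n\n" + "".join(
                "Name: %s\nDigest-Algorithms: SHA1\nSHA1-Digest: %s\n\n" % (n, sha1_b64(c))
                for n, c in (manifest_for or files).items())
            z.writestr("META-INF/manifest.mf", mf)
            z.writestr("META-INF/mozilla.sf", b"placeholder, not a real signature")
            z.writestr("META-INF/mozilla.rsa", b"placeholder, not a real signature")
    return buf.getvalue()

ORIGINAL = {"install.rdf": b"<RDF/>", "bootstrap.js": b"function startup() {}"}
MODIFIED = dict(ORIGINAL, **{"bootstrap.js": b"function startup() { /* local edit */ }"})
```

`check_xpi(build_xpi(MODIFIED, manifest_for=ORIGINAL))` reports the edited file, which is why a locally modified add-on has to be submitted for signing again rather than keeping the old `META-INF` directory.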

The most recent version of add-ons currently hosted on AMO and any new version uploaded to it by developers will be signed automatically. Mozilla mentioned already that this won't be the case for old versions.

Developers who have not uploaded their extensions to AMO yet (HTTPS Everywhere is a prime example) need to do so if they want their add-ons to remain available to Stable, Beta and ESR users.

If you are running the stable version of Firefox you may have noticed that add-on signing has already begun.


When you open the add-ons manager in the browser, by loading about:addons for example, you may already see some signed add-ons listed there.

I checked Firefox Stable, Dev and Nightly but only the stable version of the browser listed the NoScript add-on as signed.

Signing has no impact currently as it is not enforced.

Pale Moon users on the other hand were affected negatively by this as crashes were caused by extensions with improperly formatted signatures or manifest files. Today's update to Pale Moon 25.3.2 fixes the issue.

The developers of the third-party browser already mentioned that they won't implement add-on signing in the browser.

Originally planned to be released in Firefox 39, add-on signing is now on track to be released with Firefox 40.

Additional information is available on Mozilla's Wiki website and the main tracking bug.


Comments

  1. Peter said on August 29, 2015 at 12:05 pm
    Reply

    I am stopping with mozilla… I had a stable mozilla running with a USB password manager but now with this signing policy I can’t use this usb key anymore. I refuse to buy other hardware just to satisfy mozilla

  2. ASIT said on April 28, 2015 at 1:39 pm
    Reply

    though it may be enough for some, power users tend to feel frustrated due to the lack of features. but seems to be really good.

  3. RodsMine said on April 28, 2015 at 2:26 am
    Reply

    Request Clarification
    “Unsigned add-ons will be blocked… This includes all existing add-ons installed in the browser that are not signed ”

    They are not going to block only installation of unsigned add-ons, but they will also prevent already installed add-ons from running if they are not signed?

    Meaning, the add-ons I installed back in 2005 which are still working fine even though they have not been supported for more than 5 years now will suddenly stop working?

    1. Martin Brinkmann said on April 28, 2015 at 6:32 am
      Reply

      That’s the plan as far as I know it.

    2. nik said on April 28, 2015 at 6:12 am
      Reply

      IIUC, they’re going to automatically sign the top versions of all compatible addons which will pass their tests. And even if they don’t, you can change the ID of an addon and submit it for signing yourself.

  4. webfork said on April 27, 2015 at 8:14 pm
    Reply

    Features and security are always in conflict. Much of the most secure software out there doesn’t do a great deal. Browsers especially are in the unenviable position of needing to have both cutting edge and secure software. I’ve never had serious issues but as a longtime Firefox user, I hope the signing process is a short stepping stone to a better experience for everyone.

  5. intelligencia said on April 27, 2015 at 1:48 pm
    Reply

    I really hope that Mozilla Firefox’ days are NOT numbered!!!
    (I have Strong Feelings about the health of Firefox)

    I don’t understand all the technical jargon of what goes on behind the scenes to keep this Wonderful browser afloat . . . BUT at least I know one thing: FIREFOX is the Only Internet Portal that WORKS FOR ME!!!

    i

  6. Ñ said on April 27, 2015 at 10:38 am
    Reply

    Huh? But tell me, which browser? Opera? Those guys are the Nordic counterpart of these “wise” men, so don’t expect too much from them (they didn’t listen to their base core users and dropped Presto in favor of WebKit, creating a #%&! “new browser”). I.E.? Gotta be kidding here, the old fat donkey has lost some weight but still it is not a match for Chrome or Firefox, too many security holes and overall a very boring experience; though it may be enough for some, power users tend to feel frustrated due to the lack of features. So nope, it isn’t a choice. Safari? Same as I.E. but cooler XD. Maxthon? Mmm well, the Chinese don’t trust us, so I don’t trust them either. Now let me guess, “Chrome is the obvious choice” you might think, but let me ask you something: wasn’t Chrome itself the reason why you are USING Firefox???? So as you might have already noticed, I am a bit skeptical about real alternatives. Firefox used to be very good, a RAM hog, but at least they cared about our opinion, but those days are long gone and I’m sick of the “we know better” attitude towards users, so I understand how you feel right now, but there is nothing we can do but use tons and tons of add-ons to make Firefox cool again. Sadly, Firefox is bound to destroy itself by becoming Netscape v2 and I fear the day I would be the only Firefox user is not that far….

  7. frankT said on April 27, 2015 at 8:46 am
    Reply

    Regardless the effect of signing requirements… signed or not, many existing extensions will be incompatible with the forthcoming multi-process version of Firefox (aka “e10S” or “electrolysis”). Sigh, I expect we’re approaching the end of the firefox era.

  8. Max said on April 27, 2015 at 8:43 am
    Reply

    Doom and gloom Firefox trolls make me sick. Always starts with “I’m a Firefox user, Computerworld says its user share is rock bottom, jump ship!”. Disingenuously combine mobile, desktop, puts Firefox in bad light.

    Before we get our knickers in a twist, adopt “wait and see” approach. Mozilla knows too well, breaking addons will cause them more trouble.

    Boneheaded signing is too restrictive, Mozilla’s loss.

  9. GiddyUpGo said on April 27, 2015 at 3:38 am
    Reply

    The brains of Firefox will not admit that Firefox will soon be no more. The shares are going down like a falling rock. Other browsers are taking shares from Firefox.
    I still use Firefox, but have been thinking that it is time to change to a different browser. To one that sometimes listens to its users and does not keep taking away extensions and options that made it the Browser to have.

  10. Maou said on April 27, 2015 at 2:35 am
    Reply

    Way to go Mozilla, keep working hard to piss off your users.

  11. imu said on April 27, 2015 at 2:03 am
    Reply

    This php script is checking your IP, the Remote Port, your Browser and your Referrer.
    It is a good way to check your IP fast and see for example if a proxy you setup is
    working fine or spilling your IP.

    setup = noun
    set up = verb
    cheers ;)

  12. insanelyapple said on April 27, 2015 at 1:08 am
    Reply

    I never had security or privacy related problems with extensions in Mozilla products. I had only problems with devs’ shitty decisions about browser UI.

  13. firefoxlover said on April 27, 2015 at 12:59 am
    Reply

    Karl, indeed. I was smitten with Firefox since Nov 2004. Now, not so much and use Pale Moon browser mostly.

    BTW, Pale Moon didn’t crash when updating extensions, it showed the same stupid error message as Fx. So Moonchild came up with an update for PM fast! I tried Chrome years ago and found it horribly restrictive. When I uninstalled Chrome, it left hundreds of keys behind which I had to remove one by one. Fx is on its way to become a second hand Chrome.

    1. interstellar said on April 27, 2015 at 11:14 pm
      Reply

      Updated to Pale Moon 25.3.2.

      All my 50+ FF addons
      running just fine in the Pale Moon browser.

      – Pale Moon 25.3.2 and FF 37.0.2
      – Ubuntu Linux 12.04 (32-bit)
      – Samsung Tablet Galaxy Tab3 / Android 4.2.2

    2. MartinPC said on April 27, 2015 at 6:32 pm
      Reply

      @firefoxlover:

      “BTW, Pale Moon didn’t crash when updating extensions….”

      I wonder if it didn’t depend on when you tried.

      When Mozilla started serving signed extensions from “AMO” (addons.mozilla.org), around maybe 48 hours ago, its signature process apparently corrupted the extensions. In my Firefox (the latest stable release), attempting to update/install extensions would yield errors and installation would fail. In my Pale Moon (the latest stable x64 release), attempting to update/install extensions would crash Pale Moon each and every time the attempt was made.

      Within maybe 12 hours, I believe Pale Moon’s developers stopped forwarding extension update requests from Pale Moon’s addons site to AMO, as an emergency measure. Attempting to update extensions hosted at AMO simply returned a “no updates available” message (whether updates were available at AMO or not).

      Within maybe 24 hours, Mozilla apparently fixed their signing process, and updating/installing extensions started working again in Firefox.

      Within maybe 36 hours, Pale Moon released and pushed a Pale Moon update that would supposedly no longer crash when users or the browser attempted to install extensions corrupted by Mozilla’s initial extension-signing routine. I can’t personally vouch that that is the case, since I don’t have any corrupted extensions on hand to try it out with, but compatible AMO-hosted extensions signed with Mozilla’s new, non-corrupting signing routine do install just fine.

      Anyway, that’s the best I can figure out what happened. Pale Moon’s developers explain most of it in more detail here:

      Pale Moon forum • View topic – Warning: signed add-ons crash Pale Moon
      https://forum.palemoon.org/viewtopic.php?f=1&t=8047

      By the way, hats off to the Pale Moon team for their rapid and effective response to a crisis that was not of their making.

  14. Karl said on April 26, 2015 at 11:13 pm
    Reply

    Mozilla, in all my years using Firefox, I haven’t needed this kind of protection. Seems Mozilla just regulates more and more. One of these days, they’re going to push me too far, and I’ll end up using Chrome.

    1. john_rik said on April 27, 2015 at 4:24 pm
      Reply

      Ha ha. You know that Chrome extensions are more vulnerable than Firefox addons? Plus all your browsing data will be in Google’s hands if you use Chrome, ready to be analysed by the NSA. I trust an open source browser more than your Chrome. Good luck.

    2. Karl said on April 27, 2015 at 1:26 am
      Reply

      Instead of “regulate”, I should’ve said “dummies down” their browser more and more.

  15. pschroeter said on April 26, 2015 at 8:38 pm
    Reply

    Firefox development stories just give me ulcers anymore. I use Firefox mainly for the extensions and I’m waiting for the update that permanently breaks everything or I can’t work around the changes.

  16. Nebulus said on April 26, 2015 at 8:34 pm
    Reply

    So the day when I will have to modify Mozilla’s source code and recompile it in order to disable such idiotic “features” draws near… Oh well…

    1. David said on April 26, 2015 at 10:42 pm
      Reply

      Please can you upload instructions when you do? :-)

  17. abcdef said on April 26, 2015 at 8:25 pm
    Reply

    1 – “only Dev and Nightly users can install the add-on as those are the two only channels for which signing is not mandatory”

    Also the unbranded builds

    2 – “HTTPS Everywhere”

    It was reposted and is awaiting review

    https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

    1. Martin Brinkmann said on April 26, 2015 at 8:56 pm
      Reply

      Ah yes, unbranded builds. Any news on those?

      1. abcdef said on April 26, 2015 at 9:35 pm
        Reply

        The info available so far is that they will be provided

        And as per the mailing list, more info to come soon

  18. CHEF-KOCH said on April 26, 2015 at 8:18 pm
    Reply

    I think that doesn’t stop malware, I already saw that the addons (which in fact are only a .zip with another extension name, .xpi) can easily be manipulated, just copy the cert and the keys into the infected apk and Mozilla sees this as “legit”. I already reported this, this also affects F-Droid under Android, since there is no hidden server side check if the addon is already installed.
