Firefox Add-on Manager update introduces signing information

Martin Brinkmann
May 2, 2015
Updated • May 2, 2015
Firefox
|
17

If you have installed the most recent version of Firefox Nightly, you may have noticed changes in the add-on manager that comes with every version of Firefox.

The add-on manager highlights the signing state of every add-on installed in Firefox. As you may know, Mozilla will introduce add-on signing in Firefox 42 which means that add-ons need to be submitted to Mozilla so that they can be signed by the organization.

While it is theoretically possible to keep add-ons unsigned, it will exclude Stable and Beta users of the browser from installing them once Firefox 42 Stable is released.

This leaves Nightly and Developer editions of the browser as well as so-called unbranded builds of which we don't know anything yet except for that fact.

The redesigned add-on manager highlights the verification state of add-ons. Add-ons that are not signed are highlighted in the add-on manager which -- currently -- means lots of wasted space as most add-ons will show the warning message.

add-on signing

It reads: [Add-on name] could not be verified for use in Nightly. Proceed with caution.

There is a more information link which links to the Addons signing page on Mozilla Wiki currently. It is likely that this is changed to a support page in the future.

The same warning is displayed when you click on an add-on's more link.

add-on verification message

There appears to be no option to disable the warning. It is unclear if Mozilla will add an option to do so. If the organization does that, it is likely going to be added as a new parameter that you can control on the about:config page of the browser.

For now, there is no way around the notification in Firefox. Extensions like Slim Add-ons Manager display the notification as well currently. It is probably only a matter of time before add-on updates are made available that take the new notification into account.

Notifications will become less of an issue with time in most cases as most add-ons will be signed eventually. This is for instance the case for the most recent version of all add-ons currently offered on Mozilla's Web Store.

Still, some add-ons will never be signed. This is for instance the case for user-modified add-ons which is frequently used to enforce compatibility of classic add-ons abandoned by their original developer.

Summary
Firefox Add-on Manager update introduces signing information
Article Name
Firefox Add-on Manager update introduces signing information
Description
Today's Firefox Nightly update introduces a redesigned add-on manager that displays extension signing information.
Author
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. fokka said on May 4, 2015 at 5:15 pm
    Reply

    i’m all for verifying and signing addons, if that means less malicious addons, but if they really ban non-signed addons from stable and even beta builds, mozilla has to sign addons and updates in a timely manner – something they simply can’t provide right now.

    i think, even in the stable version, a user should still have a choice in regards to signed addons and a simple about:config switch would enable advanced users to stay in control, while the average user will be safe from bad addons.

    firefox’ market share rose and declined with mozilla’s liberal stance regarding addons. with more and more users switching to chrome and maybe new contenders like spartan and vivaldi, restricting the remaining hard core of firefox users from using their beloved browser as they chose will only drive away people – the last thing that our browser needs right now.

  2. Uhtred said on May 3, 2015 at 11:10 pm
    Reply

    if verified and unverified remain and choice up to user then thats generally good imo

    interface could be tidied … auto grouped into sections rather than the way it is presented in image

    top section – Verifed safe

    Lower Section – Unverified Use with caution

    and a single line of intro text to describe each boxed group,
    and to emphasise maybe keeping a red green button indicator similar to when check addons out of date

    1. gh said on May 4, 2015 at 9:17 am
      Reply

      “and choice up to user”
      No, that’s already been decided. The mozilla blog posts have been clear: release channel firefox will REFUSE to install unsigned extensions. No user choice, no preference/setting available to override the behavior.

      1. Uhtred said on May 4, 2015 at 2:25 pm
        Reply

        ah I see, that is a shame… the verified / unverified made me think they had perhaps changed their mind on that. A real shame it isn’t so

  3. Dwight Stegall said on May 3, 2015 at 8:22 pm
    Reply

    I have never seen a verified addon. So the whole thing is pointless.

  4. Sundeep Basra said on May 3, 2015 at 4:20 pm
    Reply

    I am pretty happy to have the add-ons to be signed. I like addition verification and encryption.

    Admittedly, I don’t use that many add-ons. I only use Lastpass and Skype Click to Call.

    1. Nebulus said on May 4, 2015 at 12:55 pm
      Reply

      It’s perfectly fine that you want the add-ons to be signed. I don’t want that. So if you ask me, Mozilla should respond both to your needs and mine, by providing a choice, which unfortunately doesn’t seem to be planned.

  5. Niks said on May 3, 2015 at 2:51 pm
    Reply

    How did you get the new theme in about:addons ?

  6. Nebulus said on May 3, 2015 at 12:28 am
    Reply

    Yes, unfortunately compiling Mozilla seems to become a necessity in the future… Of course, compiling it is easy, finding the right patch to bring it to what is should be might prove a bit harder.

    1. gh said on May 4, 2015 at 9:13 am
      Reply

      Finding:
      If you’re on linux, check out the indexing program called ‘Recoll’. You can have it scan-n-index a local copy of the ff codebase, then use the recoll GUI to query names/strings of interest. The git client might provide a similar instant lookup ability (checking whether it does is on my todo list).

      1. Nebulus said on May 4, 2015 at 12:58 pm
        Reply

        Interesting, I didn’t know about Recoll. Thanks for the information.

  7. tester said on May 2, 2015 at 9:09 pm
    Reply

    Looks like i will need to compile firefox some day..
    Do hope we get an about:config switch. Anything else will be the death of firefox as we love it.
    Without free add-ons the browser on its own is worth little, to me at least.

    I definitely don’t want to go with nightlies, last time I tried the performance was horrible.
    If debug stats gathering still can’t be disabled, despite setting the config entries accordingly.

    1. Doc said on May 6, 2015 at 6:10 pm
      Reply

      The latest Firebug is signed, and is still free. I doubt any of the other developers (at least of the most useful addons) will object to a small fee to sign their addons. At least it’ll discourage the shady developers.

  8. kunz said on May 2, 2015 at 9:02 pm
    Reply

    Looks like I need to consider compiling my own firefox eventually …damn.

    Do hope we get an about:config switch. Anything else will be the death of firefox as we love it.
    Without free add-ons the browser is worth little, to me at least.

    I do not want to go with nightlies, last time the performance thanks to the non-disableable telemetry gathering was horrible.

    1. anon said on May 3, 2015 at 11:42 pm
      Reply

      There won’t be an override for this. And you don’t have to publish the add-ons to Mozilla’s repo, you just need to use it to get the signing key. Mozilla just wants users to install legitimate add-ons instead of malware regardless of where they get them.

  9. Nebulus said on May 2, 2015 at 8:42 pm
    Reply

    I wonder how many of these “facilities” will Mozilla need to implement until their browser will become indistinguishable from Chrome?

    1. Neal said on May 2, 2015 at 9:29 pm
      Reply

      @Nebulus, this policy is even more restrictive than Chrome. Google doesn’t really review any of its adds on, if it passes the internal malware scan, and the developer cough up the small fee to get a web store developer key, Google will put it on the store. They will take it down if the addon if it violates any TOS but it is always after the fact.

      With Mozilla, if you submit a new addon it takes at very least more than a month an a half, I seen addon where it hasn’t been properly reviewed for half a year and more. I dunno their priorities at all. That combined with this new policy, theoretically any new addon will just languish until someone at the Mozilla addon division get off their lazy butts to do their job.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.