Mozilla postpones Firefox add-on signing enforcement

Martin Brinkmann
Sep 11, 2015

Mozilla announced back in February 2015 that it had decided to introduce add-on signing to Firefox's extension system.

The idea behind the move was to eliminate the majority of malicious or invasive extensions by making add-on signatures mandatory.

Signatures are only generated for add-ons which go through a review process on Mozilla's official add-ons store before they are pushed to the store.

Since malicious extensions would not make it through that review, this should reduce a number of common issues that Firefox users face day in, day out.

Mozilla's initial plan was to start showing notifications about unsigned extensions in Firefox 40, to block unsigned extensions but provide an override in Firefox 41, and to make signed extensions mandatory in Firefox 42 by removing the override option in Firefox Stable and Beta.

Firefox Developer Edition and Nightly users can override the requirement, while Stable and Beta users cannot.

A recent discussion on Bugzilla indicates that the add-on signing enforcement has been postponed by two releases.

This means that it will become mandatory when Firefox 44 is released to the stable channel and not with the release of Firefox 42 as initially planned.

This is the new schedule as it stands currently:

  • Firefox 40 - Warnings are shown if unsigned extensions are installed.
  • Firefox 41 - Warnings continue to show up.
  • Firefox 42 - Warnings are still displayed if unsigned add-ons are run.
  • Firefox 43 - Add-ons without signatures are blocked by default, but there is an override that is available in all versions of the browser.
  • Firefox 44 - Only signed add-ons can be installed in Firefox Stable and Beta. There is no override anymore for those editions of the browser. The override remains in Firefox Developer and Nightly.

Firefox 44 is scheduled to be released on January 26, 2016.

Mozilla plans to release unbranded versions of Firefox to provide add-on developers with options to test their add-ons in Stable and Beta releases of Firefox without having to go through the review process each time they update the add-on during development.

It is unclear why Mozilla made the decision to postpone the enforcement of signed add-ons in the web browser. (via Sören Hentzschel)


Comments

  1. p3t3r said on September 19, 2015 at 8:06 am

    Okay. That’s fine for me. The average user can rely on safe versions and developers and people, who want more individual features can use developer or nightly builds.

  2. Bill said on September 13, 2015 at 4:07 am

    Why all the fuss? Just use the Aurora (developer) version and disable signing. Aurora is a pretty stable release — I have been using it on all of my machines at work and home for years without issues.

    1. animas said on September 14, 2015 at 7:53 am

      It’s not stable. Just look at the bugzilla reports

      1. DonGateley said on September 14, 2015 at 8:09 am

        I agree, looking at bugzilla reports is not stable. Using it on the other hand…

  3. marc klink said on September 12, 2015 at 6:28 pm

    If Mozilla does not want to fade into oblivion, it had better pull its head out, and get the idea that it is alienating a good many of its users. Between the signed add-ons, the Chromified extensions, the move to adopt the look and feel of Chrome, and the ads in the speed dials, it is annoying nearly all of its shrinking user base.

    Someone should get the idea that Mozilla exists by the grace of its users, and it does not hold near-complete sway over the browser market, in the way that Microsoft does in the OS market, and therefore it cannot abuse the users with impunity in the same way.

  4. Tyler said on September 12, 2015 at 5:00 am

    Addons can be signed without being hosted on the store.

    1. Martin Brinkmann said on September 12, 2015 at 7:14 am

      While true, it means that you still hand them over to Mozilla for review.

    2. DonGateley said on September 12, 2015 at 5:42 am

      How about posthumously?

  5. anonymous said on September 12, 2015 at 2:12 am

    They should just keep the override option indefinitely. Problem solved.

    1. Antonio said on September 12, 2015 at 8:22 pm

      I fully agree with you.

  6. flyli5411 said on September 12, 2015 at 12:50 am

    Already telling me Kaspersky could not be verified, proceed with caution, as addon for Browser Protection
    Kaspersky anti virus
    wtf ..Kidding
    I'll dump Firefox in a Heartbeat before letting this bunch disable Kaspersky
    Who the fk is running this clown act at Mozilla

  7. DonGateley said on September 11, 2015 at 10:47 pm

    I hope they go through and sign all the orphans on behalf of the developers they can no longer contact. Signing going forward is a good idea but they must allow apps that work to continue to work.

    1. Pants said on September 12, 2015 at 3:35 am

      all those little orphans will soon be buried due to e10s … in a pauper’s grave … in the rain

      1. DonGateley said on September 12, 2015 at 7:38 am

        Finally, someone here with a sense of humor. :-)

  8. Nebulus said on September 11, 2015 at 7:10 pm

    I hope they will give up the signing idea completely, but in any case this is a step forward.

  9. Dave said on September 11, 2015 at 5:51 pm

    The add-on signing doesn’t affect me either right now, but I oppose it anyway. I do however support the idea of add-on signing being turned on by default and only configurable via about:config.

  10. Tom Hawack said on September 11, 2015 at 4:26 pm

    Good news.
    Looks like January-February 2016 will be the crossroad of many changes.

  11. Mongolia said on September 11, 2015 at 3:56 pm

    Good news, however all this mandatory add-on signing thing will be no problem with me, I think.
    Almost all my addons, actively developing, commonly used ones.
    Btw, thanks for tip on Privacy Settings addon.
    Little, simple, nice, useful addon.

    1. Duane Moody said on September 11, 2015 at 7:47 pm

      There are users within the defense and military sector who locally deploy addons they’ve written themselves and they cannot have Mozilla vet their code. Even Chrome is apparently more flexible about this than they are.

      If the requirement were that the code be signed by a known CA but not that it go through Mozilla’s Add-on store, that would sting but still be feasible for developers unable to submit publicly. This was the model for some elevated privilege JARs in the later days of Netscape.

      1. dj said on September 15, 2015 at 3:46 am

        There’s a wiki here: https://wiki.mozilla.org/Addons/Extension_Signing
        Check out the response to “unbranded” versions or “What about private add-ons used in enterprise environments?”.

        I was looking at Random Agent Spoofer addon’s comments (I think I read about it at https://www.privatesearch.io/about). I wondered if Mozilla had enough manpower to review addons in a timely manner… This blog entry, https://blog.mozilla.org/addons/2015/09/04/turning-the-queues-around-new-forum/, talked about queue and the additional staff.

        snippet:
        ++++++++++++
        29 Apr 15. Version 0.9.5.2 has been released on github. A limited version has been submitted to the AMO reviewers and should be available soon.

        30 July 15 Version 0.9.5.2 is still in the review queue, It should not be much longer .

        The latest full featured version will always be available on github, with certain features that are not allowed on this site. I will add what features I can to the AMO version within the terms allowed by the addon policy.
        ++++++++++++

      2. michal said on September 14, 2015 at 8:54 am

        So, what will an organization like yours do? An alternative build without such restrictions? Stick to an old version? Does anyone have a clue whether Mozilla listens to what such users have to say?
