Here are your options for running unsigned add-ons in Firefox

Martin Brinkmann
Oct 4, 2015
Updated • Oct 4, 2015
Firefox

Your favorite Firefox add-on just stopped working in the browser or refuses to install? If that happens to you it could be because of a new policy over at Mozilla that requires add-ons to be signed before they can be installed or activated in the Firefox web browser.

The policy is not live yet -- Mozilla postponed the enforcement part to Firefox 44 which will come out on January 26, 2016 according to the official Firefox release schedule.

Right now, you may receive warnings that unsigned add-ons are running, and once Firefox 43 is released, you may experience the blocking for the first time.

Mozilla plans to ship Firefox 43 with an override but will remove it again when the browser hits version 44.

Once Firefox 44 has been released, Firefox will only accept signed add-ons on the stable and beta channels.

Error messages

Firefox displays the following error messages in regards to unsigned add-ons.

When you try to install an add-on that is not signed and add-on signing is enforced:

Firefox has prevented this site from installing an unverified add-on.

When you install an unsigned add-on when add-on signing is not enforced:

Caution: This site would like to install an unverified add-on in Firefox. Proceed at your own risk.

When you have an unsigned add-on installed in Firefox and check the add-on manager:

"Add-on name" could not be verified for use in Firefox. Proceed with caution.

When add-on signing is enforced and there is an unsigned add-on installed in Firefox:

"Add-on name" will be disabled after you restart Firefox.

When you start Firefox with add-on signing enforced and an unsigned add-on installed:

"Add-on name" could not be verified for use in Firefox and has been disabled.

Your options

There are options, however, that may work for you. Let's take a closer look at all of them:

  1. Don't upgrade Firefox Stable or Beta so that these browsers never hit version 44. This works, obviously, but is not recommended as you will miss out on security and stability fixes that Mozilla releases regularly.
  2. Use Firefox ESR instead. Mozilla plans to keep the override in Firefox ESR so that you can override the add-on signing requirement in Firefox ESR and use it instead of Firefox Stable. Note that Mozilla may change this in the future.
  3. Use Firefox Developer Edition or Nightly. These test versions of Firefox support the override switch so that you can install unsigned add-ons in them once you make the configuration change. Note that these may not be as stable as Beta or Final versions of Firefox.
  4. Mozilla announced that it will release unbranded versions of Firefox. It is unclear right now when these will be released and how well they will be supported. The main idea here is to give add-on developers access to Stable and Beta versions of Firefox so that they can test their add-ons without having to go through the signing process each time they make a change during development. Unbranded editions will only be available in the en-US locale.
  5. Switch to a Firefox fork or spin-off. Developers of SeaMonkey, Pale Moon, Thunderbird and other programs based on Firefox code have either said outright that they won't support add-on signing at all, won't enforce it or will keep the override switch available. This may, of course, change in the future.

The override switch

We have talked about this before but since it is important to have all information at hand from a single resource, I'd like to guide you through enabling the override again here on this page.

  1. Type about:config in the Firefox address bar and hit enter.
  2. Confirm that you will be careful if a warning page is displayed.
  3. Use the search at the top to find xpinstall.signatures.required.
  4. Double-click on the preference to toggle its value so that it is set to false.

Doing so allows you to install unsigned extensions in the Firefox web browser. Please note that the override will be removed in Firefox 44 Stable and Beta.
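If you look after more than one Firefox install, it helps to know which profiles have the switch flipped: changes made in about:config are saved to prefs.js in the profile folder, and a user.js file in the same folder overrides it on every start. The following is an added example, not part of the original article, that reads both files and reports the state of the preference; the sample file contents are constructed.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches lines such as: user_pref("xpinstall.signatures.required", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(text, name=PREF):
    """Return the last value set for `name` in a prefs.js/user.js body, else None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = {"true": True, "false": False}.get(m.group(2), m.group(2))
    return value


def override_state(prefs_js, user_js=""):
    """True/False if the profile sets the pref, None if it keeps the build default.

    user.js is applied on top of prefs.js at every start, so it wins.
    """
    from_user = read_pref(user_js)
    return from_user if from_user is not None else read_pref(prefs_js)


def audit_profile(profile_dir):
    """Read prefs.js and user.js from one profile folder (either may be absent)."""
    def body(name):
        path = Path(profile_dir) / name
        if not path.is_file():
            return ""
        return path.read_text(encoding="utf-8", errors="replace")
    return override_state(body("prefs.js"), body("user.js"))


# Constructed sample file contents, not taken from a real profile.
TOGGLED = ('user_pref("browser.startup.page", 3);\n'
           'user_pref("xpinstall.signatures.required", false);\n')
UNTOUCHED = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
PINNED = 'user_pref("xpinstall.signatures.required", true);\n'

if __name__ == "__main__":
    print("toggled in about:config:", override_state(TOGGLED))
    print("never changed:", override_state(UNTOUCHED))
    print("prefs.js false, user.js true:", override_state(TOGGLED, PINNED))
```

A result of False means the profile asks Firefox to accept unsigned add-ons; whether the browser honours that depends on the channel and version, as described above.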

Now You: Do you run unsigned add-ons? If so, what do you plan to do about it?


Comments

  1. John said on November 16, 2016 at 6:17 pm

    My Pale Moon (firefox spin-off) does not have the boolean expression xpinstall.signatures.required. If I add this to my config and set the value to false will it work? Cause damage?

  2. static said on October 12, 2016 at 8:12 am

    I need to use Microsoft .NET Framework Assistant… But hey they are driving me back to IE. Good one Firefox.

  3. Glen said on January 25, 2016 at 4:02 pm
  4. Kin said on January 13, 2016 at 4:06 pm

    It looks to me like Mozilla is trying to completely destroy the add-ons world and make it impossible for devs and users alike.

    1- Many add-ons are not working with FF 64bits
    2- Many add-ons stopped working in FF 43 due to signing requirement (and we won’t be able to test beta version when we report a bug to the dev. I just had to test a beta of lastpass to see if my bug was fixed and I had a field time trying to find the info allowing me to run it. So, thanks GHacks for this article! :) )
    3- Many add-ons are not working with e10s
    4- Many more will be broken too once webextensions goes live.

    Honestly, at which point do we simply give up on FF. To me, it is now already a completely broken browser due to the points mentioned above. I now browse more with Opera than FF, even though I’m trying everything to stay with FF (because of their privacy policy. i.e.: they are the last company to have one that protects the end user it seems)

  5. graz said on December 18, 2015 at 10:17 pm

    I bet that if they remove the option to turn this off that they would be breaching EU laws

  6. TJ said on December 18, 2015 at 8:08 pm

    FF 43.0.1 update forcibly disabled several unsigned extensions I use daily (which will never be signed because they will never be published and need no ‘approval’ from some external party), for no reason other than FF devs continuing their obstinate crusade of imposing their views and restricting choice and control over the user experience.

    I’ve been an exclusive FF user ever since the first version came out. I have idly watched FF turning from a growingly flexible platform catering to almost anything anyone could wish to do, to an increasingly tyrannical do-it-my-way-or-piss-off playground of a few. I have tolerated removal of option after option, believing that at some point and with enough user feedback, the devs would see the light again, but clearly this is not going to happen.

    This is the last drop. It’s time I go the fork route, or simply pick one of the now plentiful alternatives. Have fun playing out your private little crusade in your dwindling sandbox. You’ll soon enough get your perfect little world where there’s no one left that wants to use your browser any different than you.

    1. gf said on December 23, 2015 at 8:36 am

      Totally agree. Same here.

    2. Reiner Block said on December 22, 2015 at 8:29 am

      Agree!

      Starting with reducing the context menu so that you need add ons like menu wizard to get the whole context menu functionality is really and absolutely annoying!

      It has to be the user’s decision what elements shall be shown in the context menu.
      It has to be the user’s decision if he/she just wants to use signed add ons or not.

      What’s with those I changed myself e.g. like FEBE where I added my kind of date format because Chuck is so stubborn about the possibility to let each user define its own date format?

  7. k- said on December 18, 2015 at 12:11 am

    Firefox crashes during any attempts to change the about:config items (even in safe mode). Is there somewhere else I can change this setting?

  8. RossN said on November 4, 2015 at 7:58 pm

    Thanks, needed that xpinstall.signatures.require tweak today, after installing Firefox 43b1

  9. DonGateley said on October 5, 2015 at 10:14 pm

    I’ve been running the developer version for some time now and installing updates as they are recommended. Between numbered versions xpinstall.signatures.require seems to get set back to true but once reset to false it stays that way for all the intermediate updates. I’m at 43.0a2 with the most recent update and the experience could hardly be better in terms of performance, memory or stability with 59 add-ons, 24 plugins and typically using 6-7 windows with 75-80 tabs. With respect to flexibility and customizability it has no peer that even approaches it.

    I’m not sure what the sturm and drang relative to FF in its current state is all about. The future may be another story but it currently outperforms any other major browser by a long shot in all regards. Should that future become too onerous I’ll simply freeze at the point where it isn’t.

  10. silat said on October 5, 2015 at 7:50 am

    Tom Hawack hi.
    How did you change page zipper to v.2 manually?
    I need it :)

    1. Tom Hawack said on October 5, 2015 at 10:16 am

      I changed Page Zipper to version 2 the easy way by modifying its version number in its install.rdf file.
      Anyway, since my last comment I discovered that the version I had artificially updated to version 2 had been signed (0.6.2.1-signed) so I decided to choose that 0.6.2.1-signed which has the same content as my “version 2” (since I managed version 2 from that 0.6.2 before it had been signed to 0.6.2.1). Point here is that if I modify version 0.6.2.1-signed’s install.rdf to “version 2” the Add-ons Manager no longer considers the add-on as signed: in fact, and this had been pointed out by a previous Ghacks article, you cannot modify whatever element of a signed add-on without losing its signature validation. I guess there must be a sort of checksum included in the process. So here I am with a Page Zipper 0.6.2.1-signed for which I have to refuse its update (since I consider this version better) on every Add-ons Manager update I perform… no way around unless I simply remove that add-on even if bother/stress reasons are never valid reasons.

  11. Tom Hawack said on October 4, 2015 at 9:55 pm

    And speaking of the speed of obtaining a signature, I see several add-ons in AMO’s “sandbox” which are still not signed after months even when a previous version was signed. Examples :

    – Complete YouTube Saver : Version 5.5.1.1-signed Released July 20, 2014 BUT latest Version 5.6.32 Released July 31, 2015 STILL NOT SIGNED
    – Disable Sync : Version 1.0.1-signed Released February 18, 2014 BUT latest Version 1.3 Released September 24, 201 STILL NOT SIGNED

    If Mozilla decides to send the infantry with its add-on signature requirement they’d be well inspired to have the commissariat follow, to put it mildly. As the song puts it : “you’re in the army now so get up and fight” … at least let them get up and start moving themselves. (I’m still in the mood of a lecture on Napoleon).

    1. Pants said on October 5, 2015 at 1:38 am

      Don’t go off the name in your Add-ons manager. Once signed addons were updated, the appendage ” – signed” was dropped off. I believe that if it’s on AMO then it’s signed, that is not the problem. The problem is 1) the AMO process delays with new versions and using beta versions etc and 2) non-AMO addon versions such as RAS on github, or modified addons (I have one I edited to get it to work due to legacy issues – Extension List Dumper), or addons not even on the AMO.

      https://addons.mozilla.org/en-US/firefox/addon/complete-youtube-saver/ – current version listed is 5.6.26 (June 7th) .. under other versions is 5.6.32 (July 31st). I don’t know much about AMO, but clearly .26 is signed, .32 I would assume isn’t?

      1. Tom Hawack said on October 5, 2015 at 10:04 am

        Here I have updated both Complete YouTube Saver from 5.5.1.1-signed to version 5.6.32 in the sandbox — and — Disable Sync : Version 1.0.1-signed to version 1.3 (sandbox) and both are marked in my Add-ons Manager with the warning of unsigned add-ons. These updates have been done manually from AMO since they were (still are) in the sandbox (aka “View all versions” of the add-on).
        What I believe is that an add-on shouldn’t stay so long in its sandbox, moreover when it’s an update, moreover when it is tied with the upcoming partially-active signature requirement. You realize : Complete YouTube Saver version 5.6.32 Released July 31, 2015 still in the sandbox? More than 2 months when previous version is signed?

  12. LimboSlam said on October 4, 2015 at 8:31 pm

    I know Pale Moon won’t be signing add-ons at all for sure, SeaMonkey is an iffy.

    Though I honestly don’t get the point of signing add-ons in the first place, I mean yeah it’s an added security measure, but where is the proof of it being a rogue add-on/extension for this transaction to take place (blocking unsigned add-ons/extensions)? Just like my AV gives me the option/choice of blocking what they think is a PUP based off their signatures or cloud analytics if I let them. Shouldn’t this choice be left up to the user, on by default and leave an option to turn it on and off in the settings panel if they feel they don’t need this added security measure, or at least in the about:config. This would apply for all Firefox versions/states they’re in.

    Simple way of thinking of it:
    **Solid Facts>> Opinionated Assumption**

  13. Jeff said on October 4, 2015 at 8:12 pm

    @Martin, your subject line has a typo (you=your), and in the 2nd paragraph you have Firefox 44 stated for Jan 2015 release, should be 2016.

    Thanks for the info!

    1. Martin Brinkmann said on October 4, 2015 at 9:11 pm

      Thanks Jeff ;)

  14. Tom Hawack said on October 4, 2015 at 8:00 pm

    Thanks for the resume and the tips, Martin.

    I happen to have several unsigned add-ons here on Firefox 41.0.1 … unfortunately. Some from AMO others from external sources.

    From AMO :
    Disable Sync 1.3
    Page Zipper 0.6.2 (latest version 1.4.4.1 is signed but I prefer 0.6.2 which I’ve manually set as version 2.0 to avoid update)

    External :
    All from Codefisher dot org, some proposed there as custom toolbar buttons, 3 of those, others as custom link buttons (where I use a script rather than a link to create “bookmarklet buttons” so to say) : 4 of those. The developer is aware of the signing request in perspective and is starting to deploy some of his toolbar buttons signed on AMO (user : button_guy on AMO)

    So this is not dramatic yet bothering, and concerns what is installed without anticipating on non-signed add-ons if applicable starting FF44.
    And if that was not enough add-ons will be confronted to another filter when Electrolysis will have been deployed … [mama mia!]

    When I can’t fall asleep, fearing a browser yelling at me, I find the required calm by remembering that there is an exit with Firefox forks. Then I fall asleep and dream of … [I’m sleeping]
