Firefox Add-on Manager update introduces signing information
If you have installed the most recent version of Firefox Nightly, you may have noticed changes in the add-on manager that comes with every version of Firefox.
The add-on manager highlights the signing state of every add-on installed in Firefox. As you may know, Mozilla will introduce add-on signing in Firefox 42 which means that add-ons need to be submitted to Mozilla so that they can be signed by the organization.
While it is theoretically possible to keep add-ons unsigned, it will exclude Stable and Beta users of the browser from installing them once Firefox 42 Stable is released.
This leaves Nightly and Developer editions of the browser as well as so-called unbranded builds of which we don't know anything yet except for that fact.
The redesigned add-on manager highlights the verification state of add-ons. Add-ons that are not signed are highlighted in the add-on manager which -- currently -- means lots of wasted space as most add-ons will show the warning message.
It reads: [Add-on name] could not be verified for use in Nightly. Proceed with caution.
There is a more information link which links to the Addons signing page on Mozilla Wiki currently. It is likely that this is changed to a support page in the future.
The same warning is displayed when you click on an add-on's more link.
There appears to be no option to disable the warning. It is unclear if Mozilla will add an option to do so. If the organization does that, it is likely going to be added as a new parameter that you can control on the about:config page of the browser.
For now, there is no way around the notification in Firefox. Extensions like Slim Add-ons Manager display the notification as well currently. It is probably only a matter of time before add-on updates are made available that take the new notification into account.
Notifications will become less of an issue with time in most cases as most add-ons will be signed eventually. This is for instance the case for the most recent version of all add-ons currently offered on Mozilla's Web Store.
Still, some add-ons will never be signed. This is for instance the case for user-modified add-ons which is frequently used to enforce compatibility of classic add-ons abandoned by their original developer.
i’m all for verifying and signing addons, if that means less malicious addons, but if they really ban non-signed addons from stable and even beta builds, mozilla has to sign addons and updates in a timely manner – something they simply can’t provide right now.
i think, even in the stable version, a user should still have a choice in regards to signed addons and a simple about:config switch would enable advanced users to stay in control, while the average user will be safe from bad addons.
firefox’ market share rose and declined with mozilla’s liberal stance regarding addons. with more and more users switching to chrome and maybe new contenders like spartan and vivaldi, restricting the remaining hard core of firefox users from using their beloved browser as they chose will only drive away people – the last thing that our browser needs right now.
if verified and unverified remain and choice up to user then thats generally good imo
interface could be tidied … auto grouped into sections rather than the way it is presented in image
top section – Verifed safe
Lower Section – Unverified Use with caution
and a single line of intro text to describe each boxed group,
and to emphasise maybe keeping a red green button indicator similar to when check addons out of date
“and choice up to user”
No, that’s already been decided. The mozilla blog posts have been clear: release channel firefox will REFUSE to install unsigned extensions. No user choice, no preference/setting available to override the behavior.
ah I see, that is a shame… the verified / unverified made me think they had perhaps changed their mind on that. A real shame it isn’t so
I have never seen a verified addon. So the whole thing is pointless.
I am pretty happy to have the add-ons to be signed. I like addition verification and encryption.
Admittedly, I don’t use that many add-ons. I only use Lastpass and Skype Click to Call.
It’s perfectly fine that you want the add-ons to be signed. I don’t want that. So if you ask me, Mozilla should respond both to your needs and mine, by providing a choice, which unfortunately doesn’t seem to be planned.
How did you get the new theme in about:addons ?
Yes, unfortunately compiling Mozilla seems to become a necessity in the future… Of course, compiling it is easy, finding the right patch to bring it to what is should be might prove a bit harder.
Finding:
If you’re on linux, check out the indexing program called ‘Recoll’. You can have it scan-n-index a local copy of the ff codebase, then use the recoll GUI to query names/strings of interest. The git client might provide a similar instant lookup ability (checking whether it does is on my todo list).
Interesting, I didn’t know about Recoll. Thanks for the information.
Looks like i will need to compile firefox some day..
Do hope we get an about:config switch. Anything else will be the death of firefox as we love it.
Without free add-ons the browser on its own is worth little, to me at least.
I definitely don’t want to go with nightlies, last time I tried the performance was horrible.
If debug stats gathering still can’t be disabled, despite setting the config entries accordingly.
The latest Firebug is signed, and is still free. I doubt any of the other developers (at least of the most useful addons) will object to a small fee to sign their addons. At least it’ll discourage the shady developers.
Looks like I need to consider compiling my own firefox eventually …damn.
Do hope we get an about:config switch. Anything else will be the death of firefox as we love it.
Without free add-ons the browser is worth little, to me at least.
I do not want to go with nightlies, last time the performance thanks to the non-disableable telemetry gathering was horrible.
There won’t be an override for this. And you don’t have to publish the add-ons to Mozilla’s repo, you just need to use it to get the signing key. Mozilla just wants users to install legitimate add-ons instead of malware regardless of where they get them.
I wonder how many of these “facilities” will Mozilla need to implement until their browser will become indistinguishable from Chrome?
@Nebulus, this policy is even more restrictive than Chrome. Google doesn’t really review any of its adds on, if it passes the internal malware scan, and the developer cough up the small fee to get a web store developer key, Google will put it on the store. They will take it down if the addon if it violates any TOS but it is always after the fact.
With Mozilla, if you submit a new addon it takes at very least more than a month an a half, I seen addon where it hasn’t been properly reviewed for half a year and more. I dunno their priorities at all. That combined with this new policy, theoretically any new addon will just languish until someone at the Mozilla addon division get off their lazy butts to do their job.