How to override the Firefox Add-on Signing requirement
The following guide walks you through the steps of overriding the add-on signing enforcement in Firefox Stable and Beta. You will be able to install unsigned add-ons in Firefox versions in which this should not be possible.
Mozilla implemented the add-on signing security feature in Firefox some time ago, and made it mandatory in Firefox 48 for the Stable and Beta channel.
This means that Firefox users who run Stable or Beta versions of the browser can only install signed add-ons in the browser. Firefox Dev, Nightly and ESR users can install unsigned add-ons however after making a change in the preferences.
Add-on developers get access to unbranded Firefox builds which are stable versions of Firefox that still support the preference.
All add-ons submitted to Mozilla's main add-on repository are signed, but that is not necessarily the case for add-ons distributed through other channels.
Add-ons provided by applications, security software comes to mind, on development platforms like Github, and old add-ons that are not in development anymore, may not be signed. These add-ons cannot be installed in Firefox Stable or Beta in that case.
Update: The method does not seem to work anymore. You need to install and use Firefox ESR to disable add-on signing in the Firefox web browser (if you don't want to use Firefox Dev or Nightly builds).
All that is required in Firefox ESR is to set the preference xpinstall.signatures.required to False on about:config.
Override the Firefox Add-on Signing enforcement
The method requires that you create two new files and place them in the main Firefox installation / run folder.
Step 1: Create config.js file
- Create a config.js file first. You can do so on Windows by right-clicking on the desktop and selecting New > Text Document.
- Leave the name for the time being, and open the text document afterwards by double-clicking on it.
- Paste the following code into the document. Make sure you copy all of it, including the two // in the first line (See screenshot above).
- Save the document afterwards.
- Right-click on it, and select rename.
- Name it config.js. Make sure it is called config.js and not config.js.txt.
- Move the config.js file in the Firefox installation folder.
- On Windows, this is either C:\Program Files\Mozilla Firefox\ or C:\Program Files (x86)\Mozilla Firefox\.
- On Linux, it is /usr/lib/firefox-<version> or /usr/lib64/firefox-<version>
- On Mac, it is /Applications/Firefox.app
Please note that you are free to select any installation directory, and that you may run Firefox as a portable program as well. Adjust the program path accordingly. Make sure you place the file in the root program folder of Firefox.
Step 2:Â Create config-prefs.js
- Create a second text document on the desktop and open it afterwards in an editor.
- Paste the following lines into it:
- Rename the file to config-prefs.js.
- Move the file into the defaults\pref folder of the Firefox program folder, e.g. C:\Program Files\Mozilla Firefox\defaults\pref
Step 3: Install unsigned add-ons in Firefox Stable or Beta.
Once done, you may once again install any add-on, signed or unsigned, in Firefox Stable or Beta just like before.
What happens in the background
You are probably wondering what the few lines of code do, and whether it is save or dangerous.
Without going into too many details, here is what is happening:
The first bits of code, those added to the config.js file, load one of Firefox's configuration files and remove information from the Signed_Types constant in that file. It so happens that this constant defines the types of add-ons and extensions that need to be signed for be installed.
You may remember that some extensions, themes for instance, don't need to be signed. So, the code clears the constant from all types of add-ons so that none requires signing.
The preferences in the second file tell Firefox to load the config.js file on start.
The method removes the add-on signing enforcement in Firefox. It is rather surprising that it is this easy, considering that one of the main arguments for enforcing add-on signing is security.