Extending the deadline for add-on signing

After listening to your feedback, bug 1203584 was filed last week to turn off signing requirements in Firefox 41 and 42.  This extends the signing deadline to Firefox 43, which will be released around December 15, 2015.

While the new unlisted queues have maintained a quick turnaround time (thanks to the tireless efforts of Andreas Wagner, aka TheOne), many developers are telling us they simply don’t have enough time to implement the requested changes before the September 22 deadline when 42 hits the beta channel.  In addition to giving you some extra breathing room, we’re also going to use this time on our side to make some improvements to the submission experience to make it clearer what level of review is needed, which you can follow in bug 1186369.

Thanks for your patience as we roll out this new process.  Special thanks to those of you who have already gotten your extensions signed…you’re awesome.

17 responses

  1. Kohei Yoshino wrote on :

    Posted the Japanese translation: https://dev.mozilla.jp/2015/09/extending-the-deadline-for-add-on-signing/

    1. Jorge Villalobos wrote on :

      Thanks!

  2. Brian T. Nakamoto wrote on :

    Thanks for listening to your developers! 🙂

  3. Rob Stradling wrote on :

    What’s the plan for the old extension signing mechanism [1] that uses code signing certificates from commercial CAs.
    Is this being phased out entirely (and if so, which Firefox and Thunderbird versions are you targeting for the phase out)?
    Or will the old mechanism continue to be supported?

    Thanks.

    [1] https://developer.mozilla.org/en-US/docs/Signing_a_XPI

    1. Jorge Villalobos wrote on :

      The new signing system removes the existing signature, since there can only be one. For the moment this should only affect Firefox. There are no current plans to require signatures on Thunderbird.

      1. Rob Stradling wrote on :

        Jorge, thanks for clarifying that.

    2. Michael wrote on :

      Hi,

      thank you for all the information.

      Where are acutally using code signing certificats but we also have Mozilla-signed plugins since last week (with great support from Andreas!).

      Would you reccomend to use (also for FF41) the Mozilla-signed plugins – or should we use the traditional way (code signing certs from Commercial CAs) and switch later this year?

      Best regards,
      Michael

      1. Kathleen wrote on :

        In the mozilla.dev.security.policy forum we are discussing a proposal to remove the code signing trust bit.

        Proposal:
        https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/OZ2O4vfQHAAJ

        Summary of discussion so far:
        https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/wZnrnTq0CwAJ

        So I recommend moving away from using “the traditional way (code signing certs from Commercial CAs)” within the next 6 months.

      2. jue wrote on :

        like

  4. Furture wrote on :

    You will be treating privacy for safety if the following two add-ons are not going to get signed.

    https://www.google.com/settings/ads/plugin
    https://tools.google.com/dlpage/gaoptout?hl=en

  5. suskind wrote on :

    Dunno know how to report this, but statistics in addons.mozilla.org are stopped since sept 7

    1. Jorge Villalobos wrote on :

      Yeah, the bug has been reported and is currently being investigated.

  6. Fred McDonald wrote on :

    The signed requirement is not a bad idea. I have been hit twice by unknown, and hidden add-ons
    Discovered Hidden Add-on On Firefox. How To Check Yours
    https://support.mozilla.org/en-US/forums/support-forum-contributors/711335

    But what about legitimate add-ons that still work, but were abandon by their writers? Or whatever?

    Let Firefox lock out anything not signed, but leave the user an option to allow such add-ons
    on a one by one setting.

    1. ztrk6jlm wrote on :

      Already reviewed addons on AMO are automatically signed without the developers’ interaction according to Mozilla. Non-AMO addons are not, however.

  7. Anton wrote on :

    Hi Lisa,

    Thanks for an update and the (much needed!) delay.

    Do you know if there is a timeline for supporting WebExtensions addons on AMO site?

    I know WebExtensions API itself isn’t completely finished yet, but I’ve been playing with it for several days, and what is available is enough to start development.

  8. John wrote on :

    Wow, Mozilla gives developers a new “breathing room” … like the big one we already have when submitting an extension for reviewing in AMO…
    Surely Mozilla takes care of our oxygen delivery…

    No comment (in french : foutage de g…)

  9. Alex wrote on :

    What about the people that want to use private add-ons on their local machines, but do not want to run the alpha-quality developer edition or the en-US-only unbranded build?

    Or would they have to wait 10 weeks each time for big brother to bless their add-ons?