Mozilla Add-ons Community Blog
Categories: developers

Extending the deadline for add-on signing

17 responses

After listening to your feedback, bug 1203584 was filed last week to turn off signing requirements in Firefox 41 and 42.  This extends the signing deadline to Firefox 43, which will be released around December 15, 2015.

While the new unlisted queues have maintained a quick turnaround time (thanks to the tireless efforts of Andreas Wagner, aka TheOne), many developers are telling us they simply don’t have enough time to implement the requested changes before the September 22 deadline when 42 hits the beta channel.  In addition to giving you some extra breathing room, we’re also going to use this time on our side to make some improvements to the submission experience to make it clearer what level of review is needed, which you can follow in bug 1186369.

Thanks for your patience as we roll out this new process.  Special thanks to those of you who have already gotten your extensions signed…you’re awesome.

17 comments on “Extending the deadline for add-on signing”

  1. Kohei Yoshino wrote on

    Posted the Japanese translation: https://dev.mozilla.jp/2015/09/extending-the-deadline-for-add-on-signing/

    1. Jorge Villalobos wrote on

      Thanks!

  2. Brian T. Nakamoto wrote on

    Thanks for listening to your developers! 🙂

  3. Rob Stradling wrote on

    What’s the plan for the old extension signing mechanism [1] that uses code signing certificates from commercial CAs.
    Is this being phased out entirely (and if so, which Firefox and Thunderbird versions are you targeting for the phase out)?
    Or will the old mechanism continue to be supported?

    Thanks.

    [1] https://developer.mozilla.org/en-US/docs/Signing_a_XPI

    1. Jorge Villalobos wrote on

      The new signing system removes the existing signature, since there can only be one. For the moment this should only affect Firefox. There are no current plans to require signatures on Thunderbird.

      1. Rob Stradling wrote on

        Jorge, thanks for clarifying that.

    2. Michael wrote on

      Hi,

      thank you for all the information.

      Where are acutally using code signing certificats but we also have Mozilla-signed plugins since last week (with great support from Andreas!).

      Would you reccomend to use (also for FF41) the Mozilla-signed plugins – or should we use the traditional way (code signing certs from Commercial CAs) and switch later this year?

      Best regards,
      Michael

      1. Kathleen wrote on

        In the mozilla.dev.security.policy forum we are discussing a proposal to remove the code signing trust bit.

        Proposal:
        https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/OZ2O4vfQHAAJ

        Summary of discussion so far:
        https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/wZnrnTq0CwAJ

        So I recommend moving away from using “the traditional way (code signing certs from Commercial CAs)” within the next 6 months.

      2. jue wrote on

        like

  4. Furture wrote on

    You will be treating privacy for safety if the following two add-ons are not going to get signed.

    https://www.google.com/settings/ads/plugin
    https://tools.google.com/dlpage/gaoptout?hl=en

  5. suskind wrote on

    Dunno know how to report this, but statistics in addons.mozilla.org are stopped since sept 7

    1. Jorge Villalobos wrote on

      Yeah, the bug has been reported and is currently being investigated.

  6. Fred McDonald wrote on

    The signed requirement is not a bad idea. I have been hit twice by unknown, and hidden add-ons
    Discovered Hidden Add-on On Firefox. How To Check Yours
    https://support.mozilla.org/en-US/forums/support-forum-contributors/711335

    But what about legitimate add-ons that still work, but were abandon by their writers? Or whatever?

    Let Firefox lock out anything not signed, but leave the user an option to allow such add-ons
    on a one by one setting.

    1. ztrk6jlm wrote on

      Already reviewed addons on AMO are automatically signed without the developers’ interaction according to Mozilla. Non-AMO addons are not, however.

  7. Anton wrote on

    Hi Lisa,

    Thanks for an update and the (much needed!) delay.

    Do you know if there is a timeline for supporting WebExtensions addons on AMO site?

    I know WebExtensions API itself isn’t completely finished yet, but I’ve been playing with it for several days, and what is available is enough to start development.

  8. John wrote on

    Wow, Mozilla gives developers a new “breathing room” … like the big one we already have when submitting an extension for reviewing in AMO…
    Surely Mozilla takes care of our oxygen delivery…

    No comment (in french : foutage de g…)

  9. Alex wrote on

    What about the people that want to use private add-ons on their local machines, but do not want to run the alpha-quality developer edition or the en-US-only unbranded build?

    Or would they have to wait 10 weeks each time for big brother to bless their add-ons?