Add-on Signing Update

Kev Needham

119 responses

In Firefox 43, we made it a default requirement for add-ons to be signed. This requirement can be disabled by toggling a preference that was originally scheduled to be removed in Firefox 44 for release and beta versions (this preference will continue to be available in the Nightly, Developer, and ESR Editions of Firefox for the foreseeable future).

We are delaying the removal of this preference to Firefox 46 for a couple of reasons: We’re adding a feature in Firefox 45 that allows temporarily loading unsigned restartless add-ons in release, which will allow developers of those add-ons to use Firefox for testing, and we’d like this option to be available when we remove the preference. We also want to ensure that developers have adequate time to finish the transition to signed add-ons.

The updated timeline is available on the signing wiki, and you can look up release dates for Firefox versions on the releases wiki. Signing will be mandatory in the beta and release versions of Firefox from 46 onwards, at which point unbranded builds based on beta and release will be provided for testing.

119 responses

  1. David T. Macknet wrote on :

    If we want to install them, you shouldn’t prevent us from doing so. It’s enough of a PITA to change the about:config setting, and it’s necessary for those addons that haven’t been bothered to update yet still provide lots of value (e.g. ColorDeck for Tweetdeck).

    It’s a bit high-handed to remove the option entirely. Yeah, I know, you own the software. Thing is? We don’t have to use it. If you take away this option, there are 3 other browsers installed on my machine, and guess what? See ya, FireFox.

    1. Mark Tedrow wrote on :

      I agree

  2. Cody wrote on :

    Why remove the toggle at all? It seems like something users would want.

    1. Mark Tedrow wrote on :

      I agree

  3. Oleksandr wrote on :

    > temporarily loading unsigned restartless add-ons

    what have the solution for the authors not-restartless-addons?

  4. Jody wrote on :

    This is going to result in a lot of technical users not updating their browsers. You’re making Firefox less secure by “making Firefox more secure.”

  5. Ghost of Mozilla Past wrote on :

    This is nuts. Nobody asked for this, nobody can justify it beyond Mozilla’s standard catch-all (“because this is what Google is doing”) and it’s clear it’s more trouble than was anticipated.

    Please, for the love of all that is holy, let this one drop. I’m sure there will be another bad idea to alienate developers and vast swaths of your user base soon enough.

    AMO is already fast becoming another app store-like junkyard with useless brand apps and badly-written niche trinkets. Anyone who has the kinds of ideas that made Firefox extensions the killer app they once were is long gone. You throw up Google-like roadblocks and provide Google-quality APIs, you’re going to get the same kinds of crap that already litters the Play Store. Except when people want that, why go for a knockoff?

    I know it’s probably already way too late but please, stop ruining my favorite browser.

    1. q. wrote on :

      Yeah, what he said!

      1. q. wrote on :

        It should be added that I migrated to FF from Netscape 3 or 4 at around v. 0.8, live in the browser, and am despondent and filled with frustration at the loss of productivity that is being forced on the base of serious users day by day.

        It is fine to overlay simplification for the inexperienced. But where is the rational justification for destroying what FF has always been and what drew us all to it – a framework for security and functional customization. Simplify if you must. But stop destroying the essential features that make FF the browser for which we have all evangelized and upon which we all depend!

  6. yarda wrote on :

    Bye, bye Firefox. With this big brother centralized control “feature” enforcing what I can load into my own browser, it’s no longer open browser. This is the “feature” that finally decided me to leave Firefox. It was nice years, but it’s time to go.

    1. Speitelsbach wrote on :

      What’s the next step. Paying for your addons? I would like to use my own addons and not the addons which are censorshiped by mozilla. It will be a downgrade of usability. Everybody who gives up his liberty for more security will lose both.

      A google speaker already proposed to censorship the internet for more security! Like in China. Excellent work.

      As long as you can get Firefox Sourcecode it will be possible to get inofficial Firefox-Cracks und further run your desired addons. This is not the problem, but heading into the direction of total monitoring people.

      1. Russia wrote on :

        I completely agree.

  7. Ed Gant wrote on :

    Not happy to have several add-ons and a toolbar removed. No notice…nothing ! Sorry I made a donation previously. You’ve cut your usefulness to me big-time. KEG

  8. Jan Hagge wrote on :

    Everything you did, with and after the decision to only allow assigned extension was plain wrong and a huge failure. Right now we have 120.000 active users and we wrote each of them about the mess up you did here. To be honest, you can see firefox stagnating numbers for years, so not many of our users used your it anyway. But now, even the last changed.
    I like the idea of only assigned extensions. But your queue and timing wasn’t very clever. For example 8 days ago our extension (which we added months ago) was on position 55/289 in your queue, yesterday it was 35/119 … who can explain that?

  9. Avi wrote on :

    I am afraid this update will reduce the love people give to firefox.
    I don’t know why you are taking this step, but it is clearly hurting.
    Fingers crossed.
    I am not leaving firefox but let’s see!

  10. Chiff wrote on :

    Few times ago, an “upgrade” forbidded me from loading my own https websites saying they were not secure. Today Firefox plans to forbid me from loading the extensions I want to use.
    Firefox is perhaps more secure, but it’s no more free.
    Now I know I won’t allow anymore upgrade to protect my freedom.

  11. kummik kirves wrote on :

    Lets hope Otter Browser in future is replacement to users who do not like future Firefox road(signing, becoming chrome like, forced search offerings)

  12. Carbonic wrote on :

    Today marks the 3 month day my extension has been waiting to be reviewed in your store. It was added for FF42 but since FF43 (1+month ago) my extension has been unusable unless you change your security settings and before this change FF44 would have made the addon completely unusable from the store.

    Most of my users use Chrome but I wanted to provide it for the few people who use an open non big brother alternative so I went with the hassle of navigating the messy API’s and examples and made it into a Firefox extension as well.
    I don’t know how many hundreds of addons that have passed me in the queue and the few users on Firefox I had didn’t want to spend time messing with their settings or managing a separate non Mozilla store extension while it is being reviewed but the fact is that the users have pretty much have moved on to Chrome or abandoned the extension altogether. Don’t get me wrong, I understand and applaud the whole “human review for the security of the users” aspect but it just doesn’t work when you release new security features over twice as fast as that queue – ultimately it scares away users.

    In short, if you wanted to drive away a developer trying to create a Firefox extension you did a good job 🙁

  13. babaq wrote on :

    Well, Firefox (at least for me) was a sort of Lego, where I was able to make addons (quite sophisticated and specific for my envirnonment)vto automate my workflow. You made it incompatible with old JS libraries (Google Closure, for example) that are necessary for some arcane dev tools (ClojureScript, for example), and some of my addons are not working now (I need to use older versions of Firefox). Now you intend to take off the ability to run their own addons from users. Please think, aren’t you removing from the browser the very thing which makes it Firefox?

  14. Andrew wrote on :

    Well, at least we can take 44 and 45 before turning off updates forever…

  15. Zak wrote on :

    The only reason I use firefox is the pentadactyl extension (http://5digits.org/pentadactyl/)
    I agree that defaulting to signed extensions is very desirable, but removing the ability to disable any functionality reduces the amount of choice that the user has.

  16. Philip wrote on :

    This is just stupid. There’s no need to be overprotective, simply displaying a message that warns the user that the add-on hasn’t been signed by Mozilla is enough. I hope you change your mind regarding this because if you implement this feature, it’s going to kill Firefox. Those who still want to use it will stick to using older versions, which poses a far larger threat than a few malicious add-ons (and they are very few compared to the amount of legitimate ones).

  17. Chris wrote on :

    Apparently you don’t listen to your user base. We are SICK AND TIRED of being ignored by heavy-handed know-it-all ivory tower twits. Good riddance. This is the LAST post I will ever make with a Mozilla product.

  18. Hoggy wrote on :

    It’s this kind of crap that has gotten me to switch away from the Mozilla branded Fx, to both Pale Moon 64 and Cyberfox 64.. Not to mention that 64-bit versions ARE available for modern 21st century users. I’m still waiting for a 64-bit fork of Thunderbird as well………

    There are many great add-ons that have unfortunately become abandon-ware by their original authors – IN NO SMALL PART, I might add, due to the rapid release schedule.

    It’s one thing to make the signing default. It’s an entirely different matter to force advanced users to be able to override it for those abandoned add-ons.

    Enough. ENOUGH already!

  19. John wrote on :

    A totally unnecessary imposition. Does this delay signal a possible change in policy? If not, Pale Moon here I come.

  20. Dirk wrote on :

    I hope that testing frameworks like selenium can deliver working upgrades just in time… beginning with the 43 we had a lot of problems because of not accepting the dynamically loaded selenium test driver addins. we had to change a lot like special testing profile for firefox/selenium.
    yes, like some posters here told .. live in fear for the v44 and thanks got this signed add in decision is now moved to 46.

  21. Marc wrote on :

    This is a very stupid decision.
    I will use a FF fork or another browser soon.
    Also the stupid decision to remove the addon bar was incredible.
    Why should I use a Chrome clone when I could use Chrome directly.
    You destroy everything that makes FF fantastic and you wonder why
    your market share goes down?

  22. Julian wrote on :

    Do not remove this setting. you are going to remove one of the core features of firefox. listen to your users!

  23. George Howarth wrote on :

    It comes to something when even Kaspersky Security is disabled for “safety reasons”!

    1. Liz Barton wrote on :

      Yea, absolutely! Kaspersky Security disabled??? This is crazy!

    2. PGJU wrote on :

      Amen to that! Ridiculous that my Kaspersky plug-ins don’t work now. Sheesh!

  24. Markus wrote on :

    I have a few extensions installed that haven’t been updated in quite a while and seem abandoned. They’re not signed. Nonetheless, these extensions are crucial to my work, which is why I keep using them. I know exactly what they are and what they do, I know they’re not harmful in any possibly conceivable way. They’re no threat, they’re useful tools. They’re important to me.

    If Mozilla forces me to uninstall or otherwise stop using these extensions in future versions of Firefox because they’re unsigned, I will stop updating Firefox and probably in the long run stop using Firefox once alternatives pop up elsewhere. It really is as simple as that.

    There is absolutely no good reason to force this upon the users. None. One crazy development decision after another. Mozilla really seems to be hell-bent on destroying what once was a perfectly good browser. If that’s what you really want, go right ahead, because as of late, you’re truly doing great.

    Have you looked at your market share lately? Do you seriously think this is the right direction you’re going? Do you really believe this is a good time to alienate yet even more users?

  25. Cenio GR wrote on :

    WTF??? I don’t like at all this new “Firefox Paranoid” v43+ !!!

    That’s the meaning of FREE: Give users the option to enable/disable what extensions they like and want to run.

    Let them to decide about paranoid mode ON/OFF. So simple!!!!

  26. Bob wrote on :

    Let the user decide whether a specific unsigned add-on should be permitted. This should not be an all-or-nothing choice. My alternative is disabling updates or moving on to a competitive browser.

  27. DrBen wrote on :

    I must have missed it. When did Microsoft buy Mozilla/FireFox? Mozilla’s attitude has Microsoft’s fingerprints written all over it.

    My son loves Chrome but I don’t. There is a BIG audience for an old-time FireFox browser.

  28. Kevin wrote on :

    The reason most long time devoted users of Firefox have stayed with FF is because of it’s great ability to be customized by the user.

    To tamper with that core feature is a HUGE mistake. Long term users know what they are doing. Most are tech level minds. Non-techs are mostly those who just use MS’s default Internet Explorer and have no idea how to even use addons to enhance their browsing experience and feature sets.

    Tech level minds are not the kind of minds that like being controlled nor dictated to. They are free spirits, free thinkers, and relish the freedom to choose.

    Please reconsider this decision. Many developers of great FF addons are long gone but their addons still work fine and are very important to users who depend on them in their work efficiency.

  29. Eric Walker wrote on :

    Mozilla, do you see a trend in these comments? Do you find one single post saying “Yes, this is a good idea” or “Yes, we like how Mozilla is going these days”? Even one?

    It is unclear whether any amount of feedback from your rapidly dwindling customer base can have any effect on this madcap path you are following. Or do you just write off every single commenter as an ignorant ass?

  30. NG wrote on :

    We’re supposedly using Firefox because it’s open and free. Free in the sense of use using it as we please. We have enough of signed software totalitarianism from MS, Apple, Google and the likes. If you impose this on us you’re losing the main edge Firefox has.

    It really makes not sense. Have it on by default but at least let us choose what we want to do with our computers!!

  31. Merlin Graves wrote on :

    I am a long time Firefox user (12 years) and have always found your improvements to be useful until this one. You have disabled my Kaspersky antivirus and i am not geeky enough to know what to do to correct the situation. Please help. Merlin

  32. Palemoon browser to replace Firefox wrote on :

    Mozilla Foundation has announced today that the fundamental principles of openness and freedom that helped make the Firefox browser so famous in the last 15 years have both been deprecated. The Foundation all Firefox users to migrate to the Palemoon browser instead https://www.palemoon.org/

  33. Just use Palemoon browser instead wrote on :

    It seems to me that Firefox is abandoning the fundamental principles of openness and freedom that helped make it so popular in the last 15 years. If Mozilla refuses to stop extension signing and refused to back down on its plan to drop the classic extension API support later this year, users will migrate to the alternative browsers such as Palemoon

  34. kev wrote on :

    Everytime something is wrong with my firefox and I look for solution, it turns out there’s nothing wrong, it just updated to newer version and disabled that feature for whatever reason. Then I go to about:config and enable to again. Only to find it completely removed in the next version. Thanks alot.

  35. Carol reynolds wrote on :

    I love Firefox but I am sick & tired of it keeping my security from working.I will give up Firefox before my security.

  36. Porot wrote on :

    Ok, so this is a royal pain in the arse. Not sure what the actual benefits will be in Firefox’s case.

    The good news at least is that, from what I have read, it should be possible to self-sign one’s (or any one else’s) add-ons. Yes, it takes a technical time and it’ll be a waste of time, but probably easier than patching this shit out of Firefox.

    Still, it all seems a bit wankish to me.

  37. Konstantin wrote on :

    That’s ridiculous. What are the reasons that makes Firefox developers think they have rights to control which extensions user wishes to use?

    That means I cannot use my own, custom extension I write solely for private purpose. Other extensions, that are harmless but not placed to the app store by Mozilla.

    Such a policy is insane, politely saying. Warn user against installing such extensions, but leave tool to make it possible. You do not own user’s computer and have no rights to decide what’s the best security measures applied. It’s simply none of your business.

  38. Jeremy Wright wrote on :

    What is it that makes Mozilla continue to push Firefox in directions that users don’t want? It’s almost like they are intentionally trying to minimize their marketshare. More and more, it feels like a few people with big egos and bad ideas have all the power at Mozilla.

  39. Konstantin wrote on :

    You are also filtering out comments where people express their disagreement.

    So I assume the actual amount of angry comments is much more than is visible on this page. You just don’t censoring the users’ opinions if they are not satisifying you, correct?

    No problem, these opinions may be expressed on other social media.

  40. Alan wrote on :

    Mozilla is getting worse and worse. I know how to manage my browser security. I don’t need mozilla to stop me from installing I deem trust worthy.

  41. Tai-Pan wrote on :

    Mozilla betrays since years now power users and advanced users, with doing everything to absorb as much as Chrome’s market share as possible, while giving up on all their own geeks.

    Seriously disappointed.

    Luckily the times are over where Chromium based browsers have been crap only, Vivaldi, Brave, Otter, Qutebrowser, Slimjet, Centbrowser or Qupzilla… Everything better and more honest and interested in serving advanced users as compared with Mozilla.

    Shame on you guys! Why are Chrome users of so much important to you suddenly? Well, i will no longer support this madness. Enjoy your downfall! Will drop you instantly now where you are actually thinking about killing the smaller search field as it is not Chrome enough. Thank you Ghacks for making me aware of that!

    You suck!

  42. Kristian wrote on :

    First the options dialog had to be morphed into some touchscreen-friendly monstrosity, then you kill off tab groups and now this? The last few updates have been doing their level best to push this user away … ¯\_(ツ)_/¯ buh-bye!

  43. Wayne wrote on :

    My problem because kaspersky license finish and install KIS2016 by using mozilla 44 add-ons kaspersky protection can not verified recommended mozilla v 31-38, I tried using abot:config but it`s still, must I using install mozilla 38 thankyou

  44. PGJU wrote on :

    Is there not a way to pen the .rdf file for extensions and change something in them to make them still work in the future, like I was able to change the FF version number for compatibility to keep the add-ons working before?

    1. Wayne wrote on :

      Thankyou kaspersky protection 4.6.2.23.1 recommended using mozilla v 31-38 now I am using mozilla 44 it`s need downgrade, when I am trying downgrade most not help problem and risk, I think when mozilla automatic upgrade version and kaspersky finish 365 days automatic when it`s done may they have same problem

  45. Star Seer wrote on :

    As much as I love Mozilla and Firefox, this sort of behaviour is what I would expect from Apple, not a team focused on the freedom of the user. This feels like the Mozilla team is attempting to make the add-ons system into a new App Store, which simply does not work for the userbase that Mozilla has.

    I really hope the Mozilla team will start listening to these complaints.

    1. Wayne wrote on :

      Yes, I agree because why when using old mozilla version it`s add-ons compatible just click enable, but newst version mozilla, kaspersky may be need advance user not all can do that

  46. Anonymous wrote on :

    I used to be excited to try the latest version of Firefox.
    Those were nice times.
    But recently, instead of adding features to Firefox, you have been taking them out. And you haven’t really added anything in.
    It seems to have started with Australis. You changed the default complete theme, and then you took the addon-bar and the `firefox` menu out.
    Ok. I don’t use the default theme anyway. Two addons later, fixed.
    But this keeps happening. And when you sabotage your own extension system, it becomes increasingly difficult to correct the flaws (in my opinion, anyway…) in the default design, and to add new features.
    Forced addon-signing is a form of DRM (digital restrictions management). Yes; Firefox is under a license which permits people to modify the source, but even technical users do not want to be maintaining their web-browser. This will transform Firefox into something which the users do not truly control.
    If this continues, I know that I, for one will discontinue my use of Firefox.

    1. Wayne wrote on :

      Thank you but why when using google chrome-chromium no problem with extension kaspersky protection 4.6.2.23.1 it`s only check enable, yes it`s compatible and not depend by newst version

  47. MOT wrote on :

    A good way to lose more users.
    For me that means: Bye-bye Firefox, welcome Opera.

  48. 404 Freedom Not Found wrote on :

    This new behavior is broken by design. Starting with FF 43 our own add-ons aren’t working any more. We are using them inside our company. It’s a nightmare to change all “xpinstall.signatures.required” preferences in about:config. According to the Firefox Timeline, this option will also be removed within FF 46 [1].

    Why should I send our own code to Mozilla for signing, if we don’t want to publish it anyway? We are writing and using this add-ons inside the company only. Is this the new “freedom”? In Europe we call that “industrial espionage”. As far as I can see in the comments here, I’m not alone[2,3,4,5,6,7]. If Firefox wants to become Google Chrome, we are out.

    Providing code to Mozilla will break our security policy and at least European law (European Court of Justice declared in October 2015 that the Safe Harbour Decision was invalid).

    But there is an alternative, PaleMoon [8]. It’s a Firefox fork without Firefox restrictions. It’s available for Windows and Linux. On Debian based systems you can install PaleMoon very simple (as root):

    gpg –keyserver pgp.mit.edu –recv-keys 81E77EAF14E225A0
    gpg –armor –export 14E225A0 | apt-key add –
    echo ‘deb http://main.mepis-deb.org/mx/repo/ mx15 main non-free’ >> /etc/apt/sources.list.d/palemoon.list
    aptitude update
    aptitude install palemoon

    You can copy & paste your Firefox settings into the PaleMoon folder. After that and starting PaleMoon, not only our own add-ons worked again, further also the very useful “SyncPlaces”.

    Let all things flow their natural way. Goodbye Mozilla.

    [1] https://wiki.mozilla.org/Addons/Extension_Signing#Timeline
    [2] https://discourse.mozilla-community.org/t/duplicate-uuid-after-delete-add-on-no-new-submission-possible/3582
    [3] https://discourse.mozilla-community.org/t/extensions-became-disabled-because-they-couldnot-be-verified/6018/36
    [4] https://discourse.mozilla-community.org/t/mozilla-not-allowing-to-install-addon-from-sites-after-updating-to-version-43-0/6194
    [5] https://discourse.mozilla-community.org/t/new-release-43-add-ons-disabled/6229
    [6] https://discourse.mozilla-community.org/t/duplicate-uuid-found-error/6833
    [7] https://discourse.mozilla-community.org/t/not-able-to-upload-distribute-add-on-duplicate-uuid-found/2337/10
    [8] http://www.palemoon.org/

  49. Wayne wrote on :

    Thankyou very much, it`s about all search engine but every country may have security-restrict for make save and may be peace-peace-peace

  50. Mark Tedrow wrote on :

    I have been a big YouTube fan for years and and also used Mozilla for several years. I am frustrated with the control Mozilla is now casting over it’s users. I have used an add on called YouTube Center for along time, which is now outdated in Mozilla and does not work and the developer YePpHa says to use his YouTube Center Developer Build 537 available at https://github.com/YePpHa/YouTubeCenter/wiki. I have used it for along time to control all of YouTube’s functions, but now it will not even show up when playing a video because it’s not signed, whatever that means. It should still be my choice to use what I want.

    I did have it overridden so it would still work, but now it won’t in FF 44. Mozilla is playing games now.
    I am very disappointed.

More comments:1 2 3