Add-on signing in Firefox

Firefox ESR users: Add-on signing will be available on ESR version 45.

Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox will now verify that the add-ons you install have been digitally signed by Mozilla. This article explains the add-on signing feature and how it works.

To use this new feature, please update to the latest version of Firefox.

What is add-on signing?

Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.

Developers: To learn more about add-on signing guidelines, see Signing and distributing your add-on and Review Policies at Mozilla Developer Network.

While Firefox currently has a blocklist system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow Mozilla Developer guidelines. Add-on signing in Firefox helps protect against browser hijackers and other malware by making it harder for them to be installed. Firefox will warn you about third-party add-ons that are not digitally signed by Mozilla. For now you can still install the unverified add-on at your own risk.

In Firefox version 43 and above, Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.

What types of add-ons need to be signed?

Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.

Where would I encounter unsigned add-ons?

Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.

Install add-ons only from developers you trust. Unverified add-ons may contain malware or hijackers that can alter your settings and steal your information.

What can I do if Firefox disables an installed add-on?

If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on could not be verified for use in Firefox and has been disabled. You can remove the add-on from Firefox and then reinstall a signed version from the Mozilla Add-ons site if one is available.

If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed.

Override add-on signing (advanced users)

You can override the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). Support is not available for any changes made with the Configuration Editor, so please do this at your own risk. Starting with Firefox version 48, the add-on signing requirement will be enforced with no override in Release and Beta versions of Firefox. See the MozillaWiki article Add-ons/Extension Signing for more information.

What are my options if I want to use an unsigned add-on? (advanced users)

Firefox ESR version 45, as well as the Developer Edition and Nightly versions of Firefox, will allow you to override the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). There are also special unbranded versions of Firefox that allow this override. See the MozillaWiki article Add-ons/Extension Signing for more information.
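For administrators who want to know where this override has been applied, the following is an added example (not part of the original article and not Mozilla's code) that checks a profile's preference files for xpinstall.signatures.required. It assumes the standard profile files prefs.js and user.js and their user_pref(...) line format, which this article does not describe; the sample profiles are constructed.

```python
import re

# One line of a Firefox prefs.js / user.js file looks like:
#   user_pref("xpinstall.signatures.required", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
SIGNING_PREF = "xpinstall.signatures.required"

def read_pref(text, name):
    """Return the last value set for `name` in a prefs file, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m and m.group(1) == name:
            raw = m.group(2)
            value = {"true": True, "false": False}.get(raw, raw)
    return value

def signing_enforced(prefs_js, user_js=""):
    """Effective setting for one profile, given the text of both files."""
    # user.js is applied on top of prefs.js at startup, so check it first.
    for source in (user_js, prefs_js):
        value = read_pref(source, SIGNING_PREF)
        if value is not None:
            return value is True  # anything other than a literal true is flagged
    return True  # preference unset: the default is to require signatures

# Constructed sample profiles: name -> (prefs.js text, user.js text).
SAMPLE_PROFILES = {
    "default": ('// Mozilla User Preferences\n'
                'user_pref("browser.startup.page", 3);\n', ""),
    "override-in-prefs": ('user_pref("xpinstall.signatures.required", false);\n', ""),
    "override-in-user-js": ('user_pref("xpinstall.signatures.required", true);\n',
                            'user_pref("xpinstall.signatures.required", false);\n'),
    "commented-out": ('// user_pref("xpinstall.signatures.required", false);\n', ""),
}

def audit(profiles):
    """Return the names of profiles where the signing requirement is overridden."""
    return sorted(n for n, (p, u) in profiles.items() if not signing_enforced(p, u))

if __name__ == "__main__":
    for name in audit(SAMPLE_PROFILES):
        print(f"{name}: {SIGNING_PREF} is not true (signing requirement overridden)")
```

A flagged profile only matters on builds that honor the preference; as noted above, Release and Beta versions from Firefox 48 enforce signing regardless of it.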


These fine people helped write this article: AliceWyman, philipp, underpass, Tonnes, misibacsi, lizhenry, jsavage, Artist, drew.ray, jdc20181.