Add-on signing in Firefox

Having add-on problems? Starting in Firefox version 57, only extensions built using WebExtensions APIs will work. Not sure if your add-ons are affected? See Firefox add-on technology is modernizing and these Frequently Asked Questions for details.

Add-ons that can change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox does now verify that the add-ons you install have been signed by Mozilla, digitally. This article explains the add-on signing feature and how it works.

What is add-on signing?

Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on have to go through this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.

Developers: To learn more about the add-on signing guidelines, see Signing and distributing your add-on and Review Policies at Mozilla Developer Network.

While Firefox currently has a blocklist system, it is becoming difficult to track and block the growing number of malicious, or unverified add-ons. The add-on signing process requires developers to follow Mozilla Developer guidelines. Add-on signing in Firefox helps protect against browser hijackers and other malware by making it harder for them to be installed.

Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.

What types of add-ons need to be signed?

Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.

Where would I encounter unsigned add-ons?

Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.

What can I do if Firefox disables an installed add-on?

If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on could not be verified for use in Firefox and has been disabled. You can remove the add-on from Firefox and then reinstall a signed version from the Mozilla Add-ons site if one is available.

If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed.

What are my options if I want to use an unsigned add-on? (advanced users)

Firefox Extended Support Release (ESR), Firefox Developer Edition and Nightly versions of Firefox will allow you to override the setting to enforce the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). There are also special unbranded versions of Firefox that allow this override. See the MozillaWiki article, Add-ons/Extension Signing for more information.

Was this article helpful? Please wait...

These fine people helped write this article: AliceWyman, philipp, Underpass, Tonnes, misibacsi, lizhenry, Joni, Artist, drew.ray, jdc20181, Caitlin Neiman, Zppix. You can help too - find out how.