Add-on signing in Firefox
Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox will now verify that the add-ons you install have been digitally signed by Mozilla. This article explains the add-on signing feature and how it works.
What is add-on signing?
Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.
While Firefox currently has a blocklist system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow Mozilla Developer guidelines. Add-on signing in Firefox helps protect against browser hijackers and other malware by making it harder for them to be installed. Firefox will warn you about third-party add-ons that are not digitally signed by Mozilla. For now you can still install the unverified add-on at your own risk.
In Firefox version 43 and above, Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.
What types of add-ons need to be signed?
Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.
Where would I encounter unsigned add-ons?
Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.
What can I do if Firefox disables an installed add-on?
If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on could not be verified for use in Firefox and has been disabled. You can remove the add-on from Firefox and then reinstall a signed version from the Mozilla Add-ons site if one is available.
If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed.
Override add-on signing (advanced users)
You can override the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). Support is not available for any changes made with the Configuration Editor, so please do this at your own risk. Starting with Firefox version 48, the add-on signing requirement will be enforced with no override in Release and Beta versions of Firefox. See the MozillaWiki article, Add-ons/Extension Signing, for more information.
What are my options if I want to use an unsigned add-on? (advanced users)
Firefox ESR version 45, as well as the Developer Edition and Nightly versions of Firefox, will allow you to override the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). There are also special unbranded versions of Firefox that allow this override. See the MozillaWiki article, Add-ons/Extension Signing, for more information.
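For administrators who want to know where the override described in the two sections above has been set, the following added example (not part of the original article and not Mozilla code) scans Firefox profile directories for xpinstall.signatures.required set to false. It relies on Firefox saving about:config changes as user_pref lines in the profile's prefs.js and applying an optional user.js on top at startup; the function names and the sample profiles are constructed for illustration.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def read_pref(path, name=PREF):
    """Return the last value assigned to `name` in one prefs file, else None."""
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    value = None
    for key, val in LINE_RE.findall(text):  # '//' and '#' comment lines never match
        if key == name:
            value = val
    return value

def signing_enforced(profile_dir):
    """False only when the effective value is false; user.js overrides prefs.js."""
    vals = [read_pref(Path(profile_dir) / f) for f in ("prefs.js", "user.js")]
    vals = [v for v in vals if v is not None]
    return not vals or vals[-1] != "false"

def audit(profiles_root):
    """Names of profile directories that switch the signing requirement off."""
    return sorted(p.name for p in Path(profiles_root).iterdir()
                  if p.is_dir() and not signing_enforced(p))

def build_sample(root):
    """Write constructed sample profiles (made-up names, not real data)."""
    off = f'user_pref("{PREF}", false);\n'
    samples = {
        "a.default": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "b.override": {"prefs.js": "// Mozilla User Preferences\n" + off},
        "c.userjs": {"prefs.js": f'user_pref("{PREF}", true);\n', "user.js": off},
        "d.commented": {"prefs.js": "// " + off + "/*\n" + off + "*/\n"},
    }
    for name, files in samples.items():
        (Path(root) / name).mkdir(parents=True)
        for fname, body in files.items():
            (Path(root) / name / fname).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Point audit() at the directory that holds a user's Firefox profiles. A hit only reports the stored setting: as the article states, Release and Beta versions from Firefox 48 on enforce signing with no override, so the finding matters for ESR 45, Developer Edition, Nightly and unbranded builds.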