Add-on signing in Firefox
Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox now verifies that the add-ons you install have been digitally signed by Mozilla. This article explains the add-on signing feature and how it works.
What is add-on signing?
Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org have to go through this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.
While Firefox currently has a blocklist system, it is becoming difficult to track and block the growing number of malicious or unverified add-ons. The add-on signing process requires developers to follow Mozilla Developer guidelines. Add-on signing in Firefox helps protect against browser hijackers and other malware by making it harder for them to be installed.
Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.
What types of add-ons need to be signed?
Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.
Where would I encounter unsigned add-ons?
Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.
What can I do if Firefox disables an installed add-on?
If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on could not be verified for use in Firefox and has been disabled. You can remove the add-on from Firefox and then reinstall a signed version from the Mozilla Add-ons site if one is available.
If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed.
What are my options if I want to use an unsigned add-on? (advanced users)
Firefox Extended Support Release (ESR), Firefox Developer Edition and Nightly versions of Firefox allow you to override the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). There are also special unbranded versions of Firefox that allow this override. See the MozillaWiki article Add-ons/Extension Signing for more information.
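For administrators who need to find profiles where this override has been set, the following check reads a profile's prefs.js and user.js and reports whether xpinstall.signatures.required is false. It is an added example, not Mozilla's code: the function names and sample file contents are constructed for illustration, and a missing entry is assumed to mean the default (enforced).

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# A preference line looks like: user_pref("name", value);
# Anchoring at line start skips lines commented out with //.
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw value}; a later line for the same name wins."""
    prefs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def signing_enforced(prefs_js="", user_js=""):
    """False only when the effective value of PREF is false.

    user.js is applied on top of prefs.js at startup, so it takes
    precedence. Assumption: a missing entry means the default (enforced).
    """
    effective = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    return effective.get(PREF, "true").lower() != "false"

def audit_profiles(root):
    """Map each profile directory name under root to its enforcement state."""
    results = {}
    for prefs_file in sorted(Path(root).rglob("prefs.js")):
        profile = prefs_file.parent
        user_file = profile / "user.js"
        user_js = user_file.read_text(errors="replace") if user_file.exists() else ""
        results[profile.name] = signing_enforced(
            prefs_file.read_text(errors="replace"), user_js)
    return results

# Constructed sample file contents (not taken from a real profile).
SAMPLE_DEFAULT = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_OVERRIDDEN = SAMPLE_DEFAULT + 'user_pref("xpinstall.signatures.required", false);\n'
SAMPLE_COMMENTED = '// user_pref("xpinstall.signatures.required", false);\n'

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT),
                       ("overridden", SAMPLE_OVERRIDDEN),
                       ("commented", SAMPLE_COMMENTED)]:
        print(name, "enforced" if signing_enforced(text) else "NOT enforced")
```

A result of "NOT enforced" matters only on the Firefox versions listed above that allow the override.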