Add-on signing in Firefox

Revision Information
  • Revision id: 112283
  • Created:
  • Creator: AliceWyman
  • Comment: suggested visiting AMO for signed add-on version
  • Reviewed: Yes
  • Reviewed:
  • Reviewed by: ideato
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: Yes
  • Readied for localization:
  • Readied for localization by: ideato
Revision Source
Revision Content

Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons add unwanted toolbars or buttons, change your search settings or inject ads or malware into your device. This article explains how add-on signing makes it harder for malware to be installed by default.

What is add-on signing?

Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.

Add-on signing targets only malware and browser hijacking. It does not control or censor the content that you choose to see.

Developers: To learn more about add-on signing guidelines, see Signing and distributing your add-on and Review Policies at Mozilla Developer Network.

What can I do if Firefox disables an installed, unsigned add-on?

If an installed add-on is disabled because it hasn't been signed, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed. Another option is to visit addons.mozilla.org to see if there's a signed version of the add-on you can install.

Override add-on signing (advanced users): You can temporarily override this setting by changing the xpinstall.signatures.required preference to false in the Firefox Configuration Editor (about:config page). Support is not available for any changes made with the Configuration Editor so please do this at your own risk.

How does add-on signing protect me?

Firefox protects you against malware and browser hijackers by making it harder for them to install their add-ons on your browser.

Firefox protects you against malware and browser hijackers by warning you about third-party add-ons that are not digitally signed by Mozilla.

To use this new feature, please update to the latest version of Firefox

Newer versions of Firefox add protection against malware and browser hijackers by warning you about and (starting in Firefox 43) blocking third-party add-ons that are not verified and digitally signed by Mozilla.

While Firefox currently has a blocklist system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow Mozilla Developer guidelines and ensure that their add-ons are safe to install. Firefox warns you when an add-on did not complete the signing process. For now you can still install the unverified add-on at your own risk, but starting with Firefox 43, such add-ons will get deactivated as well.

Install add-ons only from developers you trust. Unverified add-ons may contain malware or hijackers that can alter your settings and steal your information.

What types of add-ons need to be signed?

Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.

Where would I encounter unsigned add-ons?

Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed.

When you install an add-on through another website, Firefox checks to make sure that the add-on has been digitally signed before you can install it.