Compare Revisions
Add-on signing in Firefox
Revision 115387:
Revision 115387 by AliceWyman on
Revision 121552:
Revision 121552 by AliceWyman on
Keywords:
Search results summary:
Learn about add-on signing and what to do if an extension you want to use could not be verified for use in Firefox.
Learn about add-on signing and what to do if an extension you want to use could not be verified for use in Firefox.
Content:
{note}'''Firefox ESR users:''' Add-on signing will be available on ESR version 45.{/note}
Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox will now verify that the add-ons you install have been digitally signed by Mozilla. This article explains the ''add-on signing'' feature and how it works.
{for not fx40}
{warning}To use this new feature, please [[Update Firefox to the latest version | update to the latest version of Firefox]].{/warning}
{/for}
__TOC__
=What is add-on signing?=
Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.
{note}'''Developers:''' To learn more about add-on signing guidelines, see [https://developer.mozilla.org/en-US/Add-ons/Distribution Signing and distributing your add-on] and [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews Review Policies] at Mozilla Developer Network.{/note}
While Firefox currently has a [[Add-ons that cause stability or security issues are put on a blocklist |blocklist]] system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews Mozilla Developer guidelines]. Add-on signing in Firefox helps protect against browser hijackers and other [https://wikipedia.org/wiki/Malware malware] by making it harder for them to be installed. {for =fx40,=fx41,=fx42}Firefox will warn you about third-party add-ons that are not digitally signed by Mozilla. For now you can still install the unverified add-on at your own risk.{/for}
In Firefox version 43 and above, Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.
=What types of add-ons need to be signed?=
[[Find and install add-ons to add features to Firefox#w_what-types-of-add-ons-can-i-install|Extensions]] (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.
=Where would I encounter unsigned add-ons?=
Add-ons installed through the [https://addons.mozilla.org/firefox/ official Firefox Add-ons site] go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.
{for not fx43}
{warning}Install add-ons only from developers you trust. Unverified add-ons may contain malware or hijackers that can alter your settings and steal your information.{/warning}
{/for}
{for fx43}
=What can I do if Firefox disables an installed add-on?=
If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on ''could not be verified for use in Firefox and has been disabled''. You can [[Disable or remove Add-ons#w_how-to-remove-extensions-and-themes|remove the add-on]] from Firefox and then reinstall a signed version from the [https://addons.mozilla.org/ Mozilla Add-ons site] if one is available.
If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to [https://developer.mozilla.org/en-US/Add-ons/Distribution get their add-on signed].
{for =fx43,=fx44,=fx45}
==Override add-on signing (advanced users)==
You can temporarily override the setting to enforce the add-on signing requirement by changing the preference {pref xpinstall.signatures.required} to '''false''' in the [[Configuration Editor for Firefox|Firefox Configuration Editor]] (''about:config'' page). Support is not available for any changes made with the Configuration Editor so please do this at your own risk. Signing will be mandatory with no override, in Firefox 46 beta and release versions. For details, see [https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/ this Mozilla blog]. {/for}
{/for}
{note}'''Firefox ESR users:''' Add-on signing will be available on ESR version 45.{/note}
Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons can add unwanted toolbars or buttons, change your search settings or inject ads into your computer. Firefox will now verify that the add-ons you install have been digitally signed by Mozilla. This article explains the ''add-on signing'' feature and how it works.
{for not fx40}
{warning}To use this new feature, please [[Update Firefox to the latest version | update to the latest version of Firefox]].{/warning}
{/for}
__TOC__
=What is add-on signing?=
Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.
{note}'''Developers:''' To learn more about add-on signing guidelines, see [https://developer.mozilla.org/en-US/Add-ons/Distribution Signing and distributing your add-on] and [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews Review Policies] at Mozilla Developer Network.{/note}
While Firefox currently has a [[Add-ons that cause stability or security issues are put on a blocklist |blocklist]] system, it is increasingly difficult to track and block the growing number of malicious add-ons. The new add-on signing process requires developers to follow [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews Mozilla Developer guidelines]. Add-on signing in Firefox helps protect against browser hijackers and other [https://wikipedia.org/wiki/Malware malware] by making it harder for them to be installed. {for =fx40,=fx41,=fx42}Firefox will warn you about third-party add-ons that are not digitally signed by Mozilla. For now you can still install the unverified add-on at your own risk.{/for}
In Firefox version 43 and above, Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed.
=What types of add-ons need to be signed?=
[[Find and install add-ons to add features to Firefox#w_what-types-of-add-ons-can-i-install|Extensions]] (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.
=Where would I encounter unsigned add-ons?=
Add-ons installed through the [https://addons.mozilla.org/firefox/ official Firefox Add-ons site] go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.
{for not fx43}
{warning}Install add-ons only from developers you trust. Unverified add-ons may contain malware or hijackers that can alter your settings and steal your information.{/warning}
{/for}
{for fx43}
=What can I do if Firefox disables an installed add-on?=
If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on ''could not be verified for use in Firefox and has been disabled''. You can [[Disable or remove Add-ons#w_how-to-remove-extensions-and-themes|remove the add-on]] from Firefox and then reinstall a signed version from the [https://addons.mozilla.org/ Mozilla Add-ons site] if one is available.
If a signed version is not available, contact the add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to [https://developer.mozilla.org/en-US/Add-ons/Distribution get their add-on signed].
{for =fx43,=fx44,=fx45,=fx46}
==Override add-on signing (advanced users)==
You can temporarily override the setting to enforce the add-on signing requirement by changing the preference {pref xpinstall.signatures.required} to '''false''' in the [[Configuration Editor for Firefox|Firefox Configuration Editor]] (''about:config'' page). Support is not available for any changes made with the Configuration Editor so please do this at your own risk. Signing will be mandatory with no override, in Firefox 47 beta and release versions. For details, see [https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/ this Mozilla blog]. {/for}
{/for}