It will affect all current and future add-ons that you install, until you manually change back the value of xpinstall.signatures.required to true.

The xpinstall.signatures.required pref is only supported in Firefox 43. Once Firefox 44 gets released, only signed extensions can be enabled.

• https://wiki.mozilla.org/Addons/Extension_Signing

Thanks PeaCats and cor-el  :-)

cor-el said

The xpinstall.signatures.required pref is only supported in Firefox 43. Once Firefox 44 gets released, only signed extensions can be enabled.

• https://wiki.mozilla.org/Addons/Extension_Signing

3 questions:

1 - Why? Why will it be un-overrideable? 2 - Will the pref "xpinstall.signatures.required" disappear? Or will it only have one unchangeable value? 3 - Won't that discourage people from making add-ons?

It seems like often the people who make the most useful add-ons, do it because they want some particular feature for themselves. Then they share it with the rest of the community. But it seems like introducing more and more requirements for add-ons which force the authors to spend more and more time keeping the software up to date....well, it seems like it would discourage them from sharing their add-ons with the rest of the community.

Thanks again, brynn

Hi brynn, if developers distribute their extensions through the Mozilla Add-ons site, they are signed automatically. Some developers prefer to distribute them a different way, for example, as part of paid software. They do have the new task of submitting them to Mozilla for signing to make them compatible with Firefox 43+.

Answers.

1. Release and Beta versions of Firefox will not have xpinstall.signatures.required available, so there will be no override. But an unbranded version with different logos and either no-name or a different name should be available when Fx 44 is released which has the "signing" feature disabled or not present. None of those versions have been available yet from Mozilla, so we don't know exactly how it will work.
2. As to why - too many extensions were changing prefs like the Homepage, New Tab Page, and other nefarious actions, and 'locking' their new prefs thus making it hard for users to reset the prefs to default or their own preferences. We expect that override pref will be gone and a user created pref won't work if the user would try to add it themselves. Over the years there have been a few prefs that didn't appear in about:config by default, but users could add the pref and it work works. Basically a hidden pref that users could find by reading the source code or could learn about in a support forum or web article.
3. Yes it may discourage some developers from creating extensions, but more important it will stop developers from inserting malware like preference changing & locking prefs from focking with Firefox users. Actions that Mozilla doesn't want happening. Developers creating useful extensions and not trying to take advantage of Firefox users shouldn't be dissuaded.

Overall, not really a big deal considering that the extensible nature of Firefox will change drastically late in 2016 when / if Mozilla actually removes XUL from Firefox to go with WebExtensions using a new extension API. Everything will change and all the current extensions will be gone. https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/ That may bring many new extension developers over to Firefox, but it may cause many current developers to "call it a day" and not bother with Firefox any longer. As has already happened with a couple of {full} Theme developers that I know who have already quit Firefox for SeaMonkey, many current extension developers may also switch to SeaMonkey - especially those who got in to 'it' for themselves and then decided to 'share' with all other Firefox users. And the SeaMonkey community has already stated that "signing" will never be in SeaMonkey.

PeaCats said

It will affect all current and future add-ons that you install,

Extensions and Language packs to be accurate and not Plugins and Themes (complete and image) and dictionaries. Addons does not refer to Extensions only.

Oh wow! Thanks for the info ed-meister  :-)

I read the first part of that article, but it quickly became too technical for me. When you say "all the current extensions will be gone" what do you mean exactly?

Do you mean they will be replaced by new ones made with the new Web Extensions thing? Or do you mean that there will no longer be a system where there's a basic browser which can be customized with plug-ins and extensions? If it's the 2nd, will it be like IE is (well-used to be, I haven't used since I switched to Ff 3 or 4 years ago), with bazillions of options everywhere you turn?

And now today, since I applied the override, there are some more changes in my Add-On Manager. 1 of those which were disabled is showing that there's an update for it. (I assume it will be a signed version.)

Of the other 2, 1 was enabled after I applied the override. But the 3rd is still disabled. (Blur, which originally was DoNotTrackMe) It does show the Enable button, so I could enable it. But is that some kind of clue? Does Ff have some kind of idea that it's too dangerous to enable? (I use the free version, and still just use to stop the tracking part - not for all those other things.)

And 1 more question -- Today I have yet another upgrade of Ff that wants to be installed.

Tbh, after this last upgrade, with the 3 add-ons disabled, it was pretty much the last straw for me, with applying upgrades as soon as they come. I used to routinely wait a month or so to apply upgrades, to allow time for all the kinds and bugs to get worked out -- so I wouldn't be one of the guinea pigs. When security got to be such an urgent issue several years ago, I started applying them right away. But this really was the last time for me. Now I'll go back to waiting for all the bugs to get worked out.

Anyway, as long as I have a topic open already, what's this new upgrade for? I read the extra info, and it sounds like more "signing requirements". Maybe I'll just wait, so the developers of whatever has to be signed NOW, can catch up.

Thanks again  :-)

When you say "all the current extensions will be gone" what do you mean exactly?

Every extension ever made for Firefox over the last 13 years won't work with Firefox II (or New Firefox) (think New Coke or Coke II) ; every extension will need to be re-written from scratch to work in Firefox II and the vast majority won't work anywhere the same as they work now. Just as 'extensions' or add-ons made for Chrome or Opera won't work in Firefox, the non-XUL based version of the upcoming "new" Firefox will require a completely new type of 'extension' - the current XUL based extension code won't work. And the new API's will greatly limit what extension developers can and can't do.

And a few long time Firefox extension developers whose extensions [that I am using now] work just fine currently [who haven't written a new extension for many years] have already stated that they don't plan to support the new add-on infrastructure - i.e.; waste their time re-writing their existing extensions for Firefox II.

You have to keep in mind that many extension developers start when they are in uni / college, maybe as part of their curricula, and once they get into the 'real world' other things usually become a higher priority in their life. Then they stop writing new extensions and only do minor compatibility updates to what they already contributed the the world-wide Mozilla "community". And it's not like asking for contributions for an extension provides even a part-time renumeration for their time - I have done email with one (soon to be former) extension developer who only asked for "beer money" and for his efforts he didn't even get enough for the first beer per coding session.

As far as another browser that will be like Firefox or have the extensibility of the past and current Firefox goes, look to SeaMonkey or PaleMoon right now. And I wouldn't be surprised if another 2 or 3 Gecko based browsers are already in the initial stages of start-up right now as a result of The Future of Developing Firefox Add-ons blog. I would run out of fingers and have to take off my shoes & socks to count the number of 3rd party "Firefox" browsers I have seen and tried-out over the last 13 years; SM and PM are the only ones around now that still have ongoing, active development,

A "chem-spill" Firefox 43.0.1 version was released yesterday to fix a to meet a new Microsoft signing requirement - security related. https://www.mozilla.org/en-US/firefox/43.0.1/releasenotes/

As far as "signing" issues with Firefox 43.0.1 - why just use the available pref - xpinstall.signatures.required - and get some relief for at least the next 5 1/2 weeks until you have no choice - for real - with Firefox 44. Or switch to the ESR version and get "relief" until ESR goes EOL in June 2016. But keep in mind that some extensions may not work in the ESR version; some extension developers have already done a minVersion above Fx 38 to like FX 40 or 41.

Well that sounds dreadful!

But the Firefox community must see some benefits for making these drastic changes, right? There must be both some benefit for this, as well as some efforts to prevent losing users, as a result of this change?

(Hhmm....perhaps this explains the uptick in SeaMonkey visits to my forums?)

Well, I always wait until the discussion for my original question to wind down, before I mark the solution, etc. So I think my original question has been answered.

Thanks to everyone who answered, for your comments!

But I surely would like to read about "the other side of the story" i.e. the benfit of this big change and how the community plans to keep its user base intact.

Is there any less-technical article than that add-on blog entry? I understood ed-meister just fine, for an example of something I can understand.

Thanks again.

Hi Brynn, there's a fresh update for Blur on the Mozilla Add-ons site: https://addons.mozilla.org/firefox/addon/donottrackplus/

"about the SeaMonkey with no signing at all" I have in general nothing against signing and warning about unsigned addons, BUT there should always be a way for people to let unsigned addon in. also it slows down the release of addons that might need some important fixes. for example, it's been already 3 days since a seriously important fix for the U2F addon was released and still no signature on it. yesterday I disabled addon-signing so I can install it.

my Idea would be that addons should have "permissions" similar to chrome and cant do anything outside those, unless the user maually approves the addons as "legacy" which might be only available for older addons than that permission stuff.

similarly every unsigned addon should recieve a warning and and required to be manually enabled by the user one-by one, so that a malware cannot get in.

I mean HTTPS with self-signed certs are okay, even RC4 seems to be no problem (both just get a warning that the user can override), but some addons not? intresting on it's own

See this about 'temporary add-on loading'. https://blog.mozilla.org/addons/2015/12/23/loading-temporary-add-ons/

well temp loading is an intresting idea of its own.

but the override switch should be just made in a way that it can only be changed by the user e.g. secure dektop confirmation.

and maybe make it like it is in android and stuff when you install an external app, so devs can self-sign an app and an upgrade is only okay if the same signing key is used.

and maybe lock certain stuff from unsigned addons (like changing a lot of config settings) and when an addon that isnt signed attempts to change those ask the user.

It looks like most of these posting are for version 43. I have version 45.0.1 on Windows 7. Our office has recently switched from IE to Firefox for security/privacy reasons. Under IE we have been using an Adobe Extension: "Adobe Acrobat - Create PDF", which is marked by Firefox as "Create PDF could not be verified for use in Firefox." In order to use it I had to set xpinstall.signatures.required to false (which version 45 still supports).

It seems to me that if there is a known, trusted add-on (from Adobe in this case) there should be a mechanism to permit individual add-ons to be allowed, similar to the "exception" for unverified SSL certificates. If Mozilla is concerned about security, this "all or nothing" approach seems counterproductive. All I want to do is continue using the Adobe extension, which I've used for a very long time, but in order to do that I have to not require signatures AT ALL, which is far less secure than permitting this one exception. Yes, it would be nice if Adobe would create a suitably signed version for Firefox, but if the xpinstall.signatures.required option goes away entirely, our office will have to rethink using Firefox as the users will revolt.

I would encourage Mozilla to re-think this.

Hi MarkFoley, you can give input on feature changes for future versions of Firefox on the following page (click the sad face):

https://input.mozilla.org/feedback/firefox

What version of Acrobat do you have? I can confirm that a January update to Acrobat XI (11.0.14) replaced the unsigned version of Create PDF 2.0 with a signed one for me.

I assume there was a similar update for Acrobat DC.

If you are still using Acrobat X, I suspect you will not get the signed extension as support for Acrobat X ended last November.

jscher2000 - Thanks for the feedback. Yes, this is Acrobat X (10.1.16). Your comment about support ending for Acrobat X would explain my problem. I did download Acrobat DC, but nothing "appeared" in my Firefox add-ons related to that. Do you think DC has such a 'Create PDF' add-on?

Hi MarkFoley, Acrobat DC does have a Create PDF extension. Please see whether this article helps: https://helpx.adobe.com/acrobat/using/enable-createpdf-extension-firefox.html

Thanks for the link. Unfortunately, it doesn't help. I went to that site and followed the instructions. Step 4 says, "Select Extensions in the left pane. An extension name Adobe Acrobat - Create PDF appears as disabled with an Enable button beside it ..." When I do this I get an empty box which says, "You don't have any add-ons of this type installed / Learn more about add-ons". The message is a bit confusing: what does it mean by "add-ons of this type"? What type? I haven't selected anything yet.

Anyway, when I "Search all add-ons" for "Adobe", "Create PDF", and similar search phrases I get a list of add-ons related to PDFs, most of which I've tried, but none from Adobe and none which are named "Adobe Acrobat DC - Create PDF 15" as shown in your link example. Searching on parts of that explicit name gives me "Could not find any matching add-ons."

Are you sure there is a current add-on for Acrobat DC? Do you know an explicit site I could go to?

Hi MarkFoley, you should have extensions -- you were able to see the Create PDF extension earlier in this thread.

What did you install, exactly -- the 30-day trial version of Acrobat Pro DC? Or did you already buy the upgrade to Standard ($139) or Pro ($199)?

jscher2000 said

Hi MarkFoley, you should have extensions -- you were able to see the Create PDF extension earlier in this thread.

Well, yes, but that was a different machine. That one had Acrobat Standard X installed which, as you pointed out, is now unsupported and didn't have the signed extension. Rather than clutter up that machine with Acrobat DC, I decided to try that on a different computer.

What did you install, exactly -- the 30-day trial version of Acrobat Pro DC? Or did you already buy the upgrade to Standard ($139) or Pro ($199)?

This is the free version, not Pro. That might explain why there are no extensions.

I think that unless I upgrade our Adobe Acrobat, we aren't going to be able to use the Adobe extensions in Firefox without disabling the signature checking. Having said that, unless the Powers-That-Be mandate otherwise, we are likely NOT going to upgrade Adobe. Acrobat Standard gives us numerous head-aches including having to repair it on several workstations every few months and when we did upgrade to XI last year it wouldn't open web PDFs with IE. Adobe helpdesk had us try it with Firefox and it worked there, so they said it was not their problem; contact Microsoft. Rather, we uninstalled Adobe and bought FoxIt PhantomPDF which the users love way more than Adobe. So, we'll almost certainly be replacing Adobe rather than upgrading. I guess I need to find out if FoxIt has a 'Create PDF' add-on!

Thanks.