How to disable the Firefox add-on signing requirement
Mozilla will enforce the signing of extensions in Firefox in Firefox 40. This particular version of Firefox is scheduled for release on August 11, 2015 to the stable channel.
Add-on signing refers to a new system implemented by Mozilla that requires extensions for Firefox to be signed by the organization in order to install them in stable and beta versions of the Firefox web browser.
Developers who want to make their extensions available to stable or beta users of Firefox need to get them signed through addons.mozilla.org (AMO) even if they plan to publish it only on third-party sites and not Mozilla's main add-ons repository.
All latest versions of extensions on Mozilla AMO are signed automatically. This means that Firefox users may run into issues when they try to install old versions of extensions hosted on AMO and extensions not hosted on the site or submitted to it for the signing process.
If that is the case, the following options are available to keep on using the add-on:
- Switch to Firefox ESR and modify the configuration to disable the add-on signing requirement.
- Switch to Firefox Developer or Firefox Nightly as they offer the same switch to disable add-on signing.
- Mozilla plans to release special builds for developers (so-called unbranded versions) which have the same preference.
- Switch to another browser based on Firefox, e.g. Pale Moon.
The current deployment timeline for signed extensions
- Firefox 40: Warnings are shown if unsigned add-ons are installed.
- Firefox 41: Add-on signing is enforced in stable and beta versions of the Firefox web browser. There is a preference that users can make use of to disable the requirement in this particular version.
- Firefox 48: Add-on signing is mandatory. The override is no longer working and there is no option available to install unsigned extensions on Stable or Beta Firefox versions.
It is unclear right now if the rule will be enforced for Firefox ESR as well. If that is the case, it would hit when the ESR channel reaches version 45. Mozilla plans to make the override switch available in Firefox ESR currently for the time being (meaning that the override will remain and not be removed).
How to disable the add-on signing enforcement
Firefox Stable, Beta and ESR users may use the preference xpinstall.signatures.required to disable the signing requirement in their version of the browser.
Stable and Beta users may only do so before their version of Firefox hits 41 while ESR users may use it afterwards as well.
- Type about:config in the browser's address bar and hit enter. This loads Firefox's main configuration page.
- Confirm the warning prompt if it appears.
- Search for the preference xpinstall.signatures.required.
- Double-click on it to toggle its value.
When you set it to false, you disable the add-on signing requirement.
Additional information about the feature are available on Mozilla's website.
I am getting bored with using just about ANY browser as of late, there’s always something new trying the utmost to piss me off. Just a few minutes ago, FF52’s (which I am still using) extension signing has deprecated all use of two important extensions: FEBE (to backup FF data) and Speed Dial [FVD] (which I installed 2 months ago and contained tons of info, now all lost – it will not open anymore in a new tab)
FF decided to do this just out of the blue, no matter if it worked 2 months on end. I can only suppose I can still extract the data from its extension folder, but how am I going to do this ?
I’m furious !
If you’re reasonably technical, there’s a solution here: https://www.reddit.com/r/ReverseEngineering/comments/51bxuv/modifying_release_builds_of_firefox_to_allow/
(Apologies – the previous post to /r/firefox was removed)
With the latest update, 48.0.1, the work around may no longer be working. I still have it set to false, yet Logitech Setpoint has been disabled by Firefox. Which is ridiculous, this is an add on allowing my keyboard/mouse configuration software to work within the Firefox environment. It is from a reputable company, Logitech, and does not contain malicious software. I have been using it for years without problem or incident, yet Firefox has seen fit to declare it to be malicious. This is ridiculous. It should be up to the user to decide which add ons he/she wants to keep. If someone loads something onto their own computer which somehow effects its operation, that in no way effects Mozilla. What right do they have to dictate to me, the consumer, how I configure my own personal property. I have been using Firefox for years and did not want to change, yet now it appears that I must.
I completely agree. I sure hope the folks at Mozilla rethink this decision. In no way do I feel “safer” since I can no longer run some of my add-ons. This should be left as an end user decision.
I appreciate your point (eysoin),
Yes, why is Mozilla becoming more like a dictator and less like a common voice of the people?
Formula to determine the #1 most likely answer:
Corporate Greed + Mozilla’s Insouciance = The End of User Rights and User Choice
———————————————————————————————————————————————-
Just like Microsoft is killing the (P)ersonal (C)omputer experience, so too has Mozilla been working to eviscerate our ability to customize our (B)rowsing experience. Not only that, when something goes wrong, they expect you the user to spend countless hours scouring their forums just to end up with less of an answer to your question than when you first noticed a problem.
The fact that you can’t even pick up the phone and call them is just one of the many examples of their detachment from the user-base and their deleterious model on how help and support is provided to us…
“Heil Mozilla!…Heil, mein Führer!”
Mozilla has delayed the mandatory sign-in requirement until Firefox 46 – at which point the override (which has worked well for us) will allegedly become ineffective.
Discontinuing this workaround is just plain unnecessary. The requirement for add-ons to be signed is designed to banish once and for all crooked add-ons. For the vast majority of computer users, this is a fine idea. But for those with any savvy, the workaround should be left in place. The usual computer user would never even attempt change anything in Firefox’s configuration. But the more advanced user would and Mozilla would be prudent to allow the workaround to continue to work for those who understand computers.
It also creates a defacto mozilla ‘app store’ in that you can’t independantly produce addons without sending them to mozilla. One more attempt at becoming the google clone they dream of being..
Side note they have removed about:permissions completely from 45
I would like an option to have signatures required as still true but be able to whitelist or provide single instance exceptions. This would be useful for testing or using a beta xpi that you trust while still maintaining the system of generally getting people to use security signatures. This could be a simple about:config string, something simple but relatively technical to prevent overuse. My 2cents
Thankyou. Worked well on FF 42.0a2.
Hello,
my browser “Waterfox” Ver 40.0.3 (64bit) allow me the installing of an unsigned addon* and also it run stable without any errors after restart of waterfox.
But after rebooting the computer the addon get lost and i have to install it again.
The settings for “xpinstall.signatures.required” is still “false”.
*The name of the addon is: “MyKey Interface” from Chipdrive
http://www.chipdrive.de/index.php/de/chipkarten-software/passwort-manager-software.htm
What could be the root cause for this behavior and how can i fix this?
Regards
Johann
Johann, is this happening only for the one add-on or for others as well? Did you check if other software may interfere with the add-on?
Dude are you sure about your info?
I am running 40.0.2 on my mac with the preference xpinstall.signatures.required already set to false and a bunch have been disabled.
Luckily the ESR edition saved me….
42 nightly > xpinstall.signatures.required;false
I tend to sideload addons, and I tend to modify the addons sometimes (for example I modify the allowed Firefox version number when the addon is not compatible). But it won’t be possible anymore, due to the Mozilla’s DICTATORSHIP.
Mandatory signing is the worst thing that Mozilla have ever done. It’s even worse than the horrible Australis UI.
I always save the .xpi addon files to backup them on my PC and my backup DVDs. And I install them offline. And this way I can install them even if they’re removed from the official addons page. I also backup the good Firefox versions. The only good Firefox versions have ever been released are the Firefox 17.0.11 ESR, and Firefox 38. I will stay with the latest Firefox 38 ESR that doesn’t have mandatory signing. I hope the Firefox 38 ESR will not get the mandatory signing, because I want to use the latest Firefox 38 ESR that is planned to be released.
And I will NEVER update Firefox anymore.
The reason why I most hate it is that I wanted to have a Firefox with multiprocess (Electrolysis) support. But Firefox with multiprocess will be released only around Firefox 45. And now it’s known that all future versions from 41 will be infected with this retarded mandatory signing. It’s a deal breaker.
Mozilla and Firefox deserve to die. I’m glat that their market share is continuously declining.
Mandatory signing is terrible, I do hope we can get this reverted.
Otherwise the slow ESR releases with their non-disableable telemetry and whatnot will be the only official Firefox builds you can use, unless you want to compile everything yourself, just for a few edited or custom addons.
Considering rising amount of crapware bundled with Firefox and the huge in-browser js that accompanies it and slows down the startup,
probably what you want to do if you care.
I like the Light Firefox fork, sufficiently up to date and most crap disabled, it might need pgo or some other compiler trick to make it as fast as it could be. Or it is all for naught once you go with Australis.
Mandatory signing is beneficial. The average user first, doesn’t have the required technical know how on whether (s)he can trust the addon or not. Second, the user doesn’t care. All that the average user wants to do is browse uninhibited. Mozilla has to take that into consideration, and provide a strong layer of security over it – so mandatory addon signing seems the best path. Now, the reason this creates such a hullabaloo, is that Firefox has a user base that is far more adept at technical things, as compared to Chrome’s, which as far as I have experienced have relatively negligible technically oriented tech savvy users.
As for the telemetry, you can configure Firefox, quite easily to send the minimum necessary information to Mozilla, via the settings. Also, the new Firefox user is notified of the data sent quite clearly.
Crapware is on the increase, yes, but once you start using them, most of them turn out to be pretty damn good.
Signing can be useful – Mandatory signing is a nightmare to both users and writers of add-ons
You’re talking cráp. Mandatory signing is the worst thing that Mozilla have ever done. It’s even worse than the horrible Australis UI.
Firefox ESR is actually faster than regular version. And “non-disableable telemetry” is Google Chrome thing as far as I know.
orwellian grip on internet freedom tightens. I doubt it has anything to do with security having in mind how long it used to take for extension to be reviewed.
It doesn’t really make sense – it will be impossible to make any changes to extensions even to try it out on regular firefox without uploading it for “signing”. How could you do anything blindfolded and in the dark? Developers will be forced to be using another version of firefox than users of the product for whom they are developing it.
maybe unbranded firefox will work just like firefox on theoretical paper, but in reality they are two different versions of software even after you change one bit in software.
All I found was xpinstall.whitelist
I’m pleased to see it’s reasonably easy to get around with modest technical knowledge. The people that would be comfortable going through this process are exactly the group that can handle making their own decisions about whether or not they trust a given add-on.
“It is unclear right now if the rule will be enforced for Firefox ESR as well.”
I suspect it eventually will because that’s the browser folks recommend for a more stable, secure environment. More testing is balanced against a slower feature set, similar to LibreOffice “Still”. Add-on signing is definitely up their alley.
My default browser is at this time Cyberfox, a Firefox fork as we know. Cyberfox’s developer is for the time being unsure about the way he intends to handle this new add-on signing requirement once it will be de facto mandatory in Firefox (41) but as far as I’ve understood it, he claims it is technically possible.
All I can say is that if Cyberfox does not offer any means to circumvent this add-on signing process, I will be leading to another default browser, Pale Moon most likely, but not for sure again because of the add-ons’ limitations, though in terms of availability. I have now 77 add-ons, some that will never be signed, some that cannot be signed. I know, a user will be able to ask for an add-on to be “signed” by Mozilla, but how long will it take? And for a tweaked add-on, how long again? I will not endure this, certainly not.
As I understand it, Mozilla’s opinion about an average user is to consider him in kindergarten. The company flatters ignorance and prevents users’ improvements that another policy would trigger.
Its easy to disable by just set it false….thanks and yes the link you provided(xpinstall.signatures.required)is not working
I think that the xpinstall.signatures.required preference won’t show up in Firefox Stable (the regular final-release version that most of us use) until version 40 and that it will go away in version 41. So for now, we can install and use unsigned add-ons. When we update to Firefox 40, we will be able to continue using unsigned add-ons if we change the xpinstall.signatures.required preference to false. When Firefox 41 arrives, we will no longer be able to use unsigned add-ons unless we switch to a different branch of Firefox or a Firefox fork that either does not police add-on signing or allows us to opt out.
There’s still some time before the deadline, but just to freak everyone out I’d like to point out that, among the extensions I have installed, the following still don’t appear to be available in a signed version:
Classic Theme Restorer
Flagfox
HTTPS Everywhere
NoScript
Privacy Badger
I found out that all those extensions ARE signed!.
My guess is that the reason you think this might’ve not been the case is the fact that the old addon files that were converted to signed when Mozilla switched over to this new policy all were given new version numbers with the addition of “.1-signed”. This was annoying, but it’s what they did to everything. New addon files which are uploaded to this site and approved by Mozilla do not have their version number tampered with. Mozilla only changed the old version numbers to force a massive wave of addon updates. New versions are already new and will be updated normally.
EVERY addon on FireFox extensions site which is approved by Mozilla is signed, now.
Oh dear. I use all of them with the exception of Classic Theme Restorer. That certainly would be problematic. It seems rather odd that a popular extension like NoScript wouldn’t be signed by that time.
Classic Theme Restorer was signed at v1.3.2.1. Two weeks later, v1.3.3 came out; it does not say “signed” in the Tools>Addons list like v1.3.2.1 does. Most addons are doing it this way — the signed version says so, the later versions do not. Maybe you just missed the signed version as it auto-installed?
Not to mention another short term handicap : Multiprocess Extensions.
My extensions.ini file shows 43 MultiprocessIncompatibleExtensions : yep, forty-three!
This is going to be a tough second semester …
As mentioned in the article, no setting will be made available once the process mandatory starting with Firefox 41, unless conditions mentioned as well are met.