Mozilla begins Add-On Signing, and we take a closer look at it
A couple of month’s ago, Mozilla, had announced that it would implementing a new security feature for its browser, Firefox.
Mozilla said that add-on developers will have to sign their extensions.
Now what does this mean exactly?
To users, it won’t mean much. Developers however could find it really annoying. All extension developers will now be required to sign up for a free account at Mozilla’s Addon Repository, commonly known as AMO (addons.mozilla.org). This is mandatory, even if the developer does not intend to release the addon on AMO.
The developers will then have to submit their addon to Mozilla for review, and when the addon passes their reviewing process, it will be approved, aka signed.
So, will all addons will be available from AMO? No, third party addons can be distributed elsewhere, but they still need to be signed, and can be done so privately.
Why is Mozilla doing this? What is the point of signing an extension?
The move is actually to protect the users from malicious extensions. Since Mozilla has no control over addons distributed in third party websites,this is the only way to block addons. Once extensions are signed, future versions are signed automatically.
Yes, unsigned addons will blocked. At least in the Stable, Beta and ESR (Firefox Extended Support Release). Developers wishing to test future builds of their addons can only do so in the Nightly and Developer channels of Firefox. Test versions of addons and Unsigned addons will not work in Stable, Beta and ESR channels.
Once Add-On signing rolls out, all existing addons, which you have installed in Firefox will be blocked, if they are unsigned. There is no setting which can override this.
Mozilla originally slated Add-On signing for roll out with Firefox 39, but it has been postponed to be released with Firefox 40 instead.
The current stable version of Firefox is 37.0.2, so technically you needn’t worry about add-on signing for the next two or three stable release cycles. According to Mozilla’s rapid release calendar, Firefox 38 is scheduled to be launched on 12th May, Firefox 39 on June 30th and Firefox 40 on 11th August.
But Add-on signing has reportedly already begun, and Ghacks posted a screenshot at its blog. (featured above in this article). Note that the No-Script addon has the word “signed” in its name next to the version number 188.8.131.52.1-signed
The version of NoScript that I have doesn’t say “signed”, although mine appears to be a very slightly older version. (184.108.40.206).
Custom browsers based on Firefox may or may not implement the addon signing rule. At least two browser developers have said that they won’t imply the new rule: Pale Moon and SeaMonkey.
Will you move away from Firefox if your favorite addon is blocked? Drop a comment below and tell us your opinion.