this post was submitted on 16 Apr 2024
64 points (97.1% liked)

Firefox


A place to discuss the news and latest developments on the open-source browser Firefox


Greetings from the Mozilla Add-ons team!

Mozilla has upgraded the signing for Firefox extensions, themes, dictionaries, and language packs to provide a stronger signature for a more secure add-ons ecosystem. This upgrade may impact add-on versions uploaded to https://addons.mozilla.org (AMO) differently depending on the date they were uploaded and whether they are self-distributed or distributed via AMO. Please see below for which add-ons will be affected.

For developers of add-on versions hosted on AMO that were uploaded prior to April 5, 2019.

  • No action will be required; the most recent public version of your add-on will be re-signed automatically April 25, 2024 resulting in a version bump

  • Developers will receive a confirmation email once the auto re-signing of their add-on is complete

For developers of add-on versions self-distributed that were uploaded prior to April 5, 2019.

  • Action will be required as Mozilla is not able to automatically re-sign unlisted versions since the distribution is controlled by the developer and thus the AMO team cannot determine which version(s) to re-sign

  • Action required: To continue to distribute any self-hosted versions uploaded to AMO prior to Apr 5, 2019, developers will need to submit new versions to AMO.

Self-distributed add-on versions that are not re-submitted by Apr 15 will no longer be installable on any version of Firefox 127: Nightly (Apr 15), Beta (May 13) or Release (Jun 11). Add-ons installed prior to Firefox 127 will continue to work for now, but we ask that you encourage your users to upgrade to the new, re-signed version of your add-on once you have re-submitted it to AMO. Any previous versions that are no longer in use do not need to be re-submitted to AMO.

Please feel free to reply to this email if you have any questions.

Regards,

Mozilla Add-ons team

[–] [email protected] 4 points 7 months ago (3 children)

What if I don't want to put my extension on AMO? What if I just want to run my own code without your interference?

[–] [email protected] 2 points 7 months ago

You can use Nightly, Developer Edition or Unbranded Builds: https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds

If you're on Linux, chances are your pre-installed Firefox is also already compiled to allow for unsigned extensions.

With all of these, you just need to set xpinstall.signatures.required to false in about:config.
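For anyone who looks after several machines or profiles, here is a check for the pref named in the comment above, as an added example (not code from this thread or from Mozilla). It assumes the usual profile files `prefs.js` and `user.js`, with `user.js` taking precedence; the profile names and file contents are constructed sample data.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches lines such as: user_pref("some.name", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample profiles (directory name -> file name -> contents).
SAMPLE = {
    "abcd.dev": {"prefs.js": 'user_pref("xpinstall.signatures.required", false);\n'},
    "efgh.default": {"prefs.js": '// Mozilla User Preferences\n'
                                 'user_pref("browser.startup.page", 3);\n'},
    "ijkl.override": {"prefs.js": 'user_pref("xpinstall.signatures.required", true);\n',
                      "user.js": 'user_pref("xpinstall.signatures.required", false);\n'},
}

def build_sample(root):
    """Write the constructed profiles under root so the audit can run offline."""
    for profile, files in SAMPLE.items():
        pdir = Path(root) / profile
        pdir.mkdir(parents=True)
        for name, body in files.items():
            (pdir / name).write_text(body, encoding="utf-8")

def parse_prefs(text):
    """Return {pref name: raw value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def signing_enforced(profile_dir):
    """Effective setting for one profile; an absent pref means the default (true)."""
    value = "true"
    for name in ("prefs.js", "user.js"):  # user.js is read last, so it overrides
        f = Path(profile_dir) / name
        if f.is_file():
            text = f.read_text(encoding="utf-8", errors="replace")
            value = parse_prefs(text).get(PREF, value)
    return value.strip().lower() != "false"

def audit(profiles_root):
    """Names of profile directories where signature enforcement is switched off."""
    return sorted(p.name for p in Path(profiles_root).iterdir()
                  if p.is_dir() and not signing_enforced(p))
```

Point `audit()` at a real profiles directory to list the profiles that have turned the check off.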

[–] [email protected] 2 points 7 months ago

Then you're screwed.

You either have all your extensions scanned and verified, or you need to disable extension verification completely and for all extensions. You can upload the extensions as unlisted. They'll still get a generic hash/ID though. In this case the scanning and verification is done automatically and you can then go to the back-end and manually download the verified package and install it locally.

It's not as easy as in all other browsers available in the world, but that is how it is.

[–] [email protected] 4 points 7 months ago (1 children)

You've always been able to run unsigned or unpackaged add-ons with developer mode. What's wrong with that? This only affects packages uploaded to AMO.

[–] [email protected] 3 points 7 months ago (1 children)

You cannot do that anymore. You can add temporarily loaded extensions in about:debugging -> "This Firefox" with the normal version, that's it. You can also disable signatures entirely, exposing yourself to extension forgery.

[–] [email protected] 3 points 7 months ago (1 children)

Really? That's dumb, there should totally be an option for side-loading add-ons. They should be flagged on your add-ons page, but the choice should be yours.

[–] [email protected] 0 points 7 months ago

That won't ever happen. Mozilla just loves being in control. See reflinks for everything by default, see massive telemetry data for EVERYTHING you do in the browser by default, see crippled mobile browser where you pretty much can't change anything, etc., etc.

"Mandatory" verification and signing of not-to-be-public extensions just 100% fits into that.