How can I enable a single unsigned add on
Recently, unsigned add-ons have been disabled and there is no option to re-enable them. I use quite a few unsigned add-ons that I trust, or that I've developed myself, and I want to enable them manually. I don't want to enable unsigned add-ons globally. Currently my only option is to trust any unsigned add-on, or to work without them.
Some commonly used add-ons that have been disabled when I updated firefox:
Selenium-IDE (and all the formatters) Fiddler Hook
I believe putting this new security feature into Firefox was premature. I use Firefox because I can customize it any way I like, and the community can create customizations that are easy to use. Impeding this in any way shape or form leads to temptations to use Chrome, or Edge by default... Let me be stupid if I want, give me a way to explicitly define how stupid I want to be.
Réiteach roghnaithe
Turning off the signing requirement rolls you back to the same situation as Firefox 42. Suspending the signing requirement doesn't auto-enable extensions you want disabled. Yes, you are foregoing a layer of security, but it sounds as though you are a user who keeps an eye on what extensions are running and can manage the risk.
Regarding changing how this feature works, it's beyond the scope of support. You can give input here:
https://input.mozilla.org/feedback/
If you want to get more involved, you can check out the mailing lists:
https://lists.mozilla.org/listinfo
Read this answer in context 👍 1All Replies (8)
hi, if you develop addons yourself then it would be best to switch to firefox developer edition, where the addon signing checks can be switched off through a setting in about:config (xpinstall.signatures.required). https://www.mozilla.org/firefox/developer/
This "signing feature" has already been postponed twice, it was supposed to be enabled in either Firefox 40 or 41 originally. I don't call that "premature", especially since this program was announced all the way back in Feb 2015. https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/ Hopefully most Firefox add-on developers follow that blog to be aware of what Mozilla is going to do with the add-ons infrastructure.
Firefox 43 does have a pref to disable it, but that will be gone in Firefox 44.
https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox
If you want to be "stupid" and install anything that you want, and the Developer Edition is too much of an Alpha version for your tastes - an unbranded version of Firefox 44 should be available on of after Jan 26, 2016, when Firefox 44 is slated to be released. That version will be built with the "signing feature" turned off.
Unfortunately, there won't be a way for users to install one un-signed add-on and have the signing apply to all others, it is be global. It's all or nothing - you either use Firefox and be limited or you use the unbranded version and not have any "protection" offered via signed add-ons.
I asked for a way to allow users to permit a single unsigned add-on to run. Not every add-on developer wants to have their work signed by Mozilla, or publish it on their site. I have listed two add-ons that were disabled by this premature feature, that aren't specifically for people developing add-ons, they're for people analyzing web services and sites.
When I said the feature was premature, I didn't mean that it hasn't been thought about at all, I meant that it hasn't been thought about enough. I'm telling you, that as a user, this feature ruined my day. No, I do not look at postings about what firefox might break next, because I expect the add-ons I have to keep working since firefox updates itself automatically all the time. I expect some self control from the development team, to the extent that they provide an obvious work around for legacy add-ins that almost always work if you change the version compatibility range in their manifests. Do I want to sign these too? No, I do not. Do I want them to work? Yes, I do. Would I like any new add-on that I grab from the web to be checked for a signature? I'm not sure. I mean it sounds secure maybe, but add-ons have access to the underlying file system, the chrome, and all kinds of other things, maybe an encrypted signature prevents an add-on from having it's way with my browser, but probably not.
So I'm back at square one: I'm not any safer, and some of my add-ons aren't working. Meanwhile, chrome and edge are doing what I expect them to do, and I can test whatever web "stuff" that I want to test in them. So, I suppose that maybe I should stop trying to convince the dev teams I'm constantly talking to, to support firefox? Their main complaint is that breaking changes happen too often and that chrome is easier to go "way beyond AJAX" with.
So, yes, premature because it affects EVERY add-on ever made and has no option for EXPLICIT exemption from the "security" check.
Réiteach Roghnaithe
Turning off the signing requirement rolls you back to the same situation as Firefox 42. Suspending the signing requirement doesn't auto-enable extensions you want disabled. Yes, you are foregoing a layer of security, but it sounds as though you are a user who keeps an eye on what extensions are running and can manage the risk.
Regarding changing how this feature works, it's beyond the scope of support. You can give input here:
https://input.mozilla.org/feedback/
If you want to get more involved, you can check out the mailing lists:
MatthewKastor said
I asked for a way to allow users to permit a single unsigned add-on to run.
It's a temporary pref that is global. Planed to be only for Firefox 43 only, but if "necessary" it would be quite easy for Mozilla to extend that pref to work in 44.
Not every add-on developer wants to have their work signed by Mozilla, or publish it on their site.
No requirement that signed extensions be hosted at Mozilla. Submit the extension, when it is signed it will be returned to the person that submitted it.
I have listed two add-ons that were disabled by this premature feature, that aren't specifically for people developing add-ons, they're for people analyzing web services and sites.
Those two should have been submitted for signing to prevent than from being disabled.
As far as your comments in the 2nd posting...
"premature" - sorry it ruined your day
You need to keep up with Mozilla Blog postings, or Wiki's, or web sites like ghacks.net to see what is coming in the future with Firefox is you are so dependent on it. No surprises that way. Plus it sounds like you aren't even familiar with the Rapid Release schedule. https://wiki.mozilla.org/RapidRelease/Calendar
WTF are "legacy" extensions? No such thing - no extension category like that. If you mean the extensions that are your own "standard extensions" for Firefox - the extensions that you always install; that is personal, few users use exactly the same extensions and even when that happens, the order of importance or "value" placed on each usually varies.
"chrome and edge are doing what I expect them to do"
Yes, they happen to provide a weaker type of "add-on" system that doesn't have the "power" to modify the browser as "we" currently enjoy with Gecko-based browsers. But that's something that you'll have to wait and see in 2016 when XUL is gone from Firefox and "WebExtensions" will replace the current extensions infrastructure. Think you're upset now, wait until that happens!
Bottom line is that Mozilla came up with this quite awhile ago, and other than "when" they turn-off the xpinstall.signatures.required switch there's nothing really left to discuss.
Wait for Jan 26, 2016 and then ask us where to find the unbranded version of Firefox 44.
Dear edmeister,
I apologize for your lack of reading comprehension and communication skills. I have expressed myself as an end user and asked a plain and direct question, the answer to which is "you can not do that". Somebody else had posted a polite and concise answer to that effect, and I have marked it as the answer. As an end user, I will not be following every different blog, mailing list, chat room, usenet, message board, telegraph, homing pigeon, smoke signal, relay runner, or what have you. I will download the application, try to use it, hack a little here and there to make things do what I need. What I will not do, is accept a rude response that does not answer the question but rather, gives me instructions on the proper use of homing pigeons and message boards.
This guy doesn't care how long there have been messages saying a thing would be broken, he's saying that breaking it was a bad idea. He's currently looking for the way to un-break it going forward, and has this moderator giving him a lot of shit over it.
In short, thanks bruh, you've been quite unhelpful.
Athraithe ag MatthewKastor ar
MatthewKastor said
I have expressed myself as an end user and asked a plain and direct question, the answer to which is "you can not do that".
Hmm, in fairness to other volunteers who replied, I think you know you added some editorial comment to your question which invited the reply you got.