Firefox @lemmy.ml rorschah @lemdro.id 7 mo. ago

Upgraded add-on signatures required for Firefox 127

Greetings from the Mozilla Add-ons team!

Mozilla has upgraded the signing for Firefox extensions, themes, dictionaries, and language packs to provide a stronger signature for a more secure add-ons ecosystem. This upgrade may impact add-on versions uploaded to https://addons.mozilla.org (AMO) differently depending on the date they were uploaded and whether they are self-distributed or distributed via AMO. Please see below for which add-ons will be affected.

For developers of add-on versions hosted on AMO that were uploaded prior to April 5, 2019.

No action will be required; the most recent public version of your add-on will be re-signed automatically April 25, 2024 resulting in a version bump
Developers will receive a confirmation email once the auto re-signing of their add-on is complete

For developers of add-on versions self-distributed that were uploaded prior to April 5, 2019.

Action will be required as Mozilla is not able to automatically re-sign unlisted versions since the distribution is controlled by the developer and thus the AMO team cannot determine which version(s) to re-sign
Action required: To continue to distribute any self-hosted versions uploaded to AMO prior to Apr 5, 2019, developers will need to submit new versions to AMO.

Self-distributed add-on versions that are not re-submitted by Apr 15 will no longer be installable on any version of Firefox 127: Nightly (Apr 15), Beta (May 13) or Release (Jun 11). Add-ons installed prior to Firefox 127 will continue to work for now, but we ask that you encourage your users to upgrade to the new, re-signed version of your add-on once you have re-submitted it to AMO. Any previous versions that are no longer in use do not need to be re-submitted to AMO.

Please feel free to reply to this email if you have any questions.

Regards,

Mozilla Add-ons team

7 comments

What if I don't want to put my extension on AMO? What if I just want to run my own code without your interference?
- You've always been able to run unsigned or unpackaged add-ons with developer mode. What's wrong with that? This only affects packages uploaded to AMO.
  
  You cannot do that anymore. You can add temporary loaded extensions in about:debugging -> "This Firefox" with the normal version, that's it. You can also disable signatures entirely posing yourself to extension forgery.
- Then you're crewed.
  
  You either have all your extensions scanned and verified, or you need to disable extension verification completely and for all extensions.You can upload the extensions as unlisted. They're still get a generic hash/ID though. In this case the scanning and verification is done automatically and you then can go to the back-end and manually download the verified package and install it locally.
  
  It's not as easy as in all other browsers available in the world, but that is how it is.
- You can use Nightly, Developer Edition or Unbranded Builds: https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds
  
  If you're on Linux, chances are your pre-installed Firefox is also already compiled to allow for unsigned extensions.
  
  With all of these, you just need to set xpinstall.signatures.required to false in about:config.
Self-distributed add-on versions that are not re-submitted by Apr 15 will no longer be installable

Will already-installed ones continue to function? Or has Mozilla declined to fix that problem despite the enormous mess it caused in 2019? I never did see evidence of any changes being made to address it.

Other sources seem to indicate that this email was sent quite recently considering the deadline is 15 April.
- My extension (signed, but unlisted) still functions on v. 125

You've viewed 7 comments.