Extension signing


Jeff Williams

Dec 16, 2015, 2:01:36 PM12/16/15
to firef...@mozilla.org

Firefox is not a good browser without extensions, and that's clear for everyone. The only reason it is still in the game is because it has features that no other browser can provide.

Here is what the official wiki says. "Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted."

You can still force the use of unsigned add-ons by following just a couple of steps:

- Open about:config

- Look for the "xpinstall.signatures.required" entry and change the value from true to false

- Restart the browser.

And now comes the bad news. Mozilla will remove this entry from about:config, which means that starting with Firefox 44, this won't be possible anymore.

Some of the older add-ons, which also happen to be very good, haven't been signed. Most likely, the developers have dropped the support for them or simply don't have the time.

Only two options remain. Look for alternatives for add-ons or change the browser entirely. Guess what most people are going to do when they don't find alternatives?


If you remove the option mentioned in the above article I shall discontinue using Firefox and discontinue my financial support...

Please pass this e-mail on to the appropriate personnel. 

Axel Grude

Dec 16, 2015, 2:12:05 PM12/16/15
to firef...@mozilla.org
Dear list

if (what I don't really believe) it becomes impossible to install an unsigned addon through an about:config change, then how are we supposed to test our Addons? Within a release cycle I may have to build and test over 1000 different versions:

A concerned Addon developer.

Axel
--
Axel Grude
Software Developer
Thunderbird Add-ons Developer (QuickFolders, quickFilters, QuickPasswords, Zombie Keys, SmartTemplate4)
AMO Editor

Subject: Extension signing
To: Firefox-dev
From: Jeff Williams
Sent: Wednesday, 16/12/2015 19:00:07 19:00 GMT ST +0000 [Week 50]

Dave Townsend

Dec 16, 2015, 2:17:11 PM12/16/15
to Firefox Dev
On Wed, Dec 16, 2015 at 11:10 AM, Axel Grude <axel....@gmail.com> wrote:
> Dear list
>
> if (what I don't really believe) it becomes impossible to install an unsigned addon through an about:config change, then how are we supposed to test our Addons? Within a release cycle I may have to build and test over 1000 different versions:

It won't be possible through an about:config change in beta and release builds; however, you will always be able to turn off signing requirements in the developer edition and nightly builds. We will also be including a way to load an unsigned add-on temporarily in future release versions; these must be restartless and will only remain installed until you restart Firefox.

»Q«

Dec 16, 2015, 3:46:58 PM12/16/15
to firef...@mozilla.org
On Wed, 16 Dec 2015 11:17:05 -0800 Dave Townsend wrote:

> On Wed, Dec 16, 2015 at 11:10 AM, Axel Grude wrote:
>
> > if (what I don't really believe) it becomes impossible to install an
> > unsigned addon through an about:config change, then how are we
> > supposed to test our Addons? Within a release cycle I may have to
> > build and test over 1000 different versions:
>
> It won't be possible through an about:config change in beta and
> release builds however you will always be able to turn off signing
> requirements in the developer edition and nightly builds. We will
> also be including a way to load an unsigned add-on temporarily in
> future release versions, these must be restartless and will only
> remain installed until you restart Firefox.

From <https://wiki.mozilla.org/Addons/Extension_Signing#FAQ>:

There will also be special unbranded versions of Release and Beta
that will have this setting, so that add-on developers can work on
their add-ons without having to sign every build.

Is that still part of the plan?

Dave Townsend

Dec 16, 2015, 3:47:43 PM12/16/15
to Firefox Dev
Yes, sorry, I forgot about those. Those will be available from Firefox 44 onwards.

Sebastian Zartner

Dec 17, 2015, 1:42:01 AM12/17/15
to Dave Townsend, Firefox Dev
What about allowing users to explicitly enable certain extensions they trust and warning them about the risks of installing an unsigned extension?
For example, I am using the Shumway[1] and MDN documentation tester[2] extensions, which are both created by Mozilla staff, though they are now deactivated by default because they are not signed.

Forcing users to install a different version of Firefox will surely make many of them move away from it.

I also want to remind you that automatic extension signing is not a guarantee that it is safe.[3][4]

Sebastian

[1] https://github.com/mozilla/shumway/
[2] https://github.com/Elchi3/mdn-doc-tests
[3] https://groups.google.com/d/topic/firefox-dev/wqVkCo20c3E/discussion
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1227867

Jeff Griffiths

Dec 17, 2015, 11:58:03 AM12/17/15
to Sebastian Zartner, Firefox Dev, Dave Townsend
Even though I run dev edition as my main browser and have signing enforcement turned off, I recently spent the time to get my personal extensions signed[1] using the `jpm sign` command now available and the keys issued to me by AMO[1]

It's actually a really painless process, I'm pretty impressed. If you're creating an add-on I really recommend the following workflow:

* use `jpm watchpost` for development against dev edition or nightly
* if you want a signed version to install in Beta or Release, use `jpm sign`

Jeff

Andrew McKay

Dec 17, 2015, 7:12:05 PM12/17/15
to Sebastian Zartner, Firefox Dev, Dave Townsend
On Wed, Dec 16, 2015 at 10:41 PM, Sebastian Zartner <sebastia...@gmail.com> wrote:
> What about allowing users to explicitly enable certain extensions they trust and warning them about the risks of installing an unsigned extension?

That's a possibility, but anything that involves warning users always worries me because we rarely see much success in those sorts of warnings.

Between developing on dev edition, nightly, automatic signing, loading an add-on unsigned temporarily and unbranded builds, it does sound like we've got a lot of options for developers for this.

Richard Z

Dec 19, 2015, 7:39:03 PM12/19/15
to Jeff Griffiths, Sebastian Zartner, Dave Townsend, Firefox Dev
On Thu, Dec 17, 2015 at 08:57:56AM -0800, Jeff Griffiths wrote:
> Even though I run dev edition as my main browser and have signing
> enforcement turned off, I recently spent the time to get my personal
> extensions signed[1] using the `jpm sign` command now available and the
> keys issued to me by AMO[1]

That looks easy, is it also as easy to abuse as it looks?

Where is the added security?

Richard

--
Name and OpenPGP keys available from pgp key servers
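Two threads of this discussion, Jeff's `jpm sign` workflow and the "where is the added security?" question, both turn on what an AMO signature actually binds. The following is an added example, not code from this thread, from Mozilla or from the `jpm` tool: Firefox add-on signing is JAR-style, so a signed XPI carries `META-INF/manifest.mf` (a digest of every packaged file), `META-INF/mozilla.sf` (a digest of that manifest) and `META-INF/mozilla.rsa` (the PKCS#7 signature over `mozilla.sf`). The script checks only the first link of that chain, file contents against the recorded digests, and builds its own constructed sample XPI with placeholder `mozilla.sf`/`mozilla.rsa` entries; it does not validate `mozilla.rsa` against Mozilla's signing root, so a pass here shows the package was not altered after the manifest was written, not that AMO signed it, and, as Sebastian notes, a valid signature says nothing about whether the code inside is safe.

```python
"""Check an XPI's META-INF/manifest.mf digests against the packaged files.

Added example for this thread, not code from Mozilla or from any poster.
Checks only file digests versus manifest.mf; mozilla.rsa is NOT verified.
"""
import base64
import hashlib
import io
import zipfile

SIG_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def parse_manifest(text):
    """Return {entry name: {hash algorithm: base64 digest}} from manifest.mf text."""
    # JAR manifests wrap long lines; a newline followed by a space continues the value.
    text = text.replace("\r", "").replace("\n ", "")
    entries, current = {}, None
    for line in text.split("\n"):
        if not line:
            current = None          # a blank line ends the current entry
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None and key.endswith("-Digest"):
            entries[current][key[: -len("-Digest")].lower()] = value
    return entries


def check_xpi(data):
    """Return (ok, problems) for an XPI given as bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        missing = sorted(SIG_FILES - names)
        if missing:
            return False, ["unsigned: missing " + ", ".join(missing)]
        manifest = parse_manifest(zf.read("META-INF/manifest.mf").decode("utf-8"))
        for name in sorted(names - SIG_FILES):
            if name.endswith("/"):
                continue            # directory entries carry no digest
            digests = manifest.get(name)
            if not digests:
                problems.append(f"{name}: not in manifest (added after signing?)")
                continue
            content = zf.read(name)
            for alg, expected in digests.items():
                actual = base64.b64encode(hashlib.new(alg, content).digest()).decode()
                if actual != expected:
                    problems.append(f"{name}: {alg} digest mismatch")
        for name in manifest:
            if name not in names:
                problems.append(f"{name}: in manifest but missing from package")
    return not problems, problems


def build_sample_xpi(tamper=False):
    """Constructed test data: a two-file add-on with a manifest written the way
    a signer writes it. mozilla.sf and mozilla.rsa are placeholders, not a real
    signature, which is why check_xpi() must not be mistaken for full verification."""
    files = {
        "manifest.json": b'{"name": "demo", "version": "1.0"}',
        "background.js": b"console.log('hello');\n",
    }
    lines = ["Manifest-Version: 1.0", ""]
    for name, content in files.items():
        lines += [
            f"Name: {name}",
            "Digest-Algorithms: SHA1 SHA256",
            "SHA1-Digest: " + base64.b64encode(hashlib.sha1(content).digest()).decode(),
            "SHA256-Digest: " + base64.b64encode(hashlib.sha256(content).digest()).decode(),
            "",
        ]
    manifest_mf = "\n".join(lines).encode()
    if tamper:                      # modify a file after the manifest was written
        files["background.js"] = b"console.log('changed after signing');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        zf.writestr("META-INF/manifest.mf", manifest_mf)
        zf.writestr("META-INF/mozilla.sf", b"Signature-Version: 1.0\n")  # placeholder
        zf.writestr("META-INF/mozilla.rsa", b"")                          # placeholder
    return buf.getvalue()


if __name__ == "__main__":
    for label, xpi in (("intact", build_sample_xpi()), ("tampered", build_sample_xpi(tamper=True))):
        ok, problems = check_xpi(xpi)
        print(label, "OK" if ok else "FAILED", problems)
```

Run it against a real signed XPI by passing the file's bytes to `check_xpi()`; for a real package the missing piece is validating `mozilla.rsa` over `mozilla.sf` against Mozilla's root, which this script deliberately leaves out.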