Add-on signing in Firefox

Revision Information
  • Revision id: 113455
  • Created:
  • Creator: AliceWyman
  • Comment: added that Fx43 enforces signing, included ''has not been verified for use in Firefox'' message, reordered.
  • Reviewed: Yes
  • Reviewed:
  • Reviewed by: AliceWyman
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: Yes
  • Readied for localization:
  • Readied for localization by: AliceWyman
Revision Source
Revision Content
Firefox ESR users: Add-on signing will be available on ESR version 45.

Add-ons that change your browser's settings without your consent or steal your information have become increasingly common. Some add-ons add unwanted toolbars or buttons, change your search settings or inject ads or malware into your device. This article explains how add-on signing works and how this feature makes it harder for malware to be installed by default.

What is add-on signing?

Mozilla verifies and "signs" add-ons that follow a set of security guidelines. All add-ons hosted on addons.mozilla.org undergo this process in order to be signed. Add-ons hosted on other sites will need to follow the same guidelines in order to be signed by Mozilla.

Add-on signing targets only malware and browser hijacking. It does not control or censor the content that you choose to see.

Developers: To learn more about add-on signing guidelines, see Signing and distributing your add-on and Review Policies at Mozilla Developer Network.

What types of add-ons need to be signed?

Extensions (add-ons that add features to Firefox) will need to be signed. Themes, language packs and plugins do not need to be signed.

Where would I encounter unsigned add-ons?

Add-ons installed through the official Firefox Add-ons site go through security checks before they are published. These add-ons are verified and signed. When you install an add-on through another website, Firefox checks to make sure that the add-on is digitally signed.

Install add-ons only from developers you trust. Unverified add-ons may contain malware or hijackers that can alter your settings and steal your information.

Starting in Firefox version 43, Firefox prevents you from installing unsigned add-ons and disables any unsigned add-ons that are already installed. If an unsigned add-on is disabled, you won't be able to use it and the Add-ons manager will show a message that the add-on could not be verified for use in Firefox and has been disabled.

What can I do if Firefox disables an installed add-on?

You can remove the add-on from Firefox and then reinstall a signed version from the Mozilla Add-ons site if one is available.

If a signed version is not available, contact add-on developer or vendor to see if they can offer an updated and signed version of that add-on. You can also ask them to get their add-on signed.

Override add-on signing (advanced users)

You can override the setting to enforce the add-on signing requirement by changing the preference xpinstall.signatures.required to false in the Firefox Configuration Editor (about:config page). Support is not available for any changes made with the Configuration Editor so please do this at your own risk. Additionally, Mozilla is planning to remove this override in a future version of Firefox so this is only a temporary solution.