14 DAY TRIAL // Mozilla has announced that, starting with Firefox 42, the installation of unsigned extensions will be not allowed anymore, due to security-related concerns.
Signed extensions are Firefox add-ons that have been checked and approved by Mozilla's automated extensions verification system, or by one of its human reviewers.
They were announced back in February, but no timeline was offered on how and when Mozilla wanted to implement them.
The Mozilla wiki did reveal that, starting with the recently released Firefox 40, users would get a warning whenever installing an unsigned extension, and that with Firefox 41, unsigned extensions would only be installed if a special option in the about:config page was enabled.
New details have now surfaced, the same wiki page revealing that, starting with the beta versions of Firefox 42, users won't be able to install an unsigned extension at all.
Mozilla is tired of ruthless developers abusing its users
According to the blog post from February, this move was caused by the increasing number of developers that are abusing Mozilla's add-on installation procedures, overwriting user preferences, changing homepages, and even redirecting users to malware.
"We’re responsible for our add-ons ecosystem and we can’t sit idle as our users suffer due to bad add-ons," said Jorge Villalobos, Add-ons Developer Relations Lead for Mozilla.
This is why the company is introducing a system similar to what Google uses for its Chrome extensions, but unlike the Chrome team, it is not forcing extensions to be distributed only through its add-ons website.
Extension developers will still be able to host their extensions wherever they want, and have them signed by Mozilla's team.
New procedures for signing extensions will be put in place
According to Mozilla's new procedures, developers still have the option of hosting their add-ons on the Mozilla website or on their own sites. This hasn't changed.
What has changed is that, before an extension is signed, developers have to create a Mozilla account if they don't have one, submit the extension and have it reviewed by an automatic system.
If this automatic system encounters errors, developers can ask for a manual review carried out by a Mozilla employee.
After the extension is approved and signed, the developer can then publish it on the Mozilla add-ons page, or keep their profile hidden and distribute it via their own website.
Developers who work with private extensions distributed only in closed Intranets will also have a special method for signing their extensions, but no official details have been released on this procedure yet.
Regarding older extensions already submitted and listed to the Mozilla add-ons repository, the company started signing them a while back, even the ones abandoned by their developers.